vestacp cert letsencrypt

readme.md

• install letsencrypt: https://github.com/letsencrypt/letsencrypt#installation
• (optionally) make symlink: ln -s /etc/letsencrypt/letsencrypt-auto /usr/local/bin/letsencrypt

Certs will be generated/renewed to /etc/letsencrypt/live/<domain>/, so configure your webserver to take them from here OR symlink them to any domain directory (like I do)

My init/renew command uses webroot authenticator, so you need to specify webroot path. In that directory letsencrypt will put .something/something/xxx and remote server will try to access that file to verify you have full access to that domain.

If authentication fails, it probably is not accessible from outside. Usually it is caused by rule disallowing hidden files/directories to be show - you will need to modify it to allow that generated directory+file.

Vesta tweaks

put force-https files to /usr/local/vesta/data/templates/web/nginx/php5-fpm (vesta 0.9.8) or to parent directory (older versions? try yourself), and then in Vesta change nginx template to force-https

force-http.tpl

server {
    listen      %ip%:%web_port%;
    server_name %domain_idn% %alias_idn%;
    location / {
        rewrite ^(.*) https://%domain_idn%$1 permanent;
    }
}

force-https.stpl

server {
    listen      %ip%:%web_ssl_port%;
    server_name %domain_idn% %alias_idn%;
    root        %sdocroot%;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/%domain%.log combined;
    access_log  /var/log/nginx/domains/%domain%.bytes bytes;
    error_log   /var/log/nginx/domains/%domain%.error.log error;

    ssl         on;
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;

    location / {

        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }

        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }

            fastcgi_pass    %backend_lsnr%;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }

    error_page  403 /error/404.html;
    error_page  404 /error/404.html;
    error_page  500 502 503 504 /error/50x.html;

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }

    include     /etc/nginx/conf.d/phpmyadmin.inc*;
    include     /etc/nginx/conf.d/phppgadmin.inc*;
    include     /etc/nginx/conf.d/webmail.inc*;

    include     %home%/%user%/conf/web/snginx.%domain%.conf*;
}

main.md

init & renew

replace ikw.cz with domain AND admin with vesta user

letsencrypt certonly \
 --authenticator webroot \
 --renew-by-default \
 --agree-tos \
 --webroot-path /home/admin/web/ikw.cz/public_html \
 --domains ikw.cz,www.ikw.cz



# only init
rm -rf /tmp/ssl.ikw.cz
mkdir /tmp/ssl.ikw.cz
cp /etc/letsencrypt/live/ikw.cz/fullchain.pem /tmp/ssl.ikw.cz/ikw.cz.pem
cp /etc/letsencrypt/live/ikw.cz/privkey.pem /tmp/ssl.ikw.cz/ikw.cz.key
cp /etc/letsencrypt/live/ikw.cz/cert.pem /tmp/ssl.ikw.cz/ikw.cz.crt
cp /etc/letsencrypt/live/ikw.cz/chain.pem /tmp/ssl.ikw.cz/ikw.cz.ca
v-add-web-domain-ssl admin ikw.cz /tmp/ssl.ikw.cz same yes
rm -rf /tmp/ssl.ikw.cz


rm /home/admin/conf/web/ssl.ikw.cz.*
ln -s /etc/letsencrypt/live/ikw.cz/fullchain.pem /home/admin/conf/web/ssl.ikw.cz.pem
ln -s /etc/letsencrypt/live/ikw.cz/privkey.pem /home/admin/conf/web/ssl.ikw.cz.key
ln -s /etc/letsencrypt/live/ikw.cz/cert.pem /home/admin/conf/web/ssl.ikw.cz.crt
ln -s /etc/letsencrypt/live/ikw.cz/chain.pem /home/admin/conf/web/ssl.ikw.cz.ca

renewcerts.sh

#!/usr/bin/env bash
# Renew Let's Encrypt SSL certs
# Replace next line with first command from `gistfile1.txt` and email on line 11 with yours
# Then add this script to your cron to run every two months or so (certs are issued for 3 months)

letsencrypt certonly --authenticator webroot --renew-by-default --agree-tos --webroot-path /home/admin/web/ikw.cz/public_html --domains ikw.cz,www.ikw.cz

if [ $? -ne 0 ]
 then
        ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
        echo -e "The Lets Encrypt Cert has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" [email protected]
 else
        service apache2 reload        
	service nginx reload
fi