A sample Let's Encrypt renewal script for an Apache web server using the DNS-01 challenge method
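#!/bin/bash
#
# Renew the ${DOMAIN} / *.${DOMAIN} certificate with certbot (manual
# authenticator, DNS-01 challenge, Apache installer), discard the SSL vhost
# certbot generates, and install our own combined HTTP/HTTPS vhost instead.
#
# Usage:  sudo ./renew.sh
# Environment:
#   DOMAIN  domain to renew (default: example.com); www.${DOMAIN} and
#           *.${DOMAIN} are derived from it
#   TGTDEV  optional extra arguments appended to the certbot command line,
#           word-split on whitespace (name kept from the original script)
#
# NOTE: the manual authenticator cannot publish the _acme-challenge TXT
# records itself and their values change on every run, so the canned answers
# below only get past the challenge when the records are already in place.
# For unattended renewals use a certbot DNS plugin or --manual-auth-hook.
#
# Captured interactive session this script drives (kept for reference):
#root@growtopiajaw:/etc/letsencrypt# certbot -i apache -a manual -d example.com -d *.example.com --preferred-challenges dns
#Saving debug log to /var/log/letsencrypt/letsencrypt.log
#Plugins selected: Authenticator manual, Installer apache
#Cert not yet due for renewal
#
#You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
#(ref: /etc/letsencrypt/renewal/example.com.conf)
#
#What would you like to do?
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#1: Attempt to reinstall this existing certificate
#2: Renew & replace the cert (limit ~5 per 7 days)
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
#Renewing an existing certificate
#Performing the following challenges:
#dns-01 challenge for example.com
#dns-01 challenge for example.com
#
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#NOTE: The IP of this machine will be publicly logged as having requested this
#certificate. If you're running certbot in manual mode on a machine that is not
#your server, please ensure you're okay with that.
#
#Are you OK with your IP being logged?
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#(Y)es/(N)o: y
#
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#Please deploy a DNS TXT record under the name
#_acme-challenge.example.com with the following value:
#
#bjv9f78gerghvr80n809nhgnhegfjugfr890hw0f89w
#
#Before continuing, verify the record is deployed.
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#Press Enter to Continue
#
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#Please deploy a DNS TXT record under the name
#_acme-challenge.example.com with the following value:
#
#jsbg78gg3bt78b794nhmj80000000000h8m238hj934
#
#Before continuing, verify the record is deployed.
#(This must be set up in addition to the previous challenges; do not remove,
#replace, or undo the previous challenge tasks yet. Note that you might be
#asked to create multiple distinct TXT records with the same name. This is
#permitted by DNS standards.)
#
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#Press Enter to Continue
#Waiting for verification...
#Cleaning up challenges
#Created an SSL vhost at /etc/apache2/sites-available/default-le-ssl.conf
#Deploying Certificate to VirtualHost /etc/apache2/sites-available/default-le-ssl.conf
#Enabling available site: /etc/apache2/sites-available/default-le-ssl.conf
#
#Which VirtualHosts would you like to install the wildcard certificate for?
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#1: File: /etc/apache2/sites-enabled/xxxxxxxxx.conf
#Addresses: *:80
#Names: xxxxxxxxx.example.com
#HTTPS: No
#
#2: File: /etc/apache2/sites-available/default-le-ssl.conf
#Addresses: *:443
#Names: example.com, www.example.com
#HTTPS: Yes
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#Select the appropriate numbers separated by commas and/or spaces, or leave input
#blank to select all options shown (Enter 'c' to cancel): c
#No vhost exists with servername or alias for domain *.example.com. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.
#No vhost selected
#
#IMPORTANT NOTES:
# - Unable to install the certificate
# - Congratulations! Your certificate and chain have been saved at:
# /etc/letsencrypt/live/example.com/fullchain.pem
# Your key file has been saved at:
# /etc/letsencrypt/live/example.com/privkey.pem
# Your cert will expire on 2019-11-11. To obtain a new or tweaked
# version of this certificate in the future, simply run certbot again
# with the "certonly" option. To non-interactively renew *all* of
# your certificates, run "certbot renew"
# - Some rewrite rules copied from
# /etc/apache2/sites-enabled/default.conf were disabled in the vhost
# for your HTTPS site located at
# /etc/apache2/sites-available/default-le-ssl.conf because they have
# the potential to create redirection loops.

set -euo pipefail

readonly DOMAIN="${DOMAIN:-example.com}"
# Vhost certbot's apache installer writes; it is removed after the renewal.
readonly LE_SSL_VHOST=/etc/apache2/sites-available/default-le-ssl.conf
# Vhost this script installs in its place.
readonly VHOST_CONF=/etc/apache2/sites-available/default.conf

#######################################
# Print the combined :80/:443 vhost for ${DOMAIN} to stdout.
# Apache's own ${APACHE_LOG_DIR} and $N rewrite references are
# backslash-escaped so bash leaves them alone (the original echo "..." form
# expanded them at script run time and emptied them).
# Globals:  DOMAIN (read)
# Outputs:  Apache configuration on stdout
#######################################
render_vhost_config() {
  cat <<EOF
<IfVersion < 2.3 >
NameVirtualHost *:80
NameVirtualHost *:443
</IfVersion>
<VirtualHost *:80>
ServerName ${DOMAIN}
ServerAlias www.${DOMAIN}
RewriteEngine On
# BEGIN: Enable HTTP to HTTPS redirection
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^/(.*) https://%{SERVER_NAME}/\$1 [R,L]
# END: Enable HTTP to HTTPS redirection
# BEGIN: Enable www to non-www redirection
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^(.*)$ http://%1\$1 [R=permanent,L]
# END: Enable www to non-www redirection
</VirtualHost>
<VirtualHost *:443>
# Named so certbot's installer and SNI matching can find this vhost.
ServerName ${DOMAIN}
ServerAlias www.${DOMAIN}
RewriteEngine On
# BEGIN: Enable www to non-www redirection
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^(.*)$ https://%1\$1 [R=permanent,L]
# END: Enable www to non-www redirection
Protocols h2 http/1.1
DocumentRoot /var/www/html
ErrorLog \${APACHE_LOG_DIR}/${DOMAIN}-error.log
CustomLog \${APACHE_LOG_DIR}/${DOMAIN}-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/${DOMAIN}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${DOMAIN}/privkey.pem
# Other Apache Configuration
<Directory /var/www/html/>
# "Indexes" publishes directory listings wherever no index file exists;
# drop it (or use -Indexes) unless that is intended.
Options Indexes FollowSymLinks MultiViews
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
AddHandler mod_python .py
PythonHandler mod_python.publisher
# PythonDebug On returns Python tracebacks to the client; keep it Off in production.
PythonDebug On
</Directory>
</VirtualHost>
EOF
}

#######################################
# EXIT handler: bring Apache back with whatever configuration is in place,
# so a failed certbot run does not leave the site down.
#######################################
restore_apache() {
  service apache2 restart
}

#######################################
# Stop Apache, renew the certificate, replace certbot's generated vhost with
# ours, then restart Apache (via the EXIT trap).
# Globals:  DOMAIN, LE_SSL_VHOST, VHOST_CONF (read); TGTDEV (read, optional)
# Returns:  non-zero if any step fails (set -e)
#######################################
main() {
  service apache2 stop
  trap restore_apache EXIT

  # Canned answers for the prompts shown in the captured session above.
  local -a answers=(
    2  # "Renew & replace the cert"
    y  # "Are you OK with your IP being logged?"
    c  # cancel certbot's vhost selection; our own vhost is installed below
  )
  # NOTE(review): the captured session shows two "Press Enter to Continue"
  # prompts between the "y" and "c" answers; confirm this answer list matches
  # the prompts your certbot version presents before running it unattended.
  # The wildcard is quoted so the shell cannot glob-expand it.
  # shellcheck disable=SC2086  # TGTDEV is deliberately word-split into arguments
  printf '%s\n' "${answers[@]}" \
    | certbot -i apache -a manual -d "${DOMAIN}" -d "*.${DOMAIN}" \
        --preferred-challenges dns ${TGTDEV:-}

  # certbot's installer writes its own SSL vhost, which we replace below.
  # It may not exist at all (e.g. nothing was due for renewal), so its absence
  # is not an error; a2dissite is skipped in that case because it fails on an
  # unknown site.
  if [[ -e "${LE_SSL_VHOST}" ]]; then
    a2dissite default-le-ssl
    rm -f -- "${LE_SSL_VHOST}"
  fi
  rm -f -- /etc/letsencrypt/options-ssl-apache.conf

  render_vhost_config > "${VHOST_CONF}"
}

main "$@"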