a small wrapper around acme-tiny for managing certificates
acme-tiny can be found here: https://github.com/diafygi/acme-tiny
Reading acme-tiny's documentation will help you understand this script. I very strongly recommend reading it before using this!
Also make sure you're using acme-tiny version 4.0.0 or newer. With older versions the intermediate certificate will be missing from the bundles.
- Clone this repository.
- Install acme-tiny somewhere on your system.
- Make sure openssl is installed on your system.
- Create config.zsh using config.zsh.example as a template and set the variables to your liking.
  See the Configuration section for more information and don't forget to set the path to acme_tiny.py!
  You can skip this step entirely if you're fine with the defaults.
- Create an account key if you haven't got one yet (see the create-account action below).
The first argument to bp-lets.zsh is the action it shall perform.
Possible actions are:
./bp-lets.zsh create-account
This command generates a new account key if it does not exist.
./bp-lets.zsh create-cert ssl.example.org
This command generates a new private key and a CSR, locally identified by 'ssl.example.org'.
You can choose whatever identifier you want here; it is only used by this script, but it's usually a good idea to use the certificate's main domain.
The script will ask for the domains the certificate shall be valid for.
Enter one domain per line; an empty line submits. The domains are then printed again so you can check them.
./bp-lets.zsh renew ssl.example.org
This command requests a new certificate via acme-tiny using the CSR identified by ssl.example.org, which effectively renews the certificate if one already exists.
Before calling this, make sure that http://<domain>/.well-known/acme-challenge/ is served correctly for every domain in the CSR, that you have an account key, and that you have created the CSR (preferably with create-cert).
See cron_letsencrypt_renew.sh for an example of automatic renewal.
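The create-cert action above has to put every domain you enter into the CSR's subjectAltName, since Let's Encrypt issues for the SAN list rather than the CN. The following is an added example, not code from bp-lets.zsh, of how such a CSR can be built and read back with openssl, following the config-file approach acme-tiny's README documents. The function names, the csr.cnf/request.csr file names, the 2048-bit key size used when testing and the example domains are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not bp-lets.zsh's own code): build a CSR whose
# subjectAltName lists every requested domain, then read the names back.
# Assumes openssl is on PATH; file names below are illustrative.

# make_san_csr OUTDIR BITS DOMAIN...
# Writes OUTDIR/private.key and OUTDIR/request.csr. The first domain is
# used as CN; the ACME server only looks at the SAN list, so every
# domain goes there, including the first one.
make_san_csr() {
    outdir=$1
    bits=$2
    shift 2
    [ "$#" -ge 1 ] || { echo "make_san_csr: no domains given" >&2; return 1; }
    sans=""
    for d in "$@"; do
        sans="${sans:+$sans,}DNS:$d"
    done
    # Minimal openssl config: no interactive prompts, SAN as a request extension.
    cat > "$outdir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $1
[san]
subjectAltName = $sans
EOF
    openssl genrsa -out "$outdir/private.key" "$bits" 2>/dev/null || return 1
    openssl req -new -key "$outdir/private.key" -config "$outdir/csr.cnf" \
        -out "$outdir/request.csr" 2>/dev/null || return 1
}

# csr_domains CSR
# Prints the DNS names in the CSR's subjectAltName, one per line, so the
# caller can re-print them for checking before submitting the request.
csr_domains() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep 'DNS:' | tr ',' '\n' | sed 's/^[[:space:]]*DNS://'
}

# Stand-alone usage: ./san-csr.sh OUTDIR DOMAIN...
if [ "$#" -ge 2 ]; then
    dir=$1
    shift
    make_san_csr "$dir" 4096 "$@" && csr_domains "$dir/request.csr"
fi
```

Running csr_domains on the generated request is the cheap check to do before calling renew: if a domain is missing from that list, the challenge for it will never be requested and the certificate will silently not cover it.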
After this you can point your services' configuration at the certificate using the following path:
$xbasedir/<certname>/live/
It contains the following files:
* private.key the private key
* certificate.crt the certificate
* ca-bundle.crt the intermediate(s)
* full-bundle.crt the certificate + the intermediate(s)
* key-bundle.crt the private key + the certificate + the intermediate(s)
private.key and key-bundle.crt contain the private key, so make sure only the services that need them can read them.
An example Apache configuration could look like this (on Apache 2.4.8 or newer SSLCertificateChainFile is deprecated; point SSLCertificateFile at full-bundle.crt instead and drop the chain line):
SSLEngine On
SSLCertificateFile /var/local/letse/ssl.example.org/live/certificate.crt
SSLCertificateKeyFile /var/local/letse/ssl.example.org/live/private.key
SSLCertificateChainFile /var/local/letse/ssl.example.org/live/ca-bundle.crt
Any executable file residing in a post-renew.d directory, either inside $xbasedir/<certname>/ or alongside bp-lets.zsh, will be executed after the new certificate and all bundle files have been created.
All non-executable files are silently ignored.
The directory the new certificate resides in ($xbasedir/<certname>/live/) is passed as the first argument.
Any output on stdout or stderr will "bleed through" and be displayed, even from the cron script. Therefore print only error messages or other serious issues, since the output of cronjobs is usually mailed to someone.
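As an added example of such a hook, not part of the project, here is a POSIX shell script that could be dropped into post-renew.d. It takes the live directory as its first argument, checks that private.key and certificate.crt belong together, that ca-bundle.crt parses, and that the certificate is not about to expire, and prints only on failure so that a cron run stays quiet when everything is fine. The function name, the 24-hour expiry threshold and the message texts are assumptions.

```sh
#!/bin/sh
# Added example of a post-renew.d hook (not part of bp-lets.zsh).
# bp-lets.zsh passes the live directory as $1; cron mails anything we
# print, so the hook prints only when something is wrong.

# check_live_dir DIR
# Returns 0 if DIR/private.key, DIR/certificate.crt and DIR/ca-bundle.crt
# are readable, the key matches the certificate, the bundle parses and the
# certificate is valid for at least another 24 hours (assumed threshold).
check_live_dir() {
    dir=$1
    key="$dir/private.key"
    crt="$dir/certificate.crt"
    chain="$dir/ca-bundle.crt"

    for f in "$key" "$crt" "$chain"; do
        if [ ! -r "$f" ]; then
            echo "post-renew: missing or unreadable file: $f" >&2
            return 1
        fi
    done

    # Private key and certificate must carry the same public key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "post-renew: cannot parse private key $key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "post-renew: cannot parse certificate $crt" >&2; return 1; }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "post-renew: $key does not match $crt" >&2
        return 1
    fi

    # The intermediate bundle must at least contain a parseable certificate.
    openssl x509 -in "$chain" -noout 2>/dev/null || {
        echo "post-renew: cannot parse chain bundle $chain" >&2; return 1; }

    # Do not stay silent about a certificate that is already (nearly) expired.
    if ! openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "post-renew: $crt expires within 24 hours or is already expired" >&2
        return 1
    fi
    return 0
}

# Hook entry point: only runs when bp-lets.zsh supplies the live directory.
if [ "$#" -ge 1 ]; then
    check_live_dir "$1" || exit 1
fi
```

Because the hook only reads the files and writes nothing to stdout on success, it is safe to run from the cron script; a mismatch between key and certificate is exactly the kind of "serious issue" worth a mail before the next service reload picks up the new files.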
Configuration is done by setting the variables in config.zsh. To use the example config, copy or rename config.zsh.example to config.zsh.
The variables and their effects are:
The Let's Encrypt account key.
When creating the key, this is the file it'll be written to; when requesting certificates, the account key is read from this file.
It is passed to acme-tiny via --account-key.
Default: $xbasedir/account.key
The size in bits of the account key. Only used when generating an account key.
Default: 4096
The path to the acme-tiny script.
Point this variable to the location of the acme-tiny script on your machine.
For example: /usr/local/bin/acme-tiny.py
Default: ${HOME}/acme-tiny/acme_tiny.py
The path to the challenges directory.
This directory must be served at http://<domain>/.well-known/acme-challenge/ for every domain you request certificates for.
It is passed to acme-tiny via --acme-dir.
Default: /srv/acme-challenges/
The path where a certificate's files are stored.
Default: $xbasedir/<certname>
certname is the identifier of the certificate.
The size in bits of the RSA private keys generated for new certificates.
Default: 4096
Symlink to the currently active version of the certificate.
Default: $basedir/live
Directory to place the new certificate in; $livedir will be symlinked to this directory if the renewal is successful.
Default: $basedir/YYYY-MM-DD (YYYY-MM-DD is the current date)
The location of the openssl.cnf used as the base configuration when adding SANs to the CSR.
Default: /etc/ssl/openssl.cnf
List of services to be reloaded after a successful renewal. Each one is passed to systemctl reload.
The base directory containing each certificate's subdirectory. It also contains the file active, to which all certificates created with create-cert are added.
Default: /var/local/letse