@IvanChepurnyi
Last active July 15, 2017 05:45
#!/bin/bash
# cert-renew.sh <production|staging|acme-server-id> <output-path> <domain>
ACMESERVER=$1
OUTPATH=$2
DOMAIN=$3
ACMEBIN=$HOME/bin/acme
ACMEDIR=$HOME/.acme

if [ -z "$ACMESERVER" ] || [ -z "$OUTPATH" ] || [ -z "$DOMAIN" ]
then
    echo "Usage: $0 <production|staging|acme-server-id> <output-path> <domain>" >&2
    exit 1
fi

# The storage directory holds the account and domain private keys, so create
# it readable by the owner only.
if [ ! -d "$ACMEDIR" ]
then
    mkdir -m 0700 "$ACMEDIR"
fi
if [ ! -f "$ACMEDIR/config.yml" ]
then
    echo "Missing configuration file for ssl certificate generation" >&2
    exit 1
fi

# Map the two short names to the client's server id and to the API hostname
# the client uses as the name of the per-server certificate directory.
APIHOSTNAME=$ACMESERVER
if [[ $ACMESERVER = "production" ]]
then
    ACMESERVER="letsencrypt"
    APIHOSTNAME="acme-v01.api.letsencrypt.org"
elif [[ $ACMESERVER = "staging" ]]
then
    ACMESERVER="letsencrypt:staging"
    APIHOSTNAME="acme-staging.api.letsencrypt.org"
fi
CERTDIRECTORY=$ACMEDIR/certs/${APIHOSTNAME}.directory/$DOMAIN

# Run the client. Exit code 5 is treated as "certificates were (re)issued";
# only then are the new chain and key copied to the output path.
"$ACMEBIN" auto -c "$ACMEDIR/config.yml" -s "$ACMESERVER" --storage "$ACMEDIR"
code=$?
if [[ $code = 5 ]]
then
    cp "$CERTDIRECTORY/fullchain.pem" "$OUTPATH/$DOMAIN-fullchain.pem"
    cp "$CERTDIRECTORY/key.pem" "$OUTPATH/$DOMAIN-key.pem"
fi

Usage is quite simple: create a directory called .acme in your $HOME and place a config.yml file in it with the following options:

# E-mail to use for the setup.
# This e-mail will receive expiration notices from Let's Encrypt.
email: YOUR@EMAIL.COM

# List of certificates to issue.
certificates:
    # For each certificate, there are a few options.
    #
    # Required: paths
    # Optional: bits, user
    #
    # paths: Map of document roots to domains.
    #        /tmp is used here for domains without a real document root.
    #        The client will place a file into $path/.well-known/acme-challenge/
    #        to verify ownership to the CA
    #
    # bits:  Number of bits for the domain private key
    #
    # user:  User running the web server. Challenge files are world readable,
    #        but some servers might require to be owner of files they serve.
    #
    - bits: 4096
      paths:
        /your/document/root/: your.domain.name.com
    # or specify multiple domain names like this:
    # paths: 
    # /your/document/root/: [your.domain.name.com, your.domain.name2.com]

Then set up a cron job to run this command once a day: cert-renew.sh production $HOME/nginx your.domain.name.com
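The two bare cp lines at the end of the script inherit whatever mode key.pem has in the storage directory and will happily overwrite a good certificate with an empty file if a run is interrupted. The following is an added example, not code from the gist or from the acme client, of a stricter install step that the cron job could call instead. It keeps the gist's assumption that exit code 5 means "certificates were renewed"; RELOAD_CMD is a hypothetical hook of my own (for instance "nginx -s reload") that is unset by default.

```shell
#!/bin/bash
# Added example (not part of the gist): install a renewed certificate/key pair
# only when the acme client reports a renewal, never replace a working file
# with a missing or empty one, and make sure the private key is never
# world-readable, even for an instant.
#
# install_renewed_cert <acme-exit-code> <certdir> <outpath> <domain>
# Returns 0 when the pair was installed, 1 when there was nothing to do,
# 2 on an unexpected acme exit code, 3 on bad input files, 4 on a write
# failure and 5 when the optional reload hook failed.
install_renewed_cert() {
    local code="$1" certdir="$2" outpath="$3" domain="$4"
    local chain="$certdir/fullchain.pem" key="$certdir/key.pem"
    local out_chain="$outpath/$domain-fullchain.pem" out_key="$outpath/$domain-key.pem"

    case "$code" in
        5) ;;                                  # renewed (assumed, as in the gist)
        0) return 1 ;;                         # nothing renewed: leave files alone
        *) echo "acme exited with code $code" >&2; return 2 ;;
    esac

    # A failed or interrupted run must not wipe the certificate the web
    # server is currently serving, so refuse missing or empty files.
    if [ ! -s "$chain" ] || [ ! -s "$key" ]; then
        echo "renewed files missing or empty in $certdir" >&2
        return 3
    fi
    # Cheap PEM framing check that does not need openssl on the host.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" \
       || ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "files in $certdir are not PEM" >&2
        return 3
    fi

    # Write to temporary names in the target directory, then rename. mktemp
    # creates the files with mode 0600, so the key is private from the first
    # byte (plain cp would keep the source mode), and rename is atomic, so a
    # reload never sees a half-written file.
    local tmp_chain tmp_key
    tmp_chain=$(mktemp "$outpath/.$domain-fullchain.XXXXXX") || return 4
    tmp_key=$(mktemp "$outpath/.$domain-key.XXXXXX") || { rm -f "$tmp_chain"; return 4; }
    if ! cat "$chain" > "$tmp_chain" || ! cat "$key" > "$tmp_key"; then
        rm -f "$tmp_chain" "$tmp_key"
        return 4
    fi
    chmod 0644 "$tmp_chain"
    chmod 0600 "$tmp_key"
    mv -f "$tmp_chain" "$out_chain" && mv -f "$tmp_key" "$out_key" || return 4

    # Hypothetical reload hook (e.g. RELOAD_CMD="nginx -s reload"). Left
    # unquoted on purpose so that a command with arguments is word-split.
    if [ -n "${RELOAD_CMD:-}" ]; then
        $RELOAD_CMD || { echo "reload failed: $RELOAD_CMD" >&2; return 5; }
    fi
    return 0
}

# Stand-alone use mirrors the gist's argument order:
#   install-cert.sh <acme-exit-code> <certdir> <outpath> <domain>
if [ "$#" -eq 4 ]; then
    install_renewed_cert "$@"
fi
```

In the gist's script this replaces the `if [[ $code = 5 ]]` block with `install_renewed_cert "$code" "$CERTDIRECTORY" "$OUTPATH" "$DOMAIN"`; the function's return value then becomes the cron job's exit status, so a broken renewal shows up in cron mail instead of silently leaving the old certificate in place until it expires.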
