Last active
May 28, 2016 20:17
letsencrypt-autorenew is a blueprint for convenient automatic certificate renewal and service reloading
```bash
#!/bin/bash
#
# letsencrypt-autorenew is a best practice blueprint for
# convenient automatic certificate renewal and service reloading.
#
# Copyright (C) 2016 Andreas Motl, Elmyra UG
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Setup::
#
#   # Prepare
#   export LE_AUTORENEW=/etc/letsencrypt/bin/letsencrypt-autorenew
#   mkdir -p "$(dirname "$LE_AUTORENEW")"
#
#   # Download
#   wget -O "$LE_AUTORENEW" https://gist.githubusercontent.com/amotl/99a113bdad8e1c50372a2a06364efca8/raw/letsencrypt-autorenew
#   chmod +x "$LE_AUTORENEW"
#
#   # Adapt to your environment
#   $EDITOR "$LE_AUTORENEW"
#
#   # Run each month to renew due certificates
#   ln -s "$LE_AUTORENEW" /etc/cron.monthly/
#
#
# Description:
#   This automates the minimum required steps for fully unattended Let's Encrypt
#   certificate renewal for a web server hosting multiple HTTP virtual hosts from
#   different webroot directories.
#
# Prior art:
#   - https://community.letsencrypt.org/t/multiple-domains-webroot-paths-using-webroot-plugin/7982
#
# Todo:
#   - Reloading of other daemons (Sendmail, Dovecot, Cyrus, OpenLDAP)
#   - Extract the real information (multiple webroot-path to domain maps) into a JSON file or
#     design a command-line-parameter based interface in order to make it act properly in a
#     DevOps environment driven by Ansible, Salt or Puppet.

# Emit log status output from the letsencrypt client about the operations performed.
show_log() { echo ----------; grep -E '(Arguments|INFO:)' /var/log/letsencrypt/letsencrypt.log; }

# Reload helpers for services on systemd-based systems; also display a reasonable status output of the operation.
reload_service() { echo ==========; systemctl reload "$1"; journalctl --since -5s --unit "$1"; }
reload_nginx() { reload_service nginx; }
reload_apache() { reload_service apache2; }

# Issue certificates for a regular website or root domain.
# Extra arguments passed to this script (e.g. --renew-by-default) are forwarded to the client.
letsencrypt certonly \
    --webroot-path /srv/www/organizations/example-inc/www.example.com/htdocs/ \
    --domains example.com,www.example.com \
    "$@"
show_log

# Issue certificates for additional subdomains
letsencrypt certonly \
    --webroot-path /srv/www/organizations/example-inc/workbench.example.com/htdocs/ \
    --domains workbench.example.com,docs.example.com,tickets.example.com,meta.example.com \
    "$@"
show_log

# Reload the web server to make it pick up the new certificates
#reload_nginx
#reload_apache
```
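The script above hard-codes each webroot/domain pair and reloads the web server unconditionally. The following added example (not part of the gist) shows one way to tackle the "Todo" item: keep the webroot-to-domains map in one place, drive the client from it, and reload a service only when the served certificate file actually changed. All paths are assumptions modelled on the gist's layout; `LE_CMD` and `RELOAD_CMD` are hypothetical overrides for dry runs.

```shell
#!/bin/bash
# Added example, not part of the gist: one webroot -> domains map drives all
# client calls, and the web server is reloaded only when the certificate it
# serves changed. Paths are assumptions; map entries must not contain whitespace.
WEBROOT_MAP="
/srv/www/organizations/example-inc/www.example.com/htdocs/ example.com,www.example.com
/srv/www/organizations/example-inc/workbench.example.com/htdocs/ workbench.example.com,docs.example.com
"

# Argument list for one "letsencrypt certonly" call, printed as a single line.
build_args() {
    printf 'certonly --webroot-path %s --domains %s\n' "$1" "$2"
}

# Run the client once per map entry. LE_CMD may be overridden (e.g. "echo") for
# a dry run; the unquoted expansion is intentional so the arguments split.
renew_webroot() {
    ${LE_CMD:-letsencrypt} $(build_args "$1" "$2")
}

# Call "$1 webroot domains" for every non-empty line of WEBROOT_MAP.
for_each_webroot() {
    local cmd="$1" webroot domains
    while read -r webroot domains; do
        if [ -n "$webroot" ]; then "$cmd" "$webroot" "$domains"; fi
    done <<EOF
$WEBROOT_MAP
EOF
}

# Fingerprint a certificate file; POSIX cksum avoids an openssl dependency.
cert_fingerprint() {
    if [ -f "$1" ]; then cksum < "$1" | cut -d' ' -f1; else echo none; fi
}

# Reload unit $3 only if the fingerprint of $1 differs from $2 (taken before
# renewal). RELOAD_CMD may be overridden; returns 1 when nothing changed.
reload_if_changed() {
    local cert="$1" before="$2" unit="$3"
    [ "$(cert_fingerprint "$cert")" != "$before" ] || return 1
    echo "$cert changed, reloading $unit"
    ${RELOAD_CMD:-systemctl reload} "$unit"
}

# Cron entry point: snapshot the live cert (assumed client layout under
# /etc/letsencrypt/live/<domain>/), renew all entries, reload only if needed.
main() {
    local live=/etc/letsencrypt/live/example.com/fullchain.pem before
    before=$(cert_fingerprint "$live")
    for_each_webroot renew_webroot
    reload_if_changed "$live" "$before" nginx || echo "unchanged, no reload"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `letsencrypt-autorenew --run` from cron; without `--run` the file only defines the functions, so it can be sourced for testing with `LE_CMD=echo`.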
```ini
#
# Let's Encrypt configuration file for unattended operation,
# see also "letsencrypt-autorenew".
#
# letsencrypt-autorenew is a best practice blueprint for
# convenient automatic certificate renewal and service reloading.
#
# Setup::
#
#   wget -O /etc/letsencrypt/cli.ini https://gist.githubusercontent.com/amotl/99a113bdad8e1c50372a2a06364efca8/raw/letsencrypt-cli.ini
#
# Sources:
#   - https://community.letsencrypt.org/t/multiple-domains-webroot-paths-using-webroot-plugin/7982

# Please edit to be notified of certificate expirations
email = operations@example.com

# Standard settings
server = https://acme-v01.api.letsencrypt.org/directory
rsa-key-size = 4096
agree-tos = True
text = True
quiet = True

# Renew certificates only if required.
keep-until-expiring = True

# Renew certificates each and every time. Know what you're doing; the rate limits currently employed are:
# - Rate limit on registrations per IP is currently 10 per 3 hours
# - Rate limit on certificates per domain is currently 5 per 7 days
# -- https://community.letsencrypt.org/t/public-beta-rate-limits/4772/3
#renew-by-default = True
```
Hey, thanks for sharing the script. It would be nice if GitLab functionality were added. Since GitLab Omnibus comes with a bundled nginx, it needs some extra configuration, see: http://stackoverflow.com/a/34539809 .
So the autorenew would only need a helper to do `$ gitlab-ctl restart`.
greetings eins