@bmpandrade
Last active November 15, 2019 13:13

Using ACME script

Using the acme.sh script to handle Let's Encrypt certificates is a lifesaver. It automates certificate creation, DNS-based verification on DigitalOcean and automatic renewal from a cron job.

Download & Install

cd /tmp/
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install --log \
    --accountemail <admin mail> \
    --home /opt/acme \
    --config-home /opt/acme/data  \
    --cert-home  /opt/acme/certs

Export DigitalOcean credentials to allow DNS verification

You need to obtain a read/write capable API token from your DigitalOcean account. See: https://www.digitalocean.com/help/api/

export DO_API_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
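The token exported above is not only used once: after the first --issue, acme.sh saves DO_API_KEY into <config-home>/account.conf (here /opt/acme/data/account.conf) so that renewals can reuse it, and --install-cert later writes the private key into the Nginx directory. Both files should be readable by their owner only. The following check is an added example, not part of the gist; the paths in its usage comment are assumptions that follow the gist's layout.

```sh
#!/bin/sh
# Added example, not part of the gist. After the first --issue, acme.sh copies
# DO_API_KEY into <config-home>/account.conf so later renewals can reuse it, and
# --install-cert writes the private key into the Nginx directory. Both files
# should be readable by their owner only; this check reports any that are not.
# The paths in the usage comment are assumptions matching the gist's layout.

# check_private_file FILE
# Returns 0 when FILE is a regular file with no group/other permission bits,
# 1 otherwise (missing, or group/other can read/write/execute it).
check_private_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    # The first 10 characters of 'ls -ld' are the mode string, e.g. -rw-------
    mode=$(ls -ld "$f" | cut -c1-10)
    # Characters 5-10 are the group and other permission triplets
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) echo "OK       $f ($mode)"; return 0 ;;
        *)      echo "EXPOSED  $f ($mode): group/other bits set, run chmod 600"; return 1 ;;
    esac
}

# check_secret_files FILE...
# Runs check_private_file over every argument; returns 1 if any file fails.
check_secret_files() {
    status=0
    for f in "$@"; do
        check_private_file "$f" || status=1
    done
    return $status
}

# Stand-alone usage against the paths this gist sets up (assumed layout):
#   check_secret_files /opt/acme/data/account.conf \
#       /etc/nginx/acme.sh/example.com/key.pem
```

Run it from the cron user's account after the first issue and after every --install-cert; a non-zero exit is the signal to tighten permissions before the token or key is exposed to other local users.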

Issue a certificate

acme.sh --issue --dns dns_dgon -d <domain_to_generate_cert_to>

# Optionally, add a wildcard name to the same certificate (quote it so the shell does not expand the *):
acme.sh --issue --dns dns_dgon -d <domain_to_generate_cert_to> -d '*.<domain_to_generate_cert_to>'

Configure and install certs for Nginx use

Warning: do not point Nginx directly at the .cer files in the acme.sh cert home; copy them out with --install-cert as shown below.

mkdir -p /etc/nginx/acme.sh/<domain_to_generate_cert_to>

acme.sh --install-cert -d <domain_to_generate_cert_to> \
  --cert-file /etc/nginx/acme.sh/<domain_to_generate_cert_to>/cert.pem \
  --key-file /etc/nginx/acme.sh/<domain_to_generate_cert_to>/key.pem \
  --fullchain-file /etc/nginx/acme.sh/<domain_to_generate_cert_to>/fullchain.pem \
  --reloadcmd "systemctl reload nginx.service"

Edit Nginx conf to add SSL

Edit /etc/nginx/conf.d/site_name.conf and, inside the server block that serves HTTPS, add:

# SSL
# 'ssl on' is deprecated since nginx 1.15.0; newer configs use 'listen 443 ssl;' instead
ssl on;

ssl_certificate         /etc/nginx/acme.sh/<domain_to_generate_cert_to>/fullchain.pem;
ssl_certificate_key     /etc/nginx/acme.sh/<domain_to_generate_cert_to>/key.pem;
# Only consulted for OCSP stapling or client certificate verification, which expect CA certificates rather than the leaf
ssl_trusted_certificate /etc/nginx/acme.sh/<domain_to_generate_cert_to>/cert.pem;

# Enables all versions of TLS, but not SSLv2 or SSLv3, which are weak and now deprecated.
# Note: TLSv1 and TLSv1.1 have since been deprecated as well (RFC 8996); drop them where your clients allow.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

ssl_prefer_server_ciphers on;
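A missing semicolon in the snippet above stops Nginx from starting, and a weak ssl_protocols line silently keeps old protocol versions alive, so it is worth linting the block before reloading. The following is an added example, not part of the gist or of acme.sh: it reads directive text on stdin, checks that each directive is terminated with ';', flags the deprecated 'ssl on' directive, and flags SSLv2, SSLv3, TLSv1 and TLSv1.1 in ssl_protocols. The sample configuration text in its usage comment is constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the gist: a small lint for the Nginx TLS snippet
# above. It reads directive text on stdin, checks that each directive ends with
# ';' (nginx refuses to start otherwise), flags the deprecated 'ssl on'
# directive (replaced by 'listen 443 ssl;' since nginx 1.15.0) and flags
# SSLv2/SSLv3/TLSv1/TLSv1.1 in ssl_protocols (all deprecated by the IETF).

# lint_tls_snippet < config-text
# Prints one finding per line and returns the number of findings (0 = clean).
lint_tls_snippet() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip comments and surrounding whitespace
        stmt=$(printf '%s' "$line" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$stmt" ] || continue

        # Every directive must be terminated; block braces are the exception
        case $stmt in
            *\;|*\{|*\}) ;;
            *) echo "SYNTAX     missing ';' -> $stmt"; findings=$((findings + 1)) ;;
        esac

        case $stmt in
            "ssl on"*)
                echo "DEPRECATED 'ssl on' -> use 'listen 443 ssl;' instead"
                findings=$((findings + 1)) ;;
            ssl_protocols*)
                for v in SSLv2 SSLv3 TLSv1 TLSv1.1; do
                    # Compare whole tokens so TLSv1 does not match TLSv1.2
                    if printf '%s\n' "$stmt" | tr ' ;' '\n\n' | grep -qxF "$v"; then
                        echo "WEAK       ssl_protocols enables $v"
                        findings=$((findings + 1))
                    fi
                done ;;
        esac
    done
    return $findings
}

# Stand-alone usage: lint the server block of the site config (path from the gist)
#   lint_tls_snippet < /etc/nginx/conf.d/site_name.conf
# Constructed sample: the snippet above as written reports 'ssl on' plus TLSv1
# and TLSv1.1; with 'listen 443 ssl;' and 'ssl_protocols TLSv1.2 TLSv1.3;' it is clean.
```

The exit status is the number of findings, so the lint slots directly into a pre-reload check: run it, then 'nginx -t', and only reload when both are clean.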

Add a service reload when the cert is successfully renewed

Edit /opt/acme/certs/<domain>/<domain>.conf and set the field Le_RenewHook.

For example, if you want to reload Nginx when the cert is renewed:

vim /opt/acme/certs/<domain>/<domain>.conf
...
Le_RenewHook='systemctl reload nginx.service'
...

When the cron renewal job runs, it should output something like the following:

...
[Thu May 10 11:41:38 UTC 2018] Run renew hook:'systemctl reload nginx.service'
[Thu May 10 11:41:38 UTC 2018] ===End cron===
...
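A renewal that succeeds but never triggers the reload leaves Nginx serving the old certificate until it expires, so it pays to cross-check the hook configured in <domain>.conf against what the cron log actually records. The following is an added example, not part of the gist or of acme.sh. It assumes the conf stores the hook as Le_RenewHook='...' and that the log contains the "Run renew hook:'...'" and "===End cron===" lines, both in the form shown above; the file contents used in its comments are constructed for illustration, and the log path in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not part of the gist: confirm that the hook configured in
# <domain>.conf is the one the cron run actually executed. Assumptions: the
# conf stores the hook as Le_RenewHook='...' and the cron log contains the
# "Run renew hook:'...'" and "===End cron===" lines, both as shown above.

# renew_hook_from_conf CONF
# Prints the configured Le_RenewHook value; returns 1 when it is not set.
renew_hook_from_conf() {
    hook=$(sed -n "s/^Le_RenewHook='\(.*\)'$/\1/p" "$1" | tail -n 1)
    [ -n "$hook" ] || return 1
    printf '%s\n' "$hook"
}

# verify_renew_run CONF LOG
# Returns 0 when LOG shows the configured hook being run and a later
# "===End cron===" marker; returns 1 (with a one-line reason) otherwise.
verify_renew_run() {
    conf=$1
    log=$2
    hook=$(renew_hook_from_conf "$conf") || {
        echo "NO-HOOK  Le_RenewHook is not set in $conf"
        return 1
    }
    # The log quotes the hook exactly as configured, e.g. Run renew hook:'systemctl reload nginx.service'
    needle="Run renew hook:'$hook'"
    if awk -v needle="$needle" '
            index($0, needle)                  { ran = NR }
            index($0, "===End cron===") && ran { ended = 1 }
            END { if (ran && ended) exit 0; exit 1 }
        ' "$log"; then
        echo "OK       hook ran and cron finished: $hook"
        return 0
    fi
    echo "FAILED   no completed cron run executed: $hook"
    return 1
}

# Stand-alone usage (conf path follows the gist's --cert-home layout; log path is a placeholder):
#   verify_renew_run /opt/acme/certs/example.com/example.com.conf <acme.sh log file>
```

Because the check compares the literal hook string, it also catches the case where someone edits Le_RenewHook but the log still shows an older command, which usually means the conf was changed after the last cron run and the new hook has not yet been exercised.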