rgl/acmetool.txt

## acmetool.txt
See https://hlandau.github.io/acme/userguide

Install acmetool:

  add-apt-repository ppa:hlandau/rhea
  apt-get update
  apt-get install acmetool


See the default status and create the state directory:

  acmetool status
Settings:
  ACME_STATE_DIR: /var/lib/acme
  ACME_HOOKS_DIR: /usr/lib/acme/hooks
  Default directory URL:
  Preferred key type: rsa-2048
  Additional webroots:

Available accounts:


Configure nginx to proxy to acmetool:

  vim /etc/nginx/sites-available/ruilopes.com.conf
http {
  server {
    ...

    location /.well-known/acme-challenge/ {
      # (Change to port 4402 if using non-root mode.)
      proxy_pass http://127.0.0.1:402;
    }
  }
}

  systemctl restart nginx


Configure the responses, we'll use nginx to proxy to acmetool:
See https://github.com/hlandau/acme/blob/master/_doc/response-file.yaml
See https://github.com/hlandau/acme/search?utf8=%E2%9C%93&q=UniqueID

  cat<<'EOF'>/var/lib/acme/conf/responses
# This is a example of a response file, used with --response-file.
# It automatically answers prompts for unattended operation.
# grep for UniqueID in the source code for prompt names.
#  https://github.com/hlandau/acme/search?q=UniqueID
# Pass --response-file to all invocations, not just quickstart.
# If you don't pass --response-file, it will be looked for at "(state-dir)/conf/responses".
# You will typically want to use --response-file with --stdio or --batch.
# For dialogs not requiring a response, but merely acknowledgement, specify true.
# This file is YAML. Note that JSON is a subset of YAML.
"acme-enter-email": "rgl+letsencrypt@ruilopes.com"
"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf": true
#"acmetool-quickstart-choose-server": https://acme-staging.api.letsencrypt.org/directory
"acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
"acmetool-quickstart-choose-method": proxy
# This is only used if "acmetool-quickstart-choose-method" is "webroot".
"acmetool-quickstart-webroot-path": "/var/www/foo/bar/.well-known/acme-challenge"
"acmetool-quickstart-complete": true
"acmetool-quickstart-install-cronjob": true
"acmetool-quickstart-install-haproxy-script": false
"acmetool-quickstart-install-redirector-systemd": false
"acmetool-quickstart-key-type": ecdsa
"acmetool-quickstart-rsa-key-size": 4096
"acmetool-quickstart-ecdsa-curve": nistp256
EOF


Setup acmetool and create letsencrypt account (somewhere inside /var/lib/acme/accounts/):

  acmetool --batch quickstart

NB this also creates /etc/cron.d/acmetool to run acmetool every day.

Setup to automatically reload nginx after a certificate is renewed:

  #sed -i -E 's,(SERVICES=).+,\1"$SERVICES nginx",' /etc/default/acme-reload
  sed -i -E 's,(SERVICES=).+,\1"nginx",' /etc/default/acme-reload


Get the certificate for my domains:

  acmetool --batch want ruilopes.com www.ruilopes.com
  acmetool --batch want statica.info


See the certificate details:

  openssl x509 -noout -text -in /var/lib/acme/live/ruilopes.com/cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:92:4f:fe:bc:98:89:51:08:b3:4d:19:09:11:45:10:bf:84
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jun 15 20:31:00 2016 GMT
            Not After : Sep 13 20:31:00 2016 GMT
        Subject: CN=ruilopes.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:...
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                49:...
            X509v3 Authority Key Identifier:
                keyid:A8:...

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:ruilopes.com, DNS:www.ruilopes.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
         39:...


Configure nginx to use the SSL certificate:

  vim /etc/nginx/sites-available/ruilopes.com.conf
http {
  server {
    ...
    listen 443 default ssl;

    #ssl_certificate      /var/lib/acme/live/ruilopes.com/cert;
    ssl_certificate      /var/lib/acme/live/ruilopes.com/fullchain;
    ssl_certificate_key  /var/lib/acme/live/ruilopes.com/privkey;

    ...
  }
}


  vim /etc/nginx/sites-available/statica.info.conf
...


  systemctl restart nginx


See the final status:

  acmetool status
Settings:
  ACME_STATE_DIR: /var/lib/acme
  ACME_HOOKS_DIR: /usr/lib/acme/hooks
  Default directory URL: https://acme-v01.api.letsencrypt.org/directory
  Preferred key type: ecdsa-nistp256
  Additional webroots:

Available accounts:
  Account(acme-v01.api.letsencrypt.org%2fdirectory/mbh4rxhx6iu2lgs6irtbsu3kjh23okxhjbegdikwjdnhfgptsu3q)
    thumbprint: f4GJFCnKCI6ggTyEJtHl_LeXbt0poy5569DjuMn76G0

Target(ruilopes.com,www.ruilopes.com;https://acme-v01.api.letsencrypt.org/directory;0)
  best: Certificate(xgvbqm6cgijxkisqjo56ygw4gn5h5hwgc2rzpjtvtdvzlwwolmdq)
Target(statica.info;https://acme-v01.api.letsencrypt.org/directory;0)
  best: Certificate(lrglgvqe7wxfmlhjplrdfglos5aqglv56j4tqhwou34dwf7esl4q)


Do not forget to backup the state directory:

  /var/lib/acme


And also test your final setup with:

  https://www.ssllabs.com/ssltest/
	See https://hlandau.github.io/acme/userguide

	Install acmetool:

	add-apt-repository ppa:hlandau/rhea
	apt-get update
	apt-get install acmetool


	See the default status and create the state directory:

	acmetool status
	Settings:
	ACME_STATE_DIR: /var/lib/acme
	ACME_HOOKS_DIR: /usr/lib/acme/hooks
	Default directory URL:
	Preferred key type: rsa-2048
	Additional webroots:

	Available accounts:


	Configure nginx to proxy to acmetool:

	vim /etc/nginx/sites-available/ruilopes.com.conf
	http {
	server {
	...

	location /.well-known/acme-challenge/ {
	# (Change to port 4402 if using non-root mode.)
	proxy_pass http://127.0.0.1:402;
	}
	}
	}

	systemctl restart nginx


	Configure the responses, we'll use nginx to proxy to acmetool:
	See https://github.com/hlandau/acme/blob/master/_doc/response-file.yaml
	See https://github.com/hlandau/acme/search?utf8=%E2%9C%93&q=UniqueID

	cat<<'EOF'>/var/lib/acme/conf/responses
	# This is a example of a response file, used with --response-file.
	# It automatically answers prompts for unattended operation.
	# grep for UniqueID in the source code for prompt names.
	# https://github.com/hlandau/acme/search?q=UniqueID
	# Pass --response-file to all invocations, not just quickstart.
	# If you don't pass --response-file, it will be looked for at "(state-dir)/conf/responses".
	# You will typically want to use --response-file with --stdio or --batch.
	# For dialogs not requiring a response, but merely acknowledgement, specify true.
	# This file is YAML. Note that JSON is a subset of YAML.
	"acme-enter-email": "rgl+letsencrypt@ruilopes.com"
	"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf": true
	#"acmetool-quickstart-choose-server": https://acme-staging.api.letsencrypt.org/directory
	"acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
	"acmetool-quickstart-choose-method": proxy
	# This is only used if "acmetool-quickstart-choose-method" is "webroot".
	"acmetool-quickstart-webroot-path": "/var/www/foo/bar/.well-known/acme-challenge"
	"acmetool-quickstart-complete": true
	"acmetool-quickstart-install-cronjob": true
	"acmetool-quickstart-install-haproxy-script": false
	"acmetool-quickstart-install-redirector-systemd": false
	"acmetool-quickstart-key-type": ecdsa
	"acmetool-quickstart-rsa-key-size": 4096
	"acmetool-quickstart-ecdsa-curve": nistp256
	EOF


	Setup acmetool and create letsencrypt account (somewhere inside /var/lib/acme/accounts/):

	acmetool --batch quickstart

	NB this also creates /etc/cron.d/acmetool to run acmetool every day.

	Setup to automatically reload nginx after a certificate is renewed:

	#sed -i -E 's,(SERVICES=).+,\1"$SERVICES nginx",' /etc/default/acme-reload
	sed -i -E 's,(SERVICES=).+,\1"nginx",' /etc/default/acme-reload


	Get the certificate for my domains:

	acmetool --batch want ruilopes.com www.ruilopes.com
	acmetool --batch want statica.info


	See the certificate details:

	openssl x509 -noout -text -in /var/lib/acme/live/ruilopes.com/cert
	Certificate:
	Data:
	Version: 3 (0x2)
	Serial Number:
	03:92:4f:fe:bc:98:89:51:08:b3:4d:19:09:11:45:10:bf:84
	Signature Algorithm: sha256WithRSAEncryption
	Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
	Validity
	Not Before: Jun 15 20:31:00 2016 GMT
	Not After : Sep 13 20:31:00 2016 GMT
	Subject: CN=ruilopes.com
	Subject Public Key Info:
	Public Key Algorithm: id-ecPublicKey
	Public-Key: (256 bit)
	pub:
	04:...
	ASN1 OID: prime256v1
	X509v3 extensions:
	X509v3 Key Usage: critical
	Digital Signature
	X509v3 Extended Key Usage:
	TLS Web Server Authentication, TLS Web Client Authentication
	X509v3 Basic Constraints: critical
	CA:FALSE
	X509v3 Subject Key Identifier:
	49:...
	X509v3 Authority Key Identifier:
	keyid:A8:...

	Authority Information Access:
	OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
	CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

	X509v3 Subject Alternative Name:
	DNS:ruilopes.com, DNS:www.ruilopes.com
	X509v3 Certificate Policies:
	Policy: 2.23.140.1.2.1
	Policy: 1.3.6.1.4.1.44947.1.1.1
	CPS: http://cps.letsencrypt.org
	User Notice:
	Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

	Signature Algorithm: sha256WithRSAEncryption
	39:...


	Configure nginx to use the SSL certificate:

	vim /etc/nginx/sites-available/ruilopes.com.conf
	http {
	server {
	...
	listen 443 default ssl;

	#ssl_certificate /var/lib/acme/live/ruilopes.com/cert;
	ssl_certificate /var/lib/acme/live/ruilopes.com/fullchain;
	ssl_certificate_key /var/lib/acme/live/ruilopes.com/privkey;

	...
	}
	}


	vim /etc/nginx/sites-available/statica.info.conf
	...


	systemctl restart nginx


	See the final status:

	acmetool status
	Settings:
	ACME_STATE_DIR: /var/lib/acme
	ACME_HOOKS_DIR: /usr/lib/acme/hooks
	Default directory URL: https://acme-v01.api.letsencrypt.org/directory
	Preferred key type: ecdsa-nistp256
	Additional webroots:

	Available accounts:
	Account(acme-v01.api.letsencrypt.org%2fdirectory/mbh4rxhx6iu2lgs6irtbsu3kjh23okxhjbegdikwjdnhfgptsu3q)
	thumbprint: f4GJFCnKCI6ggTyEJtHl_LeXbt0poy5569DjuMn76G0

	Target(ruilopes.com,www.ruilopes.com;https://acme-v01.api.letsencrypt.org/directory;0)
	best: Certificate(xgvbqm6cgijxkisqjo56ygw4gn5h5hwgc2rzpjtvtdvzlwwolmdq)
	Target(statica.info;https://acme-v01.api.letsencrypt.org/directory;0)
	best: Certificate(lrglgvqe7wxfmlhjplrdfglos5aqglv56j4tqhwou34dwf7esl4q)


	Do not forget to backup the state directory:

	/var/lib/acme


	And also test your final setup with:

	https://www.ssllabs.com/ssltest/