@waja
Last active April 30, 2021 14:27
deploy dehydrated

Deploying dehydrated for apache2 on Debian Jessie:

wget https://gist.githubusercontent.com/waja/8df78afb09691e4f383d818685f48885/raw/deploy_dehydrated.sh \
 -O /tmp/deploy_dehydrated.sh && \
 bash /tmp/deploy_dehydrated.sh <registration email>

The script runs as root, installs the packages and fetches a second file from this gist (local.sh) into /etc/dehydrated/conf.d/, so read both before running them.

Now you need to create /etc/dehydrated/domains.txt as documented: one certificate per line, the primary name first, followed by any alternative names.

Running the cronjob for the initial request of certs:

/etc/cron.daily/dehydrated_autorenew

If you are hit by "Provided agreement URL ... does not match current agreement URL ..." you need at least dehydrated 0.4.0, for example from stretch-backports, and have to accept the current terms once:

/usr/bin/dehydrated -c --accept-terms && /etc/cron.daily/dehydrated_autorenew

Linking certs and keys into the usual places (/etc/ssl/certs/<domain>.pem and /etc/ssl/private/<domain>.key):

/usr/local/sbin/dehydrated_create_links

For distributed setups you might want to have a look into "Using redirects" or "Use and automate letsencrypt certificates (ACME) in a high-availability environment".
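The hook.sh that deploy_dehydrated.sh writes restarts apache2 on every deploy_cert, whatever was deployed. The following is an added example, not part of this gist and not dehydrated's own example hook: a stricter hook that checks the new fullchain.pem against privkey.pem and the leaf's remaining validity before reloading (not restarting) apache2, and only after apache2ctl configtest passes. It uses the deploy_cert argument order documented in local.sh below (domain, privkey, cert, fullchain; newer dehydrated releases append the chain file and a timestamp, which this hook ignores). The function names pub_of_key, pub_of_cert, cert_matches_key, cert_valid_for_days and deploy_cert are hypothetical; openssl, apache2ctl and service are the standard Debian tools.

```sh
#!/bin/sh
# Added example (not the gist's hook.sh): validate before reloading apache2.
# Argument layout assumed as in local.sh on this page:
#   deploy_cert DOMAIN PRIVKEY CERT FULLCHAIN [CHAIN TIMESTAMP]
# Names pub_of_key, pub_of_cert, cert_matches_key, cert_valid_for_days and
# deploy_cert are hypothetical.

# SubjectPublicKeyInfo (PEM) derived from a private key ...
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
# ... and taken from a certificate. The first cert in fullchain.pem is the leaf.
pub_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# Return 0 only when CERT's leaf carries the public key belonging to KEY.
# A missing or unreadable key yields an empty string and therefore never matches.
cert_matches_key() {
    k="$(pub_of_key "$1")"
    c="$(pub_of_cert "$2")"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when CERT stays valid for at least DAYS more days (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

deploy_cert() {
    domain="$1"; privkey="$2"; cert="$3"; fullchain="$4"
    if ! cert_matches_key "$privkey" "$fullchain"; then
        echo "hook: $domain: fullchain.pem does not belong to privkey.pem, not reloading" >&2
        return 1
    fi
    if ! cert_valid_for_days "$cert" 30; then
        echo "hook: $domain: new certificate is valid for less than 30 days, not reloading" >&2
        return 1
    fi
    # A syntax error in another vhost would otherwise take the whole server down.
    if ! apache2ctl configtest >/dev/null 2>&1; then
        echo "hook: $domain: apache2 configtest failed, not reloading" >&2
        return 1
    fi
    # reload, not restart: a graceful reload re-reads the linked cert files
    service apache2 reload
}

case "${1:-}" in
    deploy_cert) shift; deploy_cert "$@" ;;
    *) ;;   # challenge stages are served by the dehydrated-apache2 alias; nothing to do
esac
```

Install it as /etc/dehydrated/hook.sh (mode 0755) in place of the one-liner the deploy script creates; dehydrated's non-zero exit from the hook shows up in the cron mail instead of a silently restarted apache2 serving a bad chain.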

#!/bin/bash
# deploy_dehydrated.sh: install dehydrated + dehydrated-apache2 (from
# jessie-backports on Jessie), write the daily renew cron job, the link helper
# and a minimal hook.sh, and drop the local.sh config from this gist into
# /etc/dehydrated/conf.d/. Usage: deploy_dehydrated.sh <registration email>
set -eu
if [ $# -ne 1 ]; then
  echo "usage: $0 <registration email>" >&2
  exit 1
fi
CONTACT="$1"
CRON="/etc/cron.daily/dehydrated_autorenew"
CONFIGURL="https://gist.githubusercontent.com/waja/8df78afb09691e4f383d818685f48885/raw/local.sh"
CONFIGNAME="$(basename "${CONFIGURL}")"
CONFIGPATH="/etc/dehydrated/conf.d"
LINKSCRIPT="/usr/local/sbin/dehydrated_create_links"
HOOKNAME="hook.sh"
HOOKPATH="/etc/dehydrated"
BPO=""
if [ "$(lsb_release -cs)" = "jessie" ]; then
  BPO="-t $(lsb_release -cs)-backports"
fi
PACKAGES="dehydrated dehydrated-apache2"
# ${BPO} is intentionally unquoted: it expands to nothing or to "-t jessie-backports"
apt-get install -y ${BPO} ${PACKAGES}
# Daily renewal. The grep only hides dehydrated's routine chatter so that cron
# mails on real output; "exit 0" keeps a failed run from failing the cron job.
if [ ! -x "${CRON}" ]; then
cat > "${CRON}" <<'EOF'
#!/bin/bash
test -x /usr/bin/dehydrated && /usr/bin/dehydrated -c -g | grep -v -E "(^#|^Processing|Skipping renew|unchanged|Checking expire date of existing cert|Certificate will not expire|^$)"; exit 0
EOF
chmod +x "${CRON}"
fi
# Link every certificate named in domains.txt into /etc/ssl; existing links are left alone.
cat > "${LINKSCRIPT}" <<'EOF'
#!/bin/bash
for CERT in $(awk '{print $1}' /etc/dehydrated/domains.txt); do
  if [ -f "/var/lib/dehydrated/certs/${CERT}/privkey.pem" ] && ! [ -L "/etc/ssl/private/${CERT}.key" ]; then
    ln -s "/var/lib/dehydrated/certs/${CERT}/privkey.pem" "/etc/ssl/private/${CERT}.key"
  fi
  if [ -f "/var/lib/dehydrated/certs/${CERT}/fullchain.pem" ] && ! [ -L "/etc/ssl/certs/${CERT}.pem" ]; then
    ln -s "/var/lib/dehydrated/certs/${CERT}/fullchain.pem" "/etc/ssl/certs/${CERT}.pem"
  fi
done
EOF
chmod +x "${LINKSCRIPT}"
# Fix #941414 (for now): match the Replay-Nonce header case-insensitively
sed -i "s/grep Replay-Nonce:/grep -i ^Replay-Nonce:/" /usr/bin/dehydrated
[ -f "${CONFIGPATH}/${CONFIGNAME}" ] || wget "${CONFIGURL}" -O "${CONFIGPATH}/${CONFIGNAME}"
# "=.*" replaces the whole value, so re-running the script does not append to it
sed -i "s|^CONTACT_EMAIL=.*|CONTACT_EMAIL=${CONTACT}|" "${CONFIGPATH}/${CONFIGNAME}"
if [ ! -f "${HOOKPATH}/${HOOKNAME}" ]; then
  printf '#!/bin/sh\n\n# See also https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh\n\n[ "$1" != "deploy_cert" ] || /usr/sbin/service apache2 restart\n' > "${HOOKPATH}/${HOOKNAME}"
fi
chmod +x "${HOOKPATH}/${HOOKNAME}"
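Linking is not a verification: dehydrated_create_links only creates symlinks, it does not tell you whether the certificate behind /etc/ssl/certs/<domain>.pem still covers what domains.txt says it should. The following is an added example, not from this gist, of a check to run after the link script (for instance from the same cron job). It reads domains.txt in the same "primary altname ..." form the link script expects and confirms that the linked <primary>.pem exists, has more than 30 days left and lists every name on the line as a DNS subjectAltName. The function names san_names and check_domains and the parameterised paths are assumptions; the "> alias" suffix newer dehydrated accepts in domains.txt is not handled.

```sh
#!/bin/sh
# Added example (not part of the gist): audit the certificates that
# dehydrated_create_links exposed under /etc/ssl against domains.txt.
# Function names san_names and check_domains are hypothetical; the "> alias"
# suffix that newer dehydrated accepts in domains.txt is not handled.

# Print the DNS names from CERT's subjectAltName, one per line.
# Uses -text rather than -ext so it also works with OpenSSL < 1.1.1.
san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:[[:space:]]*//p'
}

# check_domains DOMAINS_FILE CERT_DIR
# One finding per line on stdout; returns 1 if any certificate is missing,
# expires within 30 days, or lacks a name from its domains.txt line.
check_domains() {
    domains="$1"; certdir="$2"; rc=0
    while read -r primary alts; do
        # skip blank lines and comments
        case "$primary" in ''|'#'*) continue ;; esac
        cert="$certdir/$primary.pem"
        if [ ! -e "$cert" ]; then
            printf '%s\n' "$primary: no certificate at $cert"
            rc=1
            continue
        fi
        if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
            printf '%s\n' "$primary: certificate expires within 30 days"
            rc=1
        fi
        sans="$(san_names "$cert" || true)"
        # set -f: a wildcard name such as *.example must not be glob-expanded
        set -f
        for name in $primary $alts; do
            if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
                printf '%s\n' "$primary: name $name is not in the certificate's SAN list"
                rc=1
            fi
        done
        set +f
    done < "$domains"
    return $rc
}

# Production call (paths as used by deploy_dehydrated.sh); exit status feeds the cron mail.
# check_domains /etc/dehydrated/domains.txt /etc/ssl/certs
```

Because every name, including the primary one, is looked up in the SAN list rather than in the subject CN, the check also catches the case where a name was added to domains.txt but the certificate has not been reissued yet.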
# lighttpd.conf snippet: serve the http-01 challenge files that dehydrated writes
# to /var/lib/dehydrated/acme-challenges (its WELLKNOWN directory on Debian);
# the dehydrated-apache2 package ships the equivalent alias for apache2.
alias.url += (
    "/.well-known/acme-challenge/" => "/var/lib/dehydrated/acme-challenges/",
)
# local.sh: site overrides for dehydrated, installed into /etc/dehydrated/conf.d/
# by deploy_dehydrated.sh (CONTACT_EMAIL is filled in by that script)

# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
# Note: the ACME v1 endpoint named here has since been retired by Let's Encrypt;
# current dehydrated releases default to the v2 directory, so leave CA unset.
#CA="https://acme-v01.api.letsencrypt.org/directory"

# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
HOOK='/etc/dehydrated/hook.sh'

# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
HOOK_CHAIN="yes"

# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=rsa

# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL=
#!/bin/bash
# Migration from the letsencrypt.sh transition package to dehydrated on Jessie.
# Run once, as root; afterwards the cron job, config and links are the ones
# deploy_dehydrated.sh expects. Stops at the first failing step.
set -e
# install (transition) package
aptitude -t jessie-backports install letsencrypt.sh letsencrypt.sh-apache2
# migrate config over to dehydrated
sed -i 's/letsencrypt\.sh/dehydrated/g' /etc/cron.daily/letsencrypt_autorenew
mv /etc/cron.daily/letsencrypt_autorenew /etc/cron.daily/dehydrated_autorenew
mv /var/lib/letsencrypt.sh/certs/ /var/lib/letsencrypt.sh/accounts/ /var/lib/dehydrated/
mv /etc/letsencrypt.sh/conf.d/* /etc/dehydrated/conf.d/
mv /etc/letsencrypt.sh/domains.txt /etc/letsencrypt.sh/hook.sh /etc/dehydrated/
sed -i 's/letsencrypt\.sh/dehydrated/g' /etc/dehydrated/conf.d/*
# migrate certificate links to dehydrated (the old links point into /var/lib/letsencrypt.sh)
for CERT in $(awk '{print $1}' /etc/dehydrated/domains.txt); do
  test -L "/etc/ssl/certs/${CERT}.pem" && rm "/etc/ssl/certs/${CERT}.pem"
  test -L "/etc/ssl/private/${CERT}.key" && rm "/etc/ssl/private/${CERT}.key"
  test -e "/var/lib/dehydrated/certs/${CERT}/privkey.pem" && \
    ln -s "/var/lib/dehydrated/certs/${CERT}/privkey.pem" "/etc/ssl/private/${CERT}.key"
  test -e "/var/lib/dehydrated/certs/${CERT}/fullchain.pem" && \
    ln -s "/var/lib/dehydrated/certs/${CERT}/fullchain.pem" "/etc/ssl/certs/${CERT}.pem"
done
# remove obsolete apache configuration and reload apache2
rm -f /etc/apache2/conf-available/letsencrypt.sh.conf /etc/apache2/conf-enabled/letsencrypt.sh.conf
/etc/init.d/apache2 reload
#!/bin/bash
# Recreate /etc/cron.daily/dehydrated_autorenew from scratch. This variant calls
# dehydrated without the -g (--keep-going) flag that deploy_dehydrated.sh uses.
CRON="/etc/cron.daily/dehydrated_autorenew"
rm -f "${CRON}"
cat > "${CRON}" <<'EOF'
#!/bin/bash
test -x /usr/bin/dehydrated && /usr/bin/dehydrated -c | grep -v -E "(^#|^Processing|Skipping renew|unchanged|Checking expire date of existing cert|Certificate will not expire|^$)"; exit 0
EOF
chmod +x "${CRON}"