Place lego.service and lego.service in /etc/systemd/system.
Place config in /var/lib/lego and nginx-example.com.sh in /var/lib/lego/scripts.
You should modify config and nginx-example.com.sh.
Finally execute sudo systemctl enable lego.timer.
Lego's files are stored in /var/lib/lego. You need to create this directory and use lego ... run to create acme account.
I'm using DNS challenge and didn't test HTTP challenge. Please tell me if it works.
| SERVER="https://acme-v02.api.letsencrypt.org/directory" | |
| EMAIL="email@example.com" | |
| DOMAIN="example.com" | |
| HOOK="/var/lib/lego/scripts/nginx-example.com.sh" | |
| ARGS="--dns ns1" | |
| NS1_API_KEY="your api key" |
| [Unit] | |
| Description=Lets Encrypt client and ACME library written in Go | |
| [Service] | |
| EnvironmentFile=/var/lib/lego/config | |
| WorkingDirectory=/var/lib/lego | |
| ExecStart=/usr/local/bin/lego --path . -s ${SERVER} -m ${EMAIL} -d ${DOMAIN} $ARGS renew --renew-hook ${HOOK} | |
| Type=oneshot |
| [Unit] | |
| Description=Lets Encrypt client and ACME library written in Go | |
| [Timer] | |
| OnCalendar=daily | |
| RandomizedDelaySec=30m | |
| Persistent=true | |
| [Install] | |
| WantedBy=timers.target |
| #!/bin/sh | |
| CERT_PATH=/etc/nginx/ssl/example.com.crt | |
| CERT_KEY_PATH=/etc/nginx/ssl/example.com.key | |
| cat "${PWD}/${LEGO_CERT_PATH}" > "${CERT_PATH}" | |
| cat "${PWD}/${LEGO_CERT_KEY_PATH}" > "${CERT_KEY_PATH}" | |
| systemctl reload nginx.service |
Thank you for the code, it helped me a lot in configuring my setup.
FYI: It works fine with http.webroot.
Additionally, I run the "lego" service from a different user (by default the systemd runs from the root, which is not safe).