Author Topic: How to LetsEncrypt for fun and profit  (Read 492 times)

efarayenkay

  • Zen Apprentice
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
How to LetsEncrypt for fun and profit
« on: September 14, 2018, 08:09:41 am »
UPDATE 2018-11-12 - remove requirement to restart Apache - doesn't work in that form and isn't needed anyway

Hi there

Not sure if there's a post about this already, but I've come up with a method to automate the creation and installation of Let's Encrypt certificates which I would like to share with you.

Step 1: Install the letsencrypt package, and its prerequisities:

Code: [Select]
admin@zentyla:~$ sudo apt-get install letsencrypt
Step 2: Find where the certificates currently live:

Code: [Select]
admin@zentyla:~$ grep "^\s*SSLCertificate" /etc/apache2/sites-enabled/default-ssl.conf
Step 3: Assuming the default location, create the script:

Code: [Select]
admin@zentyla:~$ cat > update_certs.sh <<EOF
#!/bin/sh

LIVECERT=/etc/letsencrypt/live/first.domain.com/fullchain.pem
SSLCERT=/etc/ssl/certs/ssl-cert-snakeoil.pem
LIVEKEY=/etc/letsencrypt/live/first.domain.com/privkey.pem
SSLKEY=/etc/ssl/private/ssl-cert-snakeoil.key

letsencrypt certonly --webroot -w /var/www/html/ -d first.domain.com -d second.domain.com -d third.domain.com  --keep
if [ $LIVECERT -nt $SSLCERT ]
then
        cp $LIVECERT $SSLCERT
        cp $LIVEKEY $SSLKEY
        # This is both unnecessary and doesn't work anyway
        #service apache2 restart
fi

EOF
admin@zentyla:~$ chmod +x update_certs.sh

Step 3: Open root's crontab - if this is your first time it will ask you for a choice of editor.  Nano is the simplest.

Code: [Select]
admin@zentyla:~$ sudo crontab -e
Step 4: Add the following line to the open editor - replace admin with your admin username - this will set it to run on the 12th of each month at midnight (change the 12 to any number between 1 and 28 to change the day it runs - don't choose 29 to 31 since they don't always occur):

Code: [Select]
0 0 12 * * /home/admin/update_certs.sh
Step 5: Ensure port 80 on your Zentyal server can be reached from the outside (I'll leave that as an exercise for the reader) and run the script manually:

Code: [Select]
admin@zentyla:~$ sudo ./update_certs.sh
And, so long as you got a successful outcome of the letsencrypt program, you should be set.
« Last Edit: November 12, 2018, 12:08:37 am by efarayenkay »

Neustradamus

  • Zen Monk
  • **
  • Posts: 63
  • Karma: +0/-2
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #1 on: November 07, 2018, 11:10:07 pm »
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836

efarayenkay

  • Zen Apprentice
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: How to LetsEncrypt for fun and profit
« Reply #2 on: November 12, 2018, 12:10:54 am »
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836

If I could work out how to do that, I would write a module for this.  Annoyingly, the development documentation is extremely fragmented and out of date.