Skip to content

Instantly share code, notes, and snippets.

@thynson

thynson/Let's-encrypt-with-systemd.md

Last active April 18, 2017 03:10
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save thynson/e82d42f8d469e93f3f8439c2c5195087 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save thynson/e82d42f8d469e93f3f8439c2c5195087 to your computer and use it in GitHub Desktop.
Download ZIP
Let's Encrypt Certificate Renew Script Set
Raw
example.com.cnf
# This is an example for OpenSSL Certificate Request Configuration
[req]
req_extensions=v3_req
distinguished_name=req_distinguished_name
prompt=no
[req_distinguished_name]
C=XX
O=Example
CN=example.com
[v3_req]
subjectAltName = @alt_names
[alt_names] =
DNS.1 = example.com
DNS.2 = www.example.com
# ...
Raw
Let's-encrypt-with-systemd.md

This script set help your renew your certificate from Let's Encrypt.

How to use

Suppose you have a domain example.com

  • Generate a private key

    mkdir -p /etc/letsencrypt
openssl genrsa 2048 > /etc/letsencrypt/example.com.key

  • Install script set

    • Copy renew in this gist to /etc/letsencrypt/
    • Copy [email protected] and letsencrypt.service in this gist to /etc/systemd/system

  • Write an OpenSSL certificate request configuration

    See example.com.cnf as example.

  • Configure your web server

    Let's encrypt will access http://example.com/.well-known/xxxxxxxx to do domain verification.

    Configure your web server to make sure such request will response a file of /var/www/letsencrypt/webroot/xxxxxxxx, see nginx.conf of this gist as an example.

  • Enable the systemd timer

    Execute the following command to get your certificate

    systemctl start [email protected]

    Execute the following command to let systemd run the above command once a month.

    systemctl enable [email protected]

    Your certificates will be put at /var/www/certificates/example.com/, which is a link to /var/www/archieves/example.com-YYYY-MM-dd, all certificates are archieved.

    Once your certificates got renewed, the symbol link /var/www/certificates/example.com/ will be update

Raw
[email protected]
[Unit]
Description=Let's encrypt %i
[Service]
Type=simple
ExecStart=/etc/letsencrypt/renew %i
StandardOutput=journal
StandardError=journal
Raw
[email protected]
# This is a systemd timer unit template
# Install this file to /etc/systemd/system and enable this timer via
#
# systemctl enale letsencrypt@<domain.name>.timer
#
[Unit]
Description=Schedule for Let's enscrypt %i
[Timer]
OnCalendar=*-*-03 00:00:00 UTC
[Install]
WantedBy=network.target
Raw
nginx.conf
server {
listen 80 default_server;
server_name example.com;
location /.well-known/ {
root /var/www/letsencrypt/webroot;
try_files $uri @redirect;
}
location / {
return 301 https://$host$request_uri;
}
location @redirect {
return 301 https://$host$request_uri;
}
}
Raw
renew
#!/bin/bash
#
# Install this file to /etc/letsencrypt
# Renew a domain via /etc/letsencrypt/renew <domain.name>
# - You need to provide a private key file at /etc/letsencrypt/<domain.name>.key
# - You need to privide a OpenSSL certificate request config
# at /etc/letsencrypt/<domain.name>.cnf
#
domain=$1
date=`date --iso-8601`
dst=/var/www/archieves/$domain-$date
key=/etc/letsencrypt/$domain.key
cnf=/etc/letsencrypt/$domain.cnf
[[ -d $dst ]] && exit
mkdir -p $dst || exit
openssl req -config $cnf -new -key $key -out $dst/csr.pem
ln -snf $key $dst/key.pem
letsencrypt --csr $dst/csr.pem \
--cert-path $dst/crt.pem \
--chain-path $dst/crtchain.pem \
--fullchain-path $dst/crtfullchain.pem \
--webroot -w /var/www/letsencrypt/webroot \
certonly
ln -sfT $dst /var/www/certificates/$domain
# If you're using other webserver, replace the following line with as you need
nginx -s reload
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment