https://github.com/diafygi/acme-tiny
Make sure file permissions are such that the deploy user (which runs the renewal cron job below) cannot read domain.key. That user only needs read access to account.key and domain.csr, and write access to the challenge directory and the three output files (signed.crt, intermediate.pem, chained.pem); the private key is loaded by httpd/postfix as root and must stay root-only.
As the deploy user, run `crontab -e` and add the line below. It runs the renewal at 00:00 on the 1st of every month and appends the script's stderr to /var/log/acme_tiny.log — that file must exist and be writable by deploy (create it as root and `chown deploy`), otherwise the redirect fails and nothing is logged; stdout still goes to cron mail.
0 0 1 * * /opt/renew_ssl_cert.sh 2>> /var/log/acme_tiny.log
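# Serve /.well-known/ from one shared directory for every vhost, so the ACME
# HTTP-01 challenge token acme-tiny drops into /var/www/.well-known/acme-challenge/
# is reachable no matter which site name the CA requests. Put this in the
# server-wide config (not inside a single <VirtualHost>), and note the CA fetches
# the token over plain HTTP, so the :80 vhosts must not redirect this path away.
Alias /.well-known/ "/var/www/.well-known/"
<Directory "/var/www/.well-known">
AllowOverride None
# This directory is writable by the unprivileged deploy user and only ever
# holds static challenge tokens, so it needs no options at all; it was
# `IncludesNoExec`, which would let server-side includes run on files the
# deploy user writes here.
Options None
# Apache 2.2 access-control syntax (what CentOS 5/6 ship); on Apache 2.4
# replace these two lines with `Require all granted`.
Order allow,deny
Allow from all
</Directory>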
# point SSL conf to ssl keys:
<VirtualHost *:443>
# ...
SSLEngine On
# chained.pem is signed.crt followed by intermediate.pem, rewritten in place by
# renew_ssl_cert.sh; the script's `service httpd reload` makes httpd re-read it.
SSLCertificateFile /etc/letsencrypt/chained.pem
# The private key is read by httpd at (re)start — typically still as root, before
# it drops privileges. Keep it 0600 root-owned; the deploy user must not be able
# to read it (it only needs the CSR and the account key).
SSLCertificateKeyFile /etc/letsencrypt/domain.key
</VirtualHost>
Make a copy of openssl.cnf and add the additional domains the cert should cover:
cp /etc/pki/tls/openssl.cnf /etc/letsencrypt/openssl.cnf
Then edit /etc/letsencrypt/openssl.cnf so that the [ req ] section enables the v3_req extensions and v3_req carries the subjectAltName list:
# In the [ req ] section: attach the v3_req extensions to generated CSRs
# (the CSR command below also passes -reqexts v3_req explicitly).
req_extensions = v3_req
[ v3_req ]
# ...
subjectAltName = @alt_names
# Every host name the certificate must be valid for. Modern clients match the
# SAN list only, so also list the name used as CN in `-subj "/CN=$DOMAIN"` here
# rather than relying on the CN — NOTE(review): confirm the CN is covered.
# acme-tiny completes an HTTP-01 challenge for each of these names, so each one
# must resolve to this server and serve /.well-known/acme-challenge/ over HTTP
# (including mail.domain.com).
[alt_names]
DNS.1=www.domain.com
DNS.2=mail.domain.com
DNS.3=foobar.com
DNS.4=www.foobar.com
Edit /etc/postfix/main.cf to point Postfix at the new certificate chain and key (the mail host name must be in the SAN list above):
# Same chain file httpd uses; renew_ssl_cert.sh rewrites it and then runs
# `service postfix reload` so the new chain takes effect.
smtpd_tls_cert_file = /etc/letsencrypt/chained.pem
# Private key: must remain 0600 root-owned. Postfix reads it with root
# privileges, and the deploy user never needs it.
smtpd_tls_key_file = /etc/letsencrypt/domain.key
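# One-time setup, run as root.
# acme_tiny requires python 2.7, which CentOS 5/6 do not ship; take it from IUS.
# NOTE(review): `rpm -Uvh` still installs when the package signature cannot be
# checked (it only prints a NOKEY warning). Import the IUS signing key and run
# `rpm -K ius-release*.rpm` first so an unsigned or tampered release RPM is rejected.
wget https://centos5.iuscommunity.org/ius-release.rpm
sudo rpm -Uvh ius-release*.rpm
yum -y install python27 python27-devel python27-pip python27-setuptools python27-virtualenv --enablerepo=ius

# acme-tiny is a single file that gets handed the ACME account key; read it
# before trusting it, and check out a reviewed tag/commit instead of whatever
# `master` holds on the day this runs.
git clone https://github.com/diafygi/acme-tiny.git /opt/acme-tiny
sed -i "s|--python python2|--python python2.7|" /opt/acme-tiny/acme_tiny.py

# $DOMAIN is the certificate CN; it was used below without ever being set.
: "${DOMAIN:?set DOMAIN to the certificate's CN, e.g. DOMAIN=mydomain.com}"

mkdir -p /etc/letsencrypt/
# Generate both keys under a 077 umask: the original `openssl genrsa > file`
# created the key with the default umask (usually world-readable) and only
# chmod'ed it afterwards, leaving a window where anyone could copy it.
(
  umask 077
  openssl genrsa -out /etc/letsencrypt/account.key 4096
  openssl genrsa -out /etc/letsencrypt/domain.key 4096
)
# domain.key is loaded by httpd/postfix as root and must never be readable by deploy.
chown root:root /etc/letsencrypt/domain.key
chmod 600 /etc/letsencrypt/domain.key
# account.key is read by renew_ssl_cert.sh, which runs from the deploy user's crontab.
chown deploy /etc/letsencrypt/account.key
chmod 600 /etc/letsencrypt/account.key

# generate cert request (public data; deploy needs to read it):
openssl req -new -sha256 -key /etc/letsencrypt/domain.key -subj "/CN=$DOMAIN" -reqexts v3_req -config /etc/letsencrypt/openssl.cnf -out /etc/letsencrypt/domain.csr
chmod 644 /etc/letsencrypt/domain.csr

# The renewal script rewrites these three files in place. Pre-create them owned
# by deploy so /etc/letsencrypt itself can stay root-owned: if deploy could write
# the directory it could also replace or delete domain.key.
for f in signed.crt intermediate.pem chained.pem; do
  touch "/etc/letsencrypt/$f"
  chown deploy "/etc/letsencrypt/$f"
  chmod 644 "/etc/letsencrypt/$f"
done

# Log file named in the deploy crontab entry; /var/log is not writable by deploy.
touch /var/log/acme_tiny.log
chown deploy /var/log/acme_tiny.log

# HTTP-01 challenge directory, written by acme-tiny running as deploy.
mkdir -p /var/www/.well-known/acme-challenge/
chown -R deploy /var/www/.well-known/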
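#!/usr/bin/env bash
# renew_ssl_cert.sh — request a fresh Let's Encrypt certificate with acme-tiny
# and install it for httpd and postfix. Runs unattended from the deploy user's
# crontab; diagnostics go to stderr (which the crontab entry appends to the log).
#
# The original used `[[` and `(( ))` under #!/usr/bin/sh, compared $tries with
# itself (so it always reported failure and never reloaded the services), echoed
# an undefined $domain, and concatenated an unchecked wget result into chained.pem.
#
# Exit status: 0 when a verified certificate was installed and both services
# reloaded; 1 on any failure, in which case the live files are left untouched.
set -euo pipefail

DOMAIN=mydomain.com
KEY=/etc/letsencrypt/account.key           # ACME account key (readable by deploy)
CSR=/etc/letsencrypt/domain.csr            # CSR signed with domain.key, which deploy never reads
DIR=/var/www/.well-known/acme-challenge/   # served over HTTP for every vhost
NEWCERT=/etc/letsencrypt/signed.crt
INTERMEDIATE=/etc/letsencrypt/intermediate.pem
CHAINED=/etc/letsencrypt/chained.pem
# NOTE(review): hard-coded issuer intermediate. When Let's Encrypt rotates
# intermediates the chain check below fails until this URL is updated.
INTERMEDIATE_URL=https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
maxtries=10

die() { printf '%s\n' "$*" >&2; exit 1; }

# Stage everything in a private temp dir and only copy over the live files once
# it has been checked, so a failed run cannot leave httpd/postfix with an empty
# or mismatched chained.pem.
tmpdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"' EXIT

# 1. Obtain the certificate, retrying up to $maxtries times a minute apart
#    (the CA or the challenge fetch can be transiently unavailable).
issued=0
for ((attempt = 1; attempt <= maxtries; attempt++)); do
  if python2.7 /opt/acme-tiny/acme_tiny.py \
      --account-key "$KEY" \
      --csr "$CSR" \
      --acme-dir "$DIR" > "$tmpdir/signed.crt"; then
    issued=1
    break
  fi
  printf 'attempt %d/%d failed for %s; retrying in 60s\n' "$attempt" "$maxtries" "$DOMAIN" >&2
  sleep 60
done
(( issued )) || die "Failure to update $DOMAIN"

# 2. Fetch the issuer intermediate; check the download instead of trusting it.
wget -q -O "$tmpdir/intermediate.pem" "$INTERMEDIATE_URL" \
  || die "could not download intermediate from $INTERMEDIATE_URL"

# 3. Sanity-check before touching anything the services load:
#    - both files parse as X.509 certificates,
#    - the new cert carries the public key from our CSR (i.e. it matches domain.key),
#    - the leaf verifies through the intermediate (requires the system CA bundle
#      to trust the issuer's root). Older openssl releases return 0 from
#      `verify` even on failure, so the ": OK" line is checked, not the exit code.
openssl x509 -noout -in "$tmpdir/signed.crt" || die "acme-tiny output is not a certificate"
openssl x509 -noout -in "$tmpdir/intermediate.pem" || die "downloaded intermediate is not a certificate"
csr_pub=$(openssl req -noout -pubkey -in "$CSR")
cert_pub=$(openssl x509 -noout -pubkey -in "$tmpdir/signed.crt")
[[ "$csr_pub" == "$cert_pub" ]] || die "issued certificate does not match the public key in $CSR"
openssl verify -untrusted "$tmpdir/intermediate.pem" "$tmpdir/signed.crt" | grep -q ': OK$' \
  || die "certificate chain does not verify"

# 4. Install. The live files are rewritten in place (truncate + write) rather
#    than mv'ed, so this works with a root-owned /etc/letsencrypt in which only
#    these three files belong to deploy.
cat "$tmpdir/signed.crt" > "$NEWCERT"
cat "$tmpdir/intermediate.pem" > "$INTERMEDIATE"
cat "$tmpdir/signed.crt" "$tmpdir/intermediate.pem" > "$CHAINED"

# 5. Make the services pick up the new chain; sudoers grants exactly these two commands.
sudo service postfix reload
sudo service httpd reload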
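# Add ability for the deploy user to reload services without a password, so
# renew_ssl_cert.sh (run from deploy's crontab) can restart them after the
# SSL cert is renewed. Edit with visudo.
# SERVICES was referenced but never defined; it must list the exact commands
# the script runs. Granting bare `service` (no arguments) would let deploy
# start/stop/restart any service on the host.
# NOTE(review): path assumed to be /sbin/service as on CentOS 5/6 — confirm with `command -v service`.
Cmnd_Alias SERVICES = /sbin/service httpd reload, /sbin/service postfix reload
# CentOS sudoers ships `Defaults requiretty`, which makes sudo fail from cron
# (no tty); relax it for this user only — NOTE(review): confirm against your sudoers.
Defaults:deploy !requiretty
deploy ALL=NOPASSWD: SERVICES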