@phutidus
Last active December 28, 2023 08:29
Setup Let's Encrypt for GUI on EdgeRouter X using DNS-01 challenge
#!/bin/bash
# script original path: /config/scripts/setup-letsencrypt.sh
# Setup Let's Encrypt for GUI (works for me)
# tested on EdgeRouter X (v1.9.1), logged in as root
# only needs to be run once after a reset or firmware upgrade
# I chose acme.sh (https://github.com/Neilpang/acme.sh) to handle the certificate issuing process
# using the DNS-01 challenge to verify my domain
DOMAIN=a.domain.under.your.control
EMAIL=your@own.email
ACME_DIR=/config/.acme.sh
KEY_PATH=/tmp/gui.letsencrypt.key
FULLCHAIN_PATH=/tmp/gui.letsencrypt.fullchain.pem
RELOAD_CMD=/config/scripts/reload-gui-letsencrypt.sh
if [[ $EUID -ne 0 ]]; then
    echo "Must be root to run the script"
    exit 1
fi
# forget about setting the acme.sh dir during installation, it just does not work for me
# instead I made a symbolic link to permanent storage
mkdir -p "$ACME_DIR"
ln -s "$ACME_DIR" /root/.acme.sh
curl https://get.acme.sh | sh
# If your DNS provider is supported by acme.sh, DNS API integration can simplify the verification process
# I use GoDaddy for example
# Get a production API key on https://developer.godaddy.com/keys
export GD_Key="your GoDaddy API key"
export GD_Secret="secret of API key"
# --keypath/--fullchainpath tell acme.sh where to copy the issued files;
# --reloadcmd runs after every successful issue/renewal
"$ACME_DIR/acme.sh" --issue --dns dns_gd -d "$DOMAIN" \
    --accountemail "$EMAIL" \
    --keypath "$KEY_PATH" \
    --fullchainpath "$FULLCHAIN_PATH" \
    --reloadcmd "$RELOAD_CMD"
#!/bin/bash
# script original path: /config/scripts/reload-gui-letsencrypt.sh
# Load new certificate after renewal
# This script is to be called by acme.sh (via --reloadcmd)
KEY_PATH=/tmp/gui.letsencrypt.key
FULLCHAIN_PATH=/tmp/gui.letsencrypt.fullchain.pem
# keep the previous bundle; lighttpd reads key and chain from one PEM file
mv /etc/lighttpd/server.pem /etc/lighttpd/server.pem.bak
cat "$KEY_PATH" "$FULLCHAIN_PATH" > /etc/lighttpd/server.pem
# restart lighttpd (-r: do not run kill when no pid was found)
ps -e | grep lighttpd | awk '{print $1;}' | xargs -r kill
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
# remove the copies acme.sh left in /tmp so the private key does not linger there
rm -f "$KEY_PATH" "$FULLCHAIN_PATH"
#!/bin/bash
# script original path: /config/scripts/post-config.d/restore-acme.sh-functionality.sh
# Restore symbolic link to acme.sh install dir, cronjob, Let's Encrypt certificate after firmware upgrade
# adapted from Ubiquiti Networks Support and Help Center:
# https://help.ubnt.com/hc/en-us/articles/204961814-EdgeRouter-Are-my-changes-lost-when-I-upgrade-the-firmware-image-
doneit='/var/lib/acme_sh_restored'
# /var/lib does not survive a reboot, so this marker makes the script run once per boot
if [ -e "$doneit" ]; then
    exit 0
fi
DOMAIN=a.domain.under.your.control
ACME_DIR=/config/.acme.sh
# acme.sh keeps the last issued key and chain under its own directory
KEY_PATH="$ACME_DIR/$DOMAIN/$DOMAIN.key"
FULLCHAIN_PATH="$ACME_DIR/$DOMAIN/fullchain.cer"
# restore symbolic link and cronjob
ln -s "$ACME_DIR" /root/
"$ACME_DIR/acme.sh" --installcronjob
# restore certificate
mv /etc/lighttpd/server.pem /etc/lighttpd/server.pem.bak
cat "$KEY_PATH" "$FULLCHAIN_PATH" > /etc/lighttpd/server.pem
# restart lighttpd
ps -e | grep lighttpd | awk '{print $1;}' | xargs -r kill
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
touch "$doneit"
exit 0
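Both the reload script and the post-config restore script concatenate the key and the chain straight into /etc/lighttpd/server.pem and restart lighttpd without checking that the two files belong together or that the daemon actually came back. The script below is an added example, not part of the gist, of the same swap done with a validation step and a rollback. It assumes openssl is present on the router (the key/certificate match is only checked when it is), that the exit status of the restart command reflects whether lighttpd loaded the new bundle, and that the target path and restart command are supplied by the caller; the names validate_bundle, install_bundle and restart_lighttpd are chosen here.

```shell
#!/bin/bash
# Added example (not from the gist): validate a key/fullchain pair before it
# replaces the lighttpd bundle, and roll back if the daemon refuses to start.
# Paths mirror the gist's scripts; the openssl check and the restart-status
# assumption are this example's own.

# validate_bundle KEY CHAIN
# Returns 0 when KEY holds exactly one private key block, CHAIN holds at
# least one certificate and (if openssl exists) the key matches the leaf cert.
validate_bundle() {
  key="$1"; chain="$2"
  [ -s "$key" ] && [ -s "$chain" ] \
    || { echo "validate_bundle: missing or empty input" >&2; return 1; }
  [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$key")" -eq 1 ] \
    || { echo "validate_bundle: key file must contain exactly one private key" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" \
    || { echo "validate_bundle: chain file contains no certificate" >&2; return 1; }
  if command -v openssl >/dev/null 2>&1; then
    # openssl x509 reads the first certificate in the file, i.e. the leaf;
    # compare its SubjectPublicKeyInfo with the one derived from the key
    key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 1
    cert_pub="$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null)" || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
      || { echo "validate_bundle: private key does not match leaf certificate" >&2; return 1; }
  fi
  return 0
}

# install_bundle KEY CHAIN TARGET RESTART_CMD [ARGS...]
# Writes KEY+CHAIN to a temp file beside TARGET, keeps TARGET.bak, swaps the
# new file in with mv, runs RESTART_CMD and restores the backup on failure.
install_bundle() {
  key="$1"; chain="$2"; target="$3"; shift 3
  validate_bundle "$key" "$chain" || return 1
  tmp="$(mktemp "$target.XXXXXX")" || return 1
  cat "$key" "$chain" > "$tmp" || { rm -f "$tmp"; return 1; }
  if [ -e "$target" ]; then
    chmod --reference="$target" "$tmp" 2>/dev/null || true   # keep the live file's mode
    cp -p "$target" "$target.bak" || { rm -f "$tmp"; return 1; }
  fi
  mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
  if ! "$@"; then
    echo "install_bundle: restart failed, restoring previous bundle" >&2
    if [ -e "$target.bak" ]; then
      mv -f "$target.bak" "$target"
      "$@" || true   # best-effort restart with the old bundle
    fi
    return 1
  fi
  return 0
}

# Restart the EdgeOS GUI server the way the gist does (pkill replaces the
# ps|grep|awk|xargs pipeline). Assumption: lighttpd exits non-zero when it
# cannot load the configuration or the PEM file.
restart_lighttpd() {
  pkill -x lighttpd 2>/dev/null || true
  /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
}

# Usage from the reload script (only runs when invoked with --install, so the
# functions above can be sourced or tested without touching the router):
#   reload-gui-letsencrypt.sh --install
case "${1:-}" in
  --install)
    install_bundle /tmp/gui.letsencrypt.key /tmp/gui.letsencrypt.fullchain.pem \
      /etc/lighttpd/server.pem restart_lighttpd \
      && rm -f /tmp/gui.letsencrypt.key /tmp/gui.letsencrypt.fullchain.pem
    ;;
esac
```

With `--reloadcmd "/config/scripts/reload-gui-letsencrypt.sh --install"` acme.sh's hook returns non-zero when the swap was refused or rolled back, so a failed renewal deployment shows up in the acme.sh log instead of silently leaving the GUI without a certificate. The /tmp copies are only removed after a successful install, so the files are still available for inspection when validation fails.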