Setup Let's Encrypt for GUI on EdgeRouter X using DNS-01 challenge
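#!/bin/bash
# script original path: /config/scripts/setup-letsencrypt.sh
# Setup Let's Encrypt for GUI (works for me)
# tested on EdgeRouter X (v1.9.1), logged in as root
# only need to be run once after reset or firmware upgrade
# I chose acme.sh (https://github.com/Neilpang/acme.sh) to handle the certificate issuing process
# using DNS-01 challenge to verify my domain
#
# Required environment (kept out of this file so the script can live in /config
# and be shared without carrying credentials):
#   GD_Key    - GoDaddy production API key  (https://developer.godaddy.com/keys)
#   GD_Secret - secret belonging to GD_Key
set -euo pipefail

DOMAIN=a.domain.under.your.control
EMAIL=your@own.email
ACME_DIR=/config/.acme.sh
# acme.sh copies the issued key and chain here and the reload script deletes
# them again. /tmp is world-readable, so the copies should only exist for the
# short hand-over between issue/renew and reload.
KEY_PATH=/tmp/gui.letsencrypt.key
FULLCHAIN_PATH=/tmp/gui.letsencrypt.fullchain.pem
RELOAD_CMD=/config/scripts/reload-gui-letsencrypt.sh

if [[ $EUID -ne 0 ]]; then
  echo "Must be root to run the script" >&2
  exit 1
fi

# Fail before anything is installed if the DNS API credentials are missing.
# They are exported (not assigned here) so they never end up in the script,
# in `set -x` traces or in a copy of this file.
: "${GD_Key:?set GD_Key (GoDaddy API key) in the environment}"
: "${GD_Secret:?set GD_Secret (GoDaddy API secret) in the environment}"
export GD_Key GD_Secret

# Setting the acme.sh dir during installation did not work for me,
# so instead I point ~/.acme.sh at permanent storage with a symbolic link.
# -sfn makes this step idempotent: an existing link is replaced instead of
# `ln` failing on a second run.
mkdir -p -- "$ACME_DIR"
ln -sfn -- "$ACME_DIR" /root/.acme.sh

# -f: a failed download gives a non-zero status instead of an empty body being
# handed to sh; together with pipefail that aborts the script.
# NOTE: this still runs whatever the remote host serves. If that matters in
# your environment, download the installer, review it, then run it.
curl -fsSL https://get.acme.sh | sh

# If your DNS provider is supported by acme.sh, DNS API integration can simplify the verification process
# I use GoDaddy for example
"$ACME_DIR/acme.sh" --issue --dns dns_gd -d "$DOMAIN" \
  --accountemail "$EMAIL" \
  --keypath "$KEY_PATH" \
  --fullchainpath "$FULLCHAIN_PATH" \
  --reloadcmd "$RELOAD_CMD"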
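#!/bin/bash
# script original path: /config/scripts/reload-gui-letsencrypt.sh
# Load new certificate after renewal
# This script is to be called by acme.sh (--reloadcmd) after every issue/renew
set -euo pipefail

KEY_PATH=/tmp/gui.letsencrypt.key
FULLCHAIN_PATH=/tmp/gui.letsencrypt.fullchain.pem
PEM=/etc/lighttpd/server.pem

# Refuse to touch the running configuration if acme.sh did not deliver both files;
# the old script would have moved the working pem away and then written a broken one.
for f in "$KEY_PATH" "$FULLCHAIN_PATH"; do
  if [[ ! -s "$f" ]]; then
    echo "reload-gui-letsencrypt: missing or empty $f" >&2
    exit 1
  fi
done

# Assemble the new pem next to the old one and swap it in with mv, so lighttpd
# never sees a half-written file and the previous pem survives as .bak.
# The pem contains the private key, so it gets 0600 instead of whatever the
# umask happens to produce (0644 with the default umask).
# NOTE(review): assumes lighttpd reads server.pem while still running as root
# (before any server.username privilege drop) - confirm on this firmware.
tmp=$(mktemp "$PEM.XXXXXX")
trap 'rm -f -- "$tmp"' EXIT
cat -- "$KEY_PATH" "$FULLCHAIN_PATH" > "$tmp"
chmod 600 -- "$tmp"
if [[ -e "$PEM" ]]; then
  cp -p -- "$PEM" "$PEM.bak"
fi
mv -f -- "$tmp" "$PEM"

# restart lighttpd
# pkill -x matches the process name exactly, so unlike `ps | grep` it cannot
# hit the grep itself or an unrelated command line that mentions lighttpd.
# `|| true`: no running instance is not an error.
pkill -x lighttpd || true
# give the old instance a moment to exit and release its port before starting the new one
for _ in 1 2 3 4 5; do
  pgrep -x lighttpd >/dev/null || break
  sleep 1
done
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

# the key and chain were copied to /tmp only for this hand-over
rm -f -- "$KEY_PATH" "$FULLCHAIN_PATH"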
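#!/bin/bash
# script original path: /config/scripts/post-config.d/restore-acme.sh-functionality.sh
# Restore symbolic link to acme.sh install dir, cronjob, Let's Encrypt certificate after firmware upgrade
# adapted from Ubiquiti Networks Support and Help Center:
# https://help.ubnt.com/hc/en-us/articles/204961814-EdgeRouter-Are-my-changes-lost-when-I-upgrade-the-firmware-image-
set -euo pipefail

# marker outside /config: it does not survive the firmware upgrade, so the
# restore runs once per new image and is skipped on every later boot
doneit='/var/lib/acme_sh_restored'
if [[ -e "$doneit" ]]; then
  exit 0
fi

DOMAIN=a.domain.under.your.control
ACME_DIR=/config/.acme.sh
KEY_PATH=$ACME_DIR/$DOMAIN/$DOMAIN.key
FULLCHAIN_PATH=$ACME_DIR/$DOMAIN/fullchain.cer
PEM=/etc/lighttpd/server.pem

# nothing to restore without an existing acme.sh install and an issued certificate;
# bail out before the working pem is touched
for f in "$ACME_DIR/acme.sh" "$KEY_PATH" "$FULLCHAIN_PATH"; do
  if [[ ! -s "$f" ]]; then
    echo "restore-acme.sh: missing $f, not restoring" >&2
    exit 1
  fi
done

# restore cronjob (the link makes ~/.acme.sh point at permanent storage again);
# -sfn replaces a stale link instead of failing on it
ln -sfn -- "$ACME_DIR" /root/.acme.sh
"$ACME_DIR/acme.sh" --installcronjob

# restore certificate: assemble in a temp file and swap in atomically, keeping
# the previous pem as .bak; 0600 because the pem contains the private key.
# NOTE(review): assumes lighttpd reads server.pem while still running as root
# (before any server.username privilege drop) - confirm on this firmware.
tmp=$(mktemp "$PEM.XXXXXX")
trap 'rm -f -- "$tmp"' EXIT
cat -- "$KEY_PATH" "$FULLCHAIN_PATH" > "$tmp"
chmod 600 -- "$tmp"
if [[ -e "$PEM" ]]; then
  cp -p -- "$PEM" "$PEM.bak"
fi
mv -f -- "$tmp" "$PEM"

# restart lighttpd
# pkill -x matches the process name exactly (no risk of killing the grep or
# another command mentioning lighttpd); `|| true` tolerates no running instance
pkill -x lighttpd || true
for _ in 1 2 3 4 5; do
  pgrep -x lighttpd >/dev/null || break
  sleep 1
done
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

touch -- "$doneit"
exit 0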