====== Let's Encrypt using the Dehydrated ACME client ======
===== Create a config file that sets the contact e-mail address sent to Let's Encrypt =====
root@wrkm-www:/etc/dehydrated# cat /etc/dehydrated/conf.d/example.sh
# E-mail to use during the registration (default: )
# The address below is a placeholder; replace it with a real mailbox.
CONTACT_EMAIL=hostmaster@domain.example
===== Specify which domains to fetch certificates for =====
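/etc/dehydrated/domains.txt (one certificate per line: the first name is the certificate's primary name, the remaining names on the line are added as alternative names)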
domain.example sub.domain.example
domain.example2 sub.domain.example2 sub2.example2
===== Modify the example hook.sh script for actions to be taken after cert renewal =====
Here is an example that reloads Apache when certificates are updated and mails root at the challenge and deploy steps:
--- /usr/share/doc/dehydrated/examples/hook.sh 2018-04-25 23:22:40.000000000 +0200
+++ hook.sh 2019-08-20 07:53:59.533678877 +0200
@@ -22,6 +22,9 @@
# Simple example: Use nsupdate with local named
# printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
+
+ # Send mail when we are trying to update certificate
+ echo | mail root -s "Dehydrated deploy_challenge certificate ${DOMAIN}"
}
clean_challenge() {
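Review bot: The added `mail` call is the last command in `deploy_challenge`, so its exit status presumably becomes the hook's status for this step, and a missing or failing MTA could then abort issuance even though the challenge was deployed. Make the notification best-effort and put `-s` before the recipient, the order POSIX mailx documents: `echo | mail -s "Dehydrated deploy_challenge certificate ${DOMAIN}" root || true`. The subject rightly carries only `${DOMAIN}`; a comment such as `# never include TOKEN_VALUE in the mail` would keep it that way. The function begins above the hunk, so where `DOMAIN` is assigned is not visible here; the same mail pattern is added in the second hunk.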
@@ -62,6 +65,12 @@
# Simple example: Copy file to nginx config
# cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
# systemctl reload nginx
+
+ # Reload apache server when certificate(s) has been updated
+ /bin/systemctl reload apache2
+
+ # Send mail when we have succeeded with updating certificate
+ echo | mail root -s "Dehydrated deploy_cert certificate ${DOMAIN}"
}
deploy_ocsp() {
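Review bot: The result of `/bin/systemctl reload apache2` is never checked, so the "deploy_cert" mail that follows is sent, and the function returns mail's status, even when Apache rejected the reload and is presumably still serving the old certificate. Guard the reload and report the failure instead, e.g. `if ! /bin/systemctl reload apache2; then echo | mail -s "Dehydrated: apache2 reload failed for ${DOMAIN}" root; return 1; fi`, and send the success mail only after that. `deploy_cert` begins above the hunk, so this assumes nothing earlier in the function already handles the reload.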
===== Create script to be run by cron every day =====
/etc/cron.daily/dehydrated
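#!/bin/sh
# Try to renew Let's Encrypt certificates.
#
# Runs dehydrated in cron mode (-c) with the local hook script and mails
# root when it exits non-zero. The client's stdout is captured rather than
# discarded so the failure mail carries the output needed to diagnose the
# problem; on success the output is dropped, as before. stderr is left
# untouched, so cron still reports it the usual way.
set -u

# Unpredictable temp file for the captured output, removed on every exit path.
log=$(mktemp) || exit 1
trap 'rm -f -- "$log"' EXIT

/usr/bin/dehydrated -c --hook /etc/dehydrated/hook.sh >"$log"
code=$?

if [ "$code" -ne 0 ]; then
  # -s precedes the recipient: that is the option order POSIX mailx defines.
  # The leading line keeps the body non-empty even if nothing was captured.
  {
    printf 'dehydrated -c exited with status %s; captured stdout follows.\n\n' "$code"
    cat -- "$log"
  } | mail -s "Dehydrated exited with non-zero status code ${code}" root
fi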