
Let's Encrypt using the Dehydrated ACME client

Create a config file that sets the contact e-mail sent to Let's Encrypt

root@wrkm-www:/etc/dehydrated# cat /etc/dehydrated/conf.d/example.sh

# Contact address registered with the ACME account during registration
# (default: <unset>). Files in conf.d are sourced by dehydrated as shell
# code, so keep this file writable by root only.
CONTACT_EMAIL='hostmaster@domain.example'

Specify which domains to fetch certificates for

/etc/dehydrated/domains.txt

domain.example sub.domain.example
domain.example2 sub.domain.example2 sub2.example2

Modify the example hook.sh script to add the actions to be taken after a certificate renewal

Here is an example that reloads Apache when certificates are updated

--- /usr/share/doc/dehydrated/examples/hook.sh  2018-04-25 23:22:40.000000000 +0200
+++ hook.sh     2019-08-20 07:53:59.533678877 +0200
@@ -22,6 +22,9 @@
 
     # Simple example: Use nsupdate with local named
     # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
+
+    # Send mail when we are trying to update certificate
+    echo | mail root -s "Dehydrated deploy_challenge certificate ${DOMAIN}"
 }
 
 clean_challenge() {
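Review bot: The added `echo | mail root -s "Dehydrated deploy_challenge certificate ${DOMAIN}"` is the last command before the closing brace, so deploy_challenge's exit status becomes the exit status of `mail`; on a host with no MTA configured a failed notification is then indistinguishable to dehydrated from a failed challenge deployment, and how dehydrated reacts to a non-zero hook status is not visible here. If the mail is meant to be informational only, make that explicit: `echo | mail root -s "Dehydrated deploy_challenge certificate ${DOMAIN}" || true  # notification is best-effort`. deploy_challenge begins outside the hunk, so any `set -e` at the top of hook.sh cannot be checked from this view.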
@@ -62,6 +65,12 @@
     # Simple example: Copy file to nginx config
     # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
     # systemctl reload nginx
+
+    # Reload apache server when certificate(s) has been updated
+    /bin/systemctl reload apache2
+
+    # Send mail when we have succeeded with updating certificate
+    echo | mail root -s "Dehydrated deploy_cert certificate ${DOMAIN}"
 }
 
 deploy_ocsp() {
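Review bot: The exit status of `/bin/systemctl reload apache2` is never checked, so when the reload fails (bad vhost config, service not running) the hook still sends the "succeeded" mail on the next added line and Apache keeps serving the old certificate until it expires unnoticed. Tie the success mail to the reload and report the failure instead: `/bin/systemctl reload apache2 || { echo | mail root -s "Dehydrated deploy_cert: apache2 reload FAILED for ${DOMAIN}"; return 1; }`. A brief comment that the reload is required for the new certificate to be served would help the next editor see why the check matters. deploy_cert begins outside the hunk.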

Create a script to be run by cron every day

/etc/cron.daily/dehydrated

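#!/bin/sh

# Try to renew Let's Encrypt certificates.
#
# Runs dehydrated in cron mode (-c) with the site hook script. Its stdout
# is captured to a temp file and mailed to root together with the exit
# code when dehydrated fails, so the notification itself shows which
# domain or challenge went wrong. stderr is left alone so cron keeps
# mailing it as before. On success the captured output is discarded.

set -u

dehydrated=/usr/bin/dehydrated
hook=/etc/dehydrated/hook.sh

# Capture stdout instead of sending it to /dev/null; previously the
# failure mail had an empty body and the transcript was lost.
out=$(mktemp) || exit 1
trap 'rm -f -- "$out"' EXIT

"$dehydrated" -c --hook "$hook" > "$out"
code=$?

if [ "$code" -ne 0 ]; then
    # Prefix the transcript with the status so the body is never empty.
    {
        printf 'dehydrated -c exited with status %s\n\n' "$code"
        cat -- "$out"
    } | mail root -s "Dehydrated exited with non-zero status code ${code}"
fi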