147
edits
Changes
Jump to navigation
Jump to search
Line 100:
Line 100: + Line 117:
Line 118: − + − + − + + + + + + + + + + + + + + + + + + + + + + Line 137:
Line 159: − /etc/letsencrypt.sh/letsencrypt.sh -c + − − The script will run for a moment and should report success. If it does, look in /etc/letsencrypt.sh/certs/YOURDOMAIN and see if you have your files there. You should see a number of .pem files, at least one .csr file, and five symbolic links (chain.pem, cert.csr, cert.pem, fullchain.pem, and privkey.pem). If you do, congratulations! You've successfully obtained your certificate. − Now you just need to configure your server to use the new certificate:+ − config setprop modSSL crt /etc/letsencrypt.sh/certs/yourdomain.com/cert.pem + − config setprop modSSL key /etc/letsencrypt.sh/certs/yourdomain.com/privkey.pem+ − − signal-event post-upgrade && signal-event reboot
→Installation of Letsencrypt.sh: Added hook script to manage services on cert issuance/renewal
cd /etc
cd /etc
git clone https://github.com/lukas2511/letsencrypt.sh
git clone https://github.com/lukas2511/letsencrypt.sh
mv letsencrypt.sh/letsencrypt.sh /usr/local/bin/
You'll need to create two configuration files for letsencrypt.sh.
You'll need to create two configuration files for letsencrypt.sh.
# config.sh
# config.sh
WELLKNOWN=/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/local/bin/letsencrypt-hook.sh"
# E-mail to use during the registration (default: <unset>)
# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL=admin@yourdomain.com
CONTACT_EMAIL="admin@yourdomain.com"
Ctrl-X to exit, Y to save.
Ctrl-X to exit, Y to save.
You'll need to create a custom "hook" script to set the config database up properly, and to trigger reloads of your system services when a certificate is issued or renewed.
nano /usr/local/bin/letsencrypt-hook.sh
Its contents should look like this:
#!/bin/bash
if [ $1 -eq "deploy_cert" ]; then
KEY = $3
CERT = $4
CHAIN = $5
/sbin/e-smith/db configuration setprop modSSL key $KEY
/sbin/e-smith/db configuration setprop modSSL crt $CERT
# the next line isn't ideal, because letsencrypt.sh passes the path to fullchain.pem and not chain.pem, but it will still work
/sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
/sbin/e-smith/signal-event domain-modify
/sbin/e-smith/signal-event email-update
/sbin/e-smith/signal-event ibay-modify
fi
Ctrl-X to exit, Y to save. Then make it executable:
chmod +x /usr/local/bin/letsencrypt-hook.sh
You'll also need to create a custom template fragment for Apache:
You'll also need to create a custom template fragment for Apache:
Now you're ready to run letsencrypt.sh and get your certificate.
Now you're ready to run letsencrypt.sh and get your certificate.
letsencrypt.sh -c
The script will run for a moment and should report success. If it does, look in /etc/letsencrypt.sh/certs/YOURDOMAIN and see if you have your files there. You should see a number of .pem files, at least one .csr file, and five symbolic links (chain.pem, cert.csr, cert.pem, fullchain.pem, and privkey.pem). If you do, congratulations! You've successfully obtained your certificate. The hook script should have also configured your server to use the new certificate. To make sure, run
config show modSSL
and make sure there are values set for crt, key, and CertificateChainFile.
config setprop modSSL CertificateChainFile /etc/letsencrypt.sh/certs/yourdomain.com/chain.pem
As above, once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.
As above, once you've obtained your certificate and configured your server, test your server with a tool like [https://www.ssllabs.com/ssltest/ SSLLabs.com] to make sure it's working properly.