====SSL-TLS====
TLS is used to secure web services. Certificates were a recurring expense until
Let's Encrypt made free, automatically issued certificates available, which made it
practical to put TLS on every network service.
For some time certbot-auto was the standard client for obtaining and renewing
Let's Encrypt certificates, but it is now obsolete, so here we look at acme.sh,
which (from version 3.0) uses ZeroSSL as its default CA; see Changing issuer below
to switch it to Let's Encrypt.
===Install===
Install the prerequisites, then clone acme.sh and set up a working install with
your valid email address (it is recorded for the CA account). socat is only needed
for acme.sh's standalone listener mode; the scripts below use webroot mode.
sudo apt install git wget socat
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install -m user@example.com
This installs acme.sh into the .acme.sh subdirectory of your home directory. The
account key and every domain's private key and configuration live there, so keep
it readable only by your user and include it in backups. The install also adds
a daily cron job.
Disable the following cron job (crontab -e); it is replaced later by the renew.sh script below.
crontab -l
47 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
Additionally, a line is added to your shell profile, e.g. for tcsh:
source "/home/user/.acme.sh/acme.sh.csh"
The sourced file contains:
setenv LE_WORKING_DIR "/home/user/.acme.sh"
alias acme.sh "/home/user/.acme.sh/acme.sh"
===Issue cert===
Issue a certificate as the logged-in (non-root) user that owns the acme.sh install.
The script uses the http-01 challenge in webroot mode: the web server must already
serve /var/www/htdocs/$VHOST over plain HTTP on port 80, reachable from the Internet
under that hostname, because the CA fetches its token from /.well-known/acme-challenge/
there. This only has to be done once per host, usually before the certificate paths
are referenced in the web server configuration. The installed copies land in
/var/www/ssl/$VHOST, outside the document root; key.pem is written there owned by
your user, so that directory must never be served by the web server and must not be
world-readable.
#! /bin/bash
# issue.sh - first-time issue of a certificate for one virtual host.
# Run as the unprivileged user that owns ~/.acme.sh, not as root.
if test "$(id -u)" -eq 0; then
    echo "run as user"
    exit 1
fi
if test $# -ne 1; then
    echo "missing vhost"
    exit 1
fi
VHOST="$1"
ME="$(id -un)"
MYGROUP="$(id -gn)"   # bash does not set $GROUP (tcsh does); derive it from id
# The http-01 token is served from <webroot>/.well-known/acme-challenge/
sudo mkdir -p "/var/www/htdocs/$VHOST/.well-known/acme-challenge"
sudo chown -R "$ME:$MYGROUP" "/var/www/htdocs/$VHOST/.well-known"
export LE_WORKING_DIR="$HOME/.acme.sh"
"$HOME/.acme.sh/acme.sh" --force --issue -d "$VHOST" -w "/var/www/htdocs/$VHOST" -k 2048 || exit 1
# Copies for the web server live outside the document root
sudo mkdir -p /var/www/ssl
sudo chown 0:0 /var/www/ssl
sudo mkdir -p "/var/www/ssl/$VHOST"
sudo chown -R "$ME:$MYGROUP" "/var/www/ssl/$VHOST"
"$HOME/.acme.sh/acme.sh" --install-cert --domain "$VHOST" \
    --cert-file "/var/www/ssl/$VHOST/cert.pem" \
    --key-file "/var/www/ssl/$VHOST/key.pem" \
    --ca-file "/var/www/ssl/$VHOST/ca.pem" \
    --fullchain-file "/var/www/ssl/$VHOST/fullchain.pem"
exit 0
===Renew certs ===
This process should be run once per month or every two months to renew all certificates;
ZeroSSL and Let's Encrypt both issue 90-day certificates. Because the script passes
--force, acme.sh renews unconditionally instead of applying its usual 60-day age check,
so every run issues a new certificate; running it more often than the cron entry below
wastes issuance quota (Let's Encrypt limits duplicate certificates to 5 per week). It can
also renew a single certificate if the virtual host is given as argument. The server
process only reads the certificate and key at start-up, so it needs a reload signal afterwards.
#! /bin/bash
# renew.sh - renew all certificates, or one if a vhost is given,
# then tell the web server to reload the new files.
if test "$(id -u)" -eq 0; then
    echo "run as user"
    exit 1
fi
ME="$(id -un)"
MYGROUP="$(id -gn)"   # bash does not set $GROUP; derive it from id
# acme.sh writes challenge tokens into every vhost's .well-known as this user
sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R "$ME:$MYGROUP" {} \;
export LE_WORKING_DIR="$HOME/.acme.sh"
if test $# -ne 1; then
    # spread load on the CA: wait 10-49 seconds before renewing everything
    sleep $(( (RANDOM % 40) + 10 ))
    "$HOME/.acme.sh/acme.sh" --renew-all --force
else
    VHOST="$1"
    "$HOME/.acme.sh/acme.sh" --renew -d "$VHOST" --force
fi
# Reload (not restart) so the master process re-reads cert and key. Alternatives:
#sudo kill -HUP `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'`
#sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'`
sudo /etc/init.d/nginx reload
exit 0
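The scripts above copy files but never check what they produced. The following script is an added example, not part of acme.sh or of the original page: it verifies one /var/www/ssl/<vhost> directory after an issue or renew, checking that key.pem matches cert.pem, that the certificate is not about to expire, that ca.pem really is the issuer, that fullchain.pem starts with the leaf, and that key.pem is not group- or world-readable. It needs only openssl; the file names are those used by issue.sh above, and the 30-day default is an assumption.

```shell
#!/bin/bash
# check_cert.sh - verify what issue.sh / renew.sh left in /var/www/ssl/<vhost>
# Added example (not acme.sh code). Assumes the file names used on this page:
#   DIR/cert.pem  DIR/key.pem  DIR/ca.pem  DIR/fullchain.pem
# Usage: check_cert.sh /var/www/ssl/www.example.com [min_days]

# The public key in the certificate must equal the public key derived from key.pem
# (catches a key.pem copied from the wrong host or left over from an old issue).
key_matches_cert() {
    local cert="$1" key="$2" a b
    a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The certificate must still be valid $2 days from now (0 = merely not expired).
cert_valid_for_days() {
    local cert="$1" days="${2:-0}"
    openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# cert.pem must be issued by the certificate(s) in ca.pem;
# -partial_chain lets an intermediate in ca.pem serve as the trust anchor.
cert_issued_by() {
    local cert="$1" ca="$2"
    openssl verify -partial_chain -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# The private key must carry no group or other permission bits
# (columns 5-10 of ls -l are "------").
key_mode_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check on one directory, print each failure, return 1 if any failed.
check_cert() {
    local dir="$1" min_days="${2:-30}" rc=0 f
    for f in cert.pem key.pem ca.pem fullchain.pem; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    key_matches_cert "$dir/cert.pem" "$dir/key.pem" \
        || { echo "key.pem does not match cert.pem"; rc=1; }
    cert_valid_for_days "$dir/cert.pem" "$min_days" \
        || { echo "cert.pem expires within $min_days days"; rc=1; }
    cert_issued_by "$dir/cert.pem" "$dir/ca.pem" \
        || { echo "cert.pem is not issued by ca.pem"; rc=1; }
    key_mode_private "$dir/key.pem" \
        || { echo "key.pem is readable by group or others"; rc=1; }
    # fullchain.pem is what the server sends; its first certificate must be the leaf
    [ "$(openssl x509 -in "$dir/fullchain.pem" -noout -fingerprint -sha256 2>/dev/null)" = \
      "$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256 2>/dev/null)" ] \
        || { echo "fullchain.pem does not start with cert.pem"; rc=1; }
    return "$rc"
}

if [ $# -ge 1 ]; then
    check_cert "$1" "${2:-30}" && echo "$1: ok"
else
    echo "usage: $0 /var/www/ssl/<vhost> [min_days]" >&2
fi
```

Call it from renew.sh after the reload, or from the cron entry, so a failed renewal or a mismatched copy is noticed while the old certificate is still valid rather than when clients start failing.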
===Remove cert===
acme.sh --remove only takes the host out of the renewal list; nothing is revoked at
the CA. If the private key may have been exposed, run acme.sh --revoke -d $VHOST
before removing. The script then deletes the local state under ~/.acme.sh and the
installed copies.
#! /bin/bash
# remove.sh - stop renewing a certificate and delete its local copies
if test "$(id -u)" -eq 0; then
    echo "run as user"
    exit 1
fi
if test $# -ne 1; then
    echo "missing vhost"
    exit 1
fi
VHOST="$1"
export LE_WORKING_DIR="$HOME/.acme.sh"
# --remove only unregisters the domain from renewal; it does not revoke
"$HOME/.acme.sh/acme.sh" --remove -d "$VHOST"
# acme.sh leaves the domain directory (and <vhost>_ecc for ECC certs) behind
rm -Rf "$HOME/.acme.sh/$VHOST"*
sudo rm -Rf "/var/www/ssl/$VHOST"
exit 0
===Cron===
Run renew.sh at midnight on the 2nd of each month. Its output is discarded, so when a
renewal fails check ~/.acme.sh/acme.sh.log (acme.sh logs there by default after
--install) or run the script by hand.
# m h dom mon dow command
0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
===Changing issuer===
--set-default-ca only affects certificates issued afterwards. A certificate that already
exists remembers the server it was issued from and keeps renewing there until it is
re-issued with acme.sh --issue ... --server <ca>.
==Let's Encrypt==
acme.sh --set-default-ca --server letsencrypt
==ZeroSSL==
acme.sh --set-default-ca --server zerossl
===Other===
After issuing, and again after each renewal, fullchain.pem and key.pem may be
copied and used by both exim and dovecot. Copy them to a directory the web user
cannot write, for example /etc/exim4/ssl, rather than pointing the mail daemons at
/var/www/ssl. Exim needs read permission for the exim user (Debian-exim on Debian),
so the key should be owned by root and group-readable by that user only; dovecot
reads the key as root before dropping privileges and needs nothing extra. Reload
both daemons after each copy.
For example, fullchain and key are copied into /etc/exim4/ssl as certificate.pem and privatekey.pem:
==Exim4==
tls_certificate = /etc/exim4/ssl/certificate.pem
tls_privatekey = /etc/exim4/ssl/privatekey.pem
==Dovecot==
Dovecot's ssl_cert and ssl_key take a leading < to read the file; pointing at the same copies:
ssl_cert = </etc/exim4/ssl/certificate.pem
ssl_key = </etc/exim4/ssl/privatekey.pem
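As an added example (not the page's own script and not part of acme.sh), a small deploy script for the copy step above. It assumes the paths and file names of the exim configuration above, that the exim user's group is Debian-exim (the Debian default), and that the daemons are reloaded with systemctl reload exim4 and systemctl reload dovecot; adjust those for another distribution. Each file is written under a temporary name and renamed into place so a daemon never opens a half-written file, the chain is installed world-readable and the key with mode 0640 so only root and the mail group can read it. Run it with sudo when deploying for real; the functions themselves also work unprivileged with your own group.

```shell
#!/bin/bash
# deploy_mail_cert.sh - copy fullchain/key from /var/www/ssl/<vhost> for exim and dovecot
# Added example. Assumptions: destination /etc/exim4/ssl and the file names
# certificate.pem / privatekey.pem from the exim configuration above, group
# "Debian-exim" for the exim user, and systemd units named exim4 and dovecot.
# Usage: sudo deploy_mail_cert.sh www.example.com

# Install one file with explicit group and mode: write to a temporary name in the
# same directory, then rename over the target, so a reader never sees a partial file.
install_private() {          # src dst group mode
    local src="$1" dst="$2" group="$3" mode="$4" tmp
    tmp="$dst.tmp.$$"
    install -m "$mode" -g "$group" "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dst"
}

# Copy the pair: the chain is public (0644), the key is readable only by the owner
# and the mail group (0640). Returns 1 on any failure, leaving the old files in place.
deploy_mail_cert() {         # src_dir dst_dir group
    local src="$1" dst="$2" group="$3"
    { [ -r "$src/fullchain.pem" ] && [ -r "$src/key.pem" ]; } \
        || { echo "missing fullchain.pem or key.pem in $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    install_private "$src/fullchain.pem" "$dst/certificate.pem" "$group" 0644 || return 1
    install_private "$src/key.pem" "$dst/privatekey.pem" "$group" 0640 || return 1
}

# dovecot reads the files at start-up and exim may pre-load them, so reload both
# (unit names are an assumption; the page itself uses /etc/init.d/<svc> reload).
reload_mail_services() {
    sudo systemctl reload exim4 && sudo systemctl reload dovecot
}

if [ $# -ge 1 ]; then
    deploy_mail_cert "/var/www/ssl/$1" /etc/exim4/ssl Debian-exim && reload_mail_services
else
    echo "usage: $0 <vhost>" >&2
fi
```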
===Resources===
[[https://github.com/acmesh-official/acme.sh|acme.sh on github]]