Differences

tools:ssl [2022/06/25 12:25] darron → tools:ssl [2024/07/17 12:03] (current) – [Issue cert] darron
Line 27: Line 27:
 a daily cron job. a daily cron job.
  
-This cron job will be replaced later.+Disable the following cron job which will be replaced later by a different script.
  
 <code> <code>
Line 34: Line 34:
 </code> </code>
  
-Additionally, a line is to the shell profile, eg. for TCSH:+Additionally, a line is added to your shell profile, eg. for TCSH:
  
 <code> <code>
Line 40: Line 40:
 </code> </code>
  
-The source contains+The source file included contains the following
 <code> <code>
 setenv LE_WORKING_DIR "/home/user/.acme.sh" setenv LE_WORKING_DIR "/home/user/.acme.sh"
Line 55: Line 55:
  
 # issue.sh # issue.sh
 +ID=`id -u` 
 +if test "$ID" -eq 0; then 
 +        echo "run as user" 
 +        exit 1 
 +fi
 if test $# -ne 1; then if test $# -ne 1; then
         echo "missing vhost"         echo "missing vhost"
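Review bot: the new root guard in issue.sh prints `echo "run as user"` to stdout; send it to stderr (`echo "run as user" >&2`) so the message survives the `1>/dev/null` redirection the cron examples on this page use, and consider `exit 1` with a message that names the script. The same five-line guard is pasted into issue.sh, renew.sh and remove.sh in this revision, so it is a candidate for one sourced helper, and `ID=\`id -u\`` reads better as `ID=$(id -u)`.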
Line 63: Line 67:
  
 sudo mkdir -p /var/www/htdocs/$VHOST/.well-known/acme-challenge sudo mkdir -p /var/www/htdocs/$VHOST/.well-known/acme-challenge
-sudo chown -R $USER:$USER /var/www/htdocs/$VHOST/.well-known+sudo chown -R $USER:$GROUP /var/www/htdocs/$VHOST/.well-known
  
 export LE_WORKING_DIR="$HOME/.acme.sh" export LE_WORKING_DIR="$HOME/.acme.sh"
-$HOME/.acme.sh/acme.sh --issue -d $VHOST -w /var/www/htdocs/$VHOST+$HOME/.acme.sh/acme.sh --force --issue -d $VHOST -w /var/www/htdocs/$VHOST -k 2048
  
 sudo mkdir -p /var/www/ssl sudo mkdir -p /var/www/ssl
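Review bot: `--force` on the `--issue` line makes acme.sh re-issue the certificate on every run even when the existing one is not due, so repeated runs of issue.sh for the same $VHOST will count against the CA's duplicate-certificate rate limit; drop `--force` unless the intent is to override the not-due check, and say so in the text if it stays. `-k 2048` pins an RSA 2048 key, which is acceptable but worth one sentence, since acme.sh otherwise chooses its own default key type. The chown now uses `$USER:$GROUP`, and `$GROUP` is set by tcsh but not by bash, which is the interpreter remove.sh below declares with `#! /bin/bash`; define it in the script (for example `GROUP=$(id -gn)`), otherwise the target expands to `$USER:` and silently relies on chown's login-group fallback. `$VHOST` is unquoted on every line here; quote it (`-d "$VHOST"`, `-w "/var/www/htdocs/$VHOST"`) so a malformed argument cannot split into extra arguments.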
Line 72: Line 76:
  
 sudo mkdir -p /var/www/ssl/$VHOST sudo mkdir -p /var/www/ssl/$VHOST
-sudo chown -R $USER:$USER /var/www/ssl/$VHOST+sudo chown -R $USER:$GROUP /var/www/ssl/$VHOST
  
 $HOME/.acme.sh/acme.sh --install-cert --domain $VHOST --cert-file /var/www/ssl/$VHOST/cert.pem --key-file /var/www/ssl/$VHOST/key.pem --ca-file /var/www/ssl/$VHOST/ca.pem --fullchain-file /var/www/ssl/$VHOST/fullchain.pem $HOME/.acme.sh/acme.sh --install-cert --domain $VHOST --cert-file /var/www/ssl/$VHOST/cert.pem --key-file /var/www/ssl/$VHOST/key.pem --ca-file /var/www/ssl/$VHOST/ca.pem --fullchain-file /var/www/ssl/$VHOST/fullchain.pem
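Review bot: after `sudo chown -R $USER:$GROUP /var/www/ssl/$VHOST` the directory that receives key.pem is owned by the unprivileged user and sits under /var/www; the text should state the expected mode of key.pem (owner-read only) and that /var/www/ssl is outside every vhost document root, since the web servers are reloaded from this tree later on the page and a misplaced key would be served. The long `--install-cert` line is unchanged in this hunk but has the same unquoted `$VHOST` as issue.sh above.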
Line 81: Line 85:
 ===Renew certs === ===Renew certs ===
  
-This process should be run once per month to update all certificates. It can also be used+This process should be run once per month or every two months to update all certificates. It can also be used
 to update single certificate if the virtual host is specified. The server process needs a signal to reload the files. to update single certificate if the virtual host is specified. The server process needs a signal to reload the files.
  
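Review bot: "once per month or every two months" loosens the schedule; with 90-day certificates an every-two-months run leaves no margin for a single failed run before expiry, whereas a monthly run costs nothing because acme.sh's renew skips certificates that are not yet due unless forced. Suggest keeping "once per month" and adding that not-yet-due certificates are skipped, so the reader does not add `--force` to renew.sh for the same reason it was added to issue.sh.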
Line 88: Line 92:
  
 # renew.sh # renew.sh
 +ID=`id -u`
 +if test "$ID" -eq 0; then
 +        echo "run as user"
 +        exit 1
 +fi
  
-sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$USER {} \;+sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$GROUP {} \;
  
 export LE_WORKING_DIR="$HOME/.acme.sh" export LE_WORKING_DIR="$HOME/.acme.sh"
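Review bot: `sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$GROUP {} \;` recursively chowns every .well-known directory under /var/www/htdocs to the invoking user, including ones belonging to vhosts this user does not manage; either scope it to the vhosts acme.sh knows about or document that the host is single-tenant. Same `$GROUP` caveat as in issue.sh: bash does not define it, so set it explicitly in the script.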
Line 102: Line 111:
 #sudo kill -HUP  `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'` #sudo kill -HUP  `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'`
 #sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'` #sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'`
- 
 sudo /etc/init.d/nginx reload sudo /etc/init.d/nginx reload
 +
 +exit 0
 +</code>
 +
 +Eg.
 +<code>
 +0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
 +</code>
 +===Remove cert===
 +
 +<code>
 +#! /bin/bash
 +
 +# remove.sh
 +ID=`id -u`
 +if test "$ID" -eq 0; then
 +        echo "run as user"
 +        exit 1
 +fi
 +if test $# -ne 1; then
 +        echo "missing vhost"
 +        exit 1
 +fi
 +VHOST=$1
 +
 +export LE_WORKING_DIR="$HOME/.acme.sh"
 +$HOME/.acme.sh/acme.sh --remove -d $VHOST
 +
 +rm -Rf $HOME/.acme.sh/$VHOST*
 +sudo rm -Rf /var/www/ssl/$VHOST
  
 exit 0 exit 0
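Review bot: in remove.sh, `rm -Rf $HOME/.acme.sh/$VHOST*` is unsafe as written: the `$# -ne 1` check accepts an empty argument (`remove.sh ""`), which expands the line to `rm -Rf $HOME/.acme.sh/*` and deletes the whole acme.sh directory including the account key and acme.sh itself, and the trailing glob also removes sibling entries that merely share the prefix (example.com would take example.com.au with it). Add `test -n "$VHOST" || exit 1`, quote the path, and name the exact directories acme.sh creates (`"$HOME/.acme.sh/$VHOST"` and `"$HOME/.acme.sh/${VHOST}_ecc"`) instead of `$VHOST*`; `sudo rm -Rf /var/www/ssl/$VHOST` wants the same treatment. A sentence that `acme.sh --remove` only drops the certificate from acme.sh's list and leaves its files in place would explain why the rm lines follow it. The "Eg." cron block added here is correct, but note it duplicates the cron lines that remain at the end of the page after this change.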
Line 113: Line 151:
 # m h dom mon dow command # m h dom mon dow command
 0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null 0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
 +</code>
 +
 +===Changing issuer====
 +
 +==Let's encrypt==
 +<code>
 +acme.sh --set-default-ca --server letsencrypt
 +</code>
 +
 +==zerossl==
 +
 +<code>
 +acme.sh --set-default-ca --server zerossl
 +</code>
 +
 +===Other===
 +
 +After issuing and later renewing certificates fullchain.pem and key.pem may be
 +copied and utilised by both exim and dovecot. Exim will
 +need read permission for the exim user.
 +
 +For example, fullchain and key are copied into /etc/exim4/ssl
 +
 +==Exim4==
 +
 +<code>
 +tls_certificate = /etc/exim4/ssl/certificate.pem
 +tls_privatekey  = /etc/exim4/ssl/privatekey.pem
 +</code>
 +
 +==Dovecot==
 +
 +<code>
 +ssl_cert = </etc/exim4/ssl/certificate.pem
 +ssl_key = </etc/exim4/ssl/privatekey.pem
 </code> </code>
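Review bot: the unchanged context lines `# m h dom mon dow command` and `0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null` now sit inside the remove.sh code block (after its `exit 0` and before the `</code>` added in this hunk), left over from when the cron example lived inside the renew block; delete them, since the "Eg." block added above the Remove cert section already carries that entry. `===Changing issuer====` has three equals on the left and four on the right; make both sides `===` to match `===Remove cert===` and `===Other===`. The bare `acme.sh --set-default-ca` commands assume acme.sh is on PATH, while every script on the page calls `$HOME/.acme.sh/acme.sh`; use one form. In the Other section the prose says fullchain.pem and key.pem are copied into /etc/exim4/ssl, but the exim and dovecot snippets reference certificate.pem and privatekey.pem, so state the rename or use the same names, and "Exim will need read permission for the exim user" should say that privatekey.pem must be readable only by the exim user (and the dovecot user, which reads the same file from the exim4 path) and never world-readable; a sentence that dovecot deliberately points into /etc/exim4/ssl would also stop it reading like a copy-paste slip.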