tools:ssl [2022/06/25 12:26] – [Renew certs] darron → tools:ssl [2024/07/17 12:03] (current) – [Issue cert] darron
Line 27: Line 27:
 a daily cron job. a daily cron job.
  
-This cron job will be replaced later.+Disable the following cron job which will be replaced later by a different script.
  
 <code> <code>
Line 34: Line 34:
 </code> </code>
  
-Additionally, a line is to the shell profile, eg. for TCSH:+Additionally, a line is added to your shell profile, eg. for TCSH:
  
 <code> <code>
Line 40: Line 40:
 </code> </code>
  
-The source contains+The source file included contains the following
 <code> <code>
 setenv LE_WORKING_DIR "/home/user/.acme.sh" setenv LE_WORKING_DIR "/home/user/.acme.sh"
Line 55: Line 55:
  
 # issue.sh # issue.sh
 +ID=`id -u` 
 +if test "$ID" -eq 0; then 
 +        echo "run as user" 
 +        exit 1 
 +fi
 if test $# -ne 1; then if test $# -ne 1; then
         echo "missing vhost"         echo "missing vhost"
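Review bot: The new root check captures `id -u` with backticks and prints its diagnostic on stdout; `ID=$(id -u)` nests and reads more cleanly, and `echo "run as user" >&2` keeps the message off stdout so a caller that redirects output (the cron line on this page sends stdout to /dev/null) still sees why the script stopped. The same five-line block is added in the renew.sh hunk (Line 88) and in the new remove.sh (Line 102); change it in all three places. The rest of issue.sh lies outside this hunk.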
Line 63: Line 67:
  
 sudo mkdir -p /var/www/htdocs/$VHOST/.well-known/acme-challenge sudo mkdir -p /var/www/htdocs/$VHOST/.well-known/acme-challenge
-sudo chown -R $USER:$USER /var/www/htdocs/$VHOST/.well-known+sudo chown -R $USER:$GROUP /var/www/htdocs/$VHOST/.well-known
  
 export LE_WORKING_DIR="$HOME/.acme.sh" export LE_WORKING_DIR="$HOME/.acme.sh"
-$HOME/.acme.sh/acme.sh --issue -d $VHOST -w /var/www/htdocs/$VHOST+$HOME/.acme.sh/acme.sh --force --issue -d $VHOST -w /var/www/htdocs/$VHOST -k 2048
  
 sudo mkdir -p /var/www/ssl sudo mkdir -p /var/www/ssl
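Review bot: `$GROUP` on the chown line is not a variable bash sets; tcsh exports it for an interactive login, which matches the TCSH profile shown earlier on the page, but when the script runs from cron or a plain bash session it is likely empty and the argument collapses to `user:`, which chown resolves to the login group — probably what was meant, but only by accident. Define it explicitly near the top of the script, `GROUP=$(id -gn)`, so the result does not depend on the calling shell; the chown lines in the Line 72 and Line 88 hunks have the same dependency. `$VHOST` is still unquoted and unvalidated here and in the path arguments that follow; quoting it and rejecting values that are empty or contain `/` before the `sudo mkdir`/`sudo chown` lines keeps a mistyped argument from touching directories outside /var/www. The added `--force` re-issues even when the certificate is not due, which counts against the CA's issuance limits if the script is re-run; if it is only there to override an existing domain config, consider whether it is needed on every run. issue.sh begins before and continues past this hunk.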
Line 72: Line 76:
  
 sudo mkdir -p /var/www/ssl/$VHOST sudo mkdir -p /var/www/ssl/$VHOST
-sudo chown -R $USER:$USER /var/www/ssl/$VHOST+sudo chown -R $USER:$GROUP /var/www/ssl/$VHOST
  
 $HOME/.acme.sh/acme.sh --install-cert --domain $VHOST --cert-file /var/www/ssl/$VHOST/cert.pem --key-file /var/www/ssl/$VHOST/key.pem --ca-file /var/www/ssl/$VHOST/ca.pem --fullchain-file /var/www/ssl/$VHOST/fullchain.pem $HOME/.acme.sh/acme.sh --install-cert --domain $VHOST --cert-file /var/www/ssl/$VHOST/cert.pem --key-file /var/www/ssl/$VHOST/key.pem --ca-file /var/www/ssl/$VHOST/ca.pem --fullchain-file /var/www/ssl/$VHOST/fullchain.pem
Line 88: Line 92:
  
 # renew.sh # renew.sh
 +ID=`id -u`
 +if test "$ID" -eq 0; then
 +        echo "run as user"
 +        exit 1
 +fi
  
-sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$USER {} \;+sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$GROUP {} \;
  
 export LE_WORKING_DIR="$HOME/.acme.sh" export LE_WORKING_DIR="$HOME/.acme.sh"
Line 102: Line 111:
 #sudo kill -HUP  `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'` #sudo kill -HUP  `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'`
 #sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'` #sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'`
- 
 sudo /etc/init.d/nginx reload sudo /etc/init.d/nginx reload
 +
 +exit 0
 +</code>
 +
 +Eg.
 +<code>
 +0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
 +</code>
 +===Remove cert===
 +
 +<code>
 +#! /bin/bash
 +
 +# remove.sh
 +ID=`id -u`
 +if test "$ID" -eq 0; then
 +        echo "run as user"
 +        exit 1
 +fi
 +if test $# -ne 1; then
 +        echo "missing vhost"
 +        exit 1
 +fi
 +VHOST=$1
 +
 +export LE_WORKING_DIR="$HOME/.acme.sh"
 +$HOME/.acme.sh/acme.sh --remove -d $VHOST
 +
 +rm -Rf $HOME/.acme.sh/$VHOST*
 +sudo rm -Rf /var/www/ssl/$VHOST
  
 exit 0 exit 0
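Review bot: In the new remove.sh, `rm -Rf $HOME/.acme.sh/$VHOST*` and `sudo rm -Rf /var/www/ssl/$VHOST` only check that an argument was given, not what it contains: an empty string turns the first command into `rm -Rf $HOME/.acme.sh/*` and the second into a removal of /var/www/ssl itself, a value containing `/` reaches outside both directories, and the trailing glob also removes any vhost whose name merely starts with the given one (`example.com` takes `example.community` with it). Add after `VHOST=$1` a guard such as `case $VHOST in ''|.*|*/*) echo "bad vhost" >&2; exit 1 ;; esac`, quote the expansions (`rm -Rf -- "$HOME/.acme.sh/$VHOST"*` and `sudo rm -Rf -- "/var/www/ssl/$VHOST"`), and if the glob is only there to catch acme.sh's per-key-type directories, consider naming them explicitly instead of prefix-matching. The renew.sh lines at the top of this hunk belong to a script that begins outside it.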
Line 113: Line 151:
 # m h dom mon dow command # m h dom mon dow command
 0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null 0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
 +</code>
 +
 +===Changing issuer====
 +
 +==Let's encrypt==
 +<code>
 +acme.sh --set-default-ca --server letsencrypt
 +</code>
 +
 +==zerossl==
 +
 +<code>
 +acme.sh --set-default-ca --server zerossl
 +</code>
 +
 +===Other===
 +
 +After issuing and later renewing certificates fullchain.pem and key.pem may be
 +copied and utilised by both exim and dovecot. Exim will
 +need read permission for the exim user.
 +
 +For example, fullchain and key are copied into /etc/exim4/ssl
 +
 +==Exim4==
 +
 +<code>
 +tls_certificate = /etc/exim4/ssl/certificate.pem
 +tls_privatekey  = /etc/exim4/ssl/privatekey.pem
 +</code>
 +
 +==Dovecot==
 +
 +<code>
 +ssl_cert = </etc/exim4/ssl/certificate.pem
 +ssl_key = </etc/exim4/ssl/privatekey.pem
 </code> </code>
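Review bot: The new Exim/Dovecot section says Exim needs read permission on the copied key but not how to grant it, and a plain copy into /etc/exim4/ssl is easy to leave world-readable. Suggest adding after the copy sentence: `Keep privatekey.pem owned by root with mode 0640 and its group set to the group Exim runs as (<exim-group>), so the key is readable by Exim but by no other user.` As far as I recall Dovecot reads ssl_key as root before dropping privileges, so it needs no extra permission on the shared file; stating that next to the Dovecot block would stop someone widening the mode on its account.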