Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
tools:ssl [2022/08/21 13:26] – [Remove cert] darrontools:ssl [2024/07/17 12:03] (current) – [Issue cert] darron
Line 27: Line 27:
 a daily cron job. a daily cron job.
  
-This cron job will be replaced later.+Disable the following cron job which will be replaced later by a different script.
  
 <code> <code>
Line 34: Line 34:
 </code> </code>
  
-Additionally, a line is to the shell profile, eg. for TCSH:+Additionally, a line is added to your shell profile, eg. for TCSH:
  
 <code> <code>
Line 40: Line 40:
 </code> </code>
  
-The source contains+The source file included contains the following
 <code> <code>
 setenv LE_WORKING_DIR "/home/user/.acme.sh" setenv LE_WORKING_DIR "/home/user/.acme.sh"
Line 67: Line 67:
  
 sudo mkdir -p /var/www/htdocs/$VHOST/.well-known/acme-challenge sudo mkdir -p /var/www/htdocs/$VHOST/.well-known/acme-challenge
-sudo chown -R $USER:$USER /var/www/htdocs/$VHOST/.well-known+sudo chown -R $USER:$GROUP /var/www/htdocs/$VHOST/.well-known
  
 export LE_WORKING_DIR="$HOME/.acme.sh" export LE_WORKING_DIR="$HOME/.acme.sh"
-$HOME/.acme.sh/acme.sh --issue -d $VHOST -w /var/www/htdocs/$VHOST+$HOME/.acme.sh/acme.sh --force --issue -d $VHOST -w /var/www/htdocs/$VHOST -k 2048
  
 sudo mkdir -p /var/www/ssl sudo mkdir -p /var/www/ssl
Line 76: Line 76:
  
 sudo mkdir -p /var/www/ssl/$VHOST sudo mkdir -p /var/www/ssl/$VHOST
-sudo chown -R $USER:$USER /var/www/ssl/$VHOST+sudo chown -R $USER:$GROUP /var/www/ssl/$VHOST
  
 $HOME/.acme.sh/acme.sh --install-cert --domain $VHOST --cert-file /var/www/ssl/$VHOST/cert.pem --key-file /var/www/ssl/$VHOST/key.pem --ca-file /var/www/ssl/$VHOST/ca.pem --fullchain-file /var/www/ssl/$VHOST/fullchain.pem $HOME/.acme.sh/acme.sh --install-cert --domain $VHOST --cert-file /var/www/ssl/$VHOST/cert.pem --key-file /var/www/ssl/$VHOST/key.pem --ca-file /var/www/ssl/$VHOST/ca.pem --fullchain-file /var/www/ssl/$VHOST/fullchain.pem
Line 98: Line 98:
 fi fi
  
-sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$USER {} \;+sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$GROUP {} \;
  
 export LE_WORKING_DIR="$HOME/.acme.sh" export LE_WORKING_DIR="$HOME/.acme.sh"
Line 111: Line 111:
 #sudo kill -HUP  `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'` #sudo kill -HUP  `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'`
 #sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'` #sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'`
- 
 sudo /etc/init.d/nginx reload sudo /etc/init.d/nginx reload
  
Line 117: Line 116:
 </code> </code>
  
 +Eg.
 +<code>
 +0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
 +</code>
 ===Remove cert=== ===Remove cert===
  
Line 137: Line 140:
 $HOME/.acme.sh/acme.sh --remove -d $VHOST $HOME/.acme.sh/acme.sh --remove -d $VHOST
  
-rm -Rf $HOME/.acme.sh/$VHOST +rm -Rf $HOME/.acme.sh/$VHOST* 
-rm -Rf /var/www/ssl/$VHOST+sudo rm -Rf /var/www/ssl/$VHOST
  
 exit 0 exit 0
Line 148: Line 151:
 # m h dom mon dow command # m h dom mon dow command
 0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null 0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
 +</code>
 +
 +===Changing issuer====
 +
 +==Let's encrypt==
 +<code>
 +acme.sh --set-default-ca --server letsencrypt
 +</code>
 +
 +==zerossl==
 +
 +<code>
 +acme.sh --set-default-ca --server zerossl
 +</code>
 +
 +===Other===
 +
 +After issuing and later renewing certificates fullchain.pem and key.pem may be
 +copied and utilised by both exim and dovecot. Exim will
 +need read permission for the exim user.
 +
 +For example, fullchain and key are copied into /etc/exim4/ssl
 +
 +==Exim4==
 +
 +<code>
 +tls_certificate = /etc/exim4/ssl/certificate.pem
 +tls_privatekey  = /etc/exim4/ssl/privatekey.pem
 +</code>
 +
 +==Dovecot==
 +
 +<code>
 +ssl_cert = </etc/exim4/ssl/certificate.pem
 +ssl_key = </etc/exim4/ssl/privatekey.pem
 </code> </code>