This is an old revision of the document!


SSL-TLS

TLS is used to secure web services. This was expensive until Let's Encrypt became first Free SSL certificate service for providing TLS security for network services.

For some time certbot-auto was the standard method for updating certificates for Let's Encrypt but this is now obsolete so here we look at acme.sh which by default uses ZeroSSL.

Install

Install prerequisites and then clone acme.sh and create a working account with your valid email address.

sudo apt install git wget socat
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install -m user@example.com

This process creates an install within your home directory in a subdir named .acme.sh. It will also create a daily cron job.

Disable the following cron job which will be replaced later by another script later.

crontab -l
47 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null

Additionally, a line is added to your shell profile, eg. for TCSH:

source "/home/user/.acme.sh/acme.sh.csh"

The source file includes contains the following

setenv LE_WORKING_DIR "/home/user/.acme.sh"
alias acme.sh "/home/user/.acme.sh/acme.sh"

Issue cert

Issue a certificate as a logged in user in the htdocs directory. This has to be only done once and likely before certificates are configured in the web server configuration.

#! /bin/bash

# issue.sh
ID=`id -u`
if test "$ID" -eq 0; then
        echo "run as user"
        exit 1
fi
if test $# -ne 1; then
        echo "missing vhost"
        exit 1
fi
VHOST=$1

sudo mkdir -p /var/www/htdocs/$VHOST/.well-known/acme-challenge
sudo chown -R $USER:$USER /var/www/htdocs/$VHOST/.well-known

export LE_WORKING_DIR="$HOME/.acme.sh"
$HOME/.acme.sh/acme.sh --issue -d $VHOST -w /var/www/htdocs/$VHOST

sudo mkdir -p /var/www/ssl
sudo chown 0:0 /var/www/ssl

sudo mkdir -p /var/www/ssl/$VHOST
sudo chown -R $USER:$USER /var/www/ssl/$VHOST

$HOME/.acme.sh/acme.sh --install-cert --domain $VHOST --cert-file /var/www/ssl/$VHOST/cert.pem --key-file /var/www/ssl/$VHOST/key.pem --ca-file /var/www/ssl/$VHOST/ca.pem --fullchain-file /var/www/ssl/$VHOST/fullchain.pem

exit 0

Renew certs

This process should be run once per month or every two months to update all certificates. It can also be used to update single certificate if the virtual host is specified. The server process needs a signal to reload the files.

#! /bin/bash

# renew.sh
ID=`id -u`
if test "$ID" -eq 0; then
        echo "run as user"
        exit 1
fi

sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$USER {} \;

export LE_WORKING_DIR="$HOME/.acme.sh"
if test $# -ne 1; then
        sleep $[($RANDOM % 40) + 10]
        $HOME/.acme.sh/acme.sh --renew-all --force
else
        VHOST=$1
        $HOME/.acme.sh/acme.sh --renew -d $VHOST --force
fi

#sudo kill -HUP  `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'`
#sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'`

sudo /etc/init.d/nginx reload

exit 0

Remove cert

#! /bin/bash

# remove.sh
ID=`id -u`
if test "$ID" -eq 0; then
        echo "run as user"
        exit 1
fi
if test $# -ne 1; then
        echo "missing vhost"
        exit 1
fi
VHOST=$1

export LE_WORKING_DIR="$HOME/.acme.sh"
$HOME/.acme.sh/acme.sh --remove -d $VHOST

rm -Rf $HOME/.acme.sh/$VHOST
sudo rm -Rf /var/www/ssl/$VHOST

exit 0

Cron

# m h dom mon dow command
0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null

Changing issuer

Let's encrypt
acme.sh --set-default-ca --server letsencrypt
zerossl
acme.sh --set-default-ca --server zerossl

Resources

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies