This is an old revision of the document!
Table of Contents
SSL-TLS
TLS is used to secure web services. This was expensive until Let's Encrypt became first Free SSL certificate service for providing TLS security for network services.
For some time certbot-auto was the standard method for updating certificates for Let's Encrypt but this is now obsolete so here we look at acme.sh which by default uses ZeroSSL.
Install
Install prerequisites and then clone acme.sh and create a working account with your valid email address.
sudo apt install git wget socat git clone https://github.com/acmesh-official/acme.sh.git cd acme.sh ./acme.sh --install -m user@example.com
This process creates an install within your home directory in a subdir named .acme.sh. It will also create a daily cron job.
Disable the following cron job which will be replaced later by a different script.
crontab -l 47 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
Additionally, a line is added to your shell profile, eg. for TCSH:
source "/home/user/.acme.sh/acme.sh.csh"
The source file included contains the following
setenv LE_WORKING_DIR "/home/user/.acme.sh" alias acme.sh "/home/user/.acme.sh/acme.sh"
Issue cert
Issue a certificate as a logged in user in the htdocs directory. This has to be only done once and likely before certificates are configured in the web server configuration.
#! /bin/bash # issue.sh ID=`id -u` if test "$ID" -eq 0; then echo "run as user" exit 1 fi if test $# -ne 1; then echo "missing vhost" exit 1 fi VHOST=$1 sudo mkdir -p /var/www/htdocs/$VHOST/.well-known/acme-challenge sudo chown -R $USER:$GROUP /var/www/htdocs/$VHOST/.well-known export LE_WORKING_DIR="$HOME/.acme.sh" $HOME/.acme.sh/acme.sh --force --issue -d $VHOST -w /var/www/htdocs/$VHOST sudo mkdir -p /var/www/ssl sudo chown 0:0 /var/www/ssl sudo mkdir -p /var/www/ssl/$VHOST sudo chown -R $USER:$GROUP /var/www/ssl/$VHOST $HOME/.acme.sh/acme.sh --install-cert --domain $VHOST --cert-file /var/www/ssl/$VHOST/cert.pem --key-file /var/www/ssl/$VHOST/key.pem --ca-file /var/www/ssl/$VHOST/ca.pem --fullchain-file /var/www/ssl/$VHOST/fullchain.pem exit 0
Renew certs
This process should be run once per month or every two months to update all certificates. It can also be used to update single certificate if the virtual host is specified. The server process needs a signal to reload the files.
#! /bin/bash # renew.sh ID=`id -u` if test "$ID" -eq 0; then echo "run as user" exit 1 fi sudo find /var/www/htdocs/ -type d -name ".well-known" -exec chown -R $USER:$GROUP {} \; export LE_WORKING_DIR="$HOME/.acme.sh" if test $# -ne 1; then sleep $[($RANDOM % 40) + 10] $HOME/.acme.sh/acme.sh --renew-all --force else VHOST=$1 $HOME/.acme.sh/acme.sh --renew -d $VHOST --force fi #sudo kill -HUP `ps auxw | egrep '^root.*nginx: master' | grep -v grep | awk '{print $2}'` #sudo kill -USR1 `ps auxw | egrep '^root.*apache2' | grep -v grep | awk '{print $2}'` sudo /etc/init.d/nginx reload exit 0
Eg.
0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
Remove cert
#! /bin/bash # remove.sh ID=`id -u` if test "$ID" -eq 0; then echo "run as user" exit 1 fi if test $# -ne 1; then echo "missing vhost" exit 1 fi VHOST=$1 export LE_WORKING_DIR="$HOME/.acme.sh" $HOME/.acme.sh/acme.sh --remove -d $VHOST rm -Rf $HOME/.acme.sh/$VHOST* sudo rm -Rf /var/www/ssl/$VHOST exit 0
Cron
# m h dom mon dow command 0 0 2 * * /home/user/bin/renew.sh 1>/dev/null 2>/dev/null
Changing issuer
Let's encrypt
acme.sh --set-default-ca --server letsencrypt
zerossl
acme.sh --set-default-ca --server zerossl
Other
After issuing and later renewing certificates fullchain.pem and key.pem may be copied and utilised by both exim and dovecot. Exim will need read permission for the exim user.
For example, fullchain and key are copied into /etc/exim4/ssl
Exim4
tls_certificate = /etc/exim4/ssl/certificate.pem tls_privatekey = /etc/exim4/ssl/privatekey.pem
Dovecot
ssl_cert = </etc/exim4/ssl/certificate.pem ssl_key = </etc/exim4/ssl/privatekey.pem