Difference between revisions of "Letsencrypt"
Line 39: | Line 39: | ||
== Renew of the certs == | == Renew of the certs == | ||
− | The following script will automatically renew your certificate. Save it in a convenient place, for example, /opt/letsencrypt-renew.sh | + | The following script will automatically renew your certificate. Save it in a convenient place, for example, /opt/letsencrypt-renew.sh;dont forget du chmod +x the file |
#!/bin/bash | #!/bin/bash |
Revision as of 23:40, 8 December 2015
Introduction
Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. It's main purpose is to allow people to encrypt the internet traffic by a very simple system.
The certs delivered must be renewed every 3 months.
Installation
For the installation of Letsencrypt, the initial generation of the certificates and periodically re-new the authority certificates, at minimum Python version 2.7 is required. By default SME Server comes with a lower version, but below instruction will enable you to install version 2.7 in a 'supported' way, next to the default SME Server Python version. The newly installed Python version 2.7 will then only be used (after initial installation) for the renewal of the certificates (periodically and mandatory every 3 months).
Follow the instructions at Software_Collections and the python related wiki page specifically. You need to add the scl-repository for Python 2.7 that can be found here
Then:
yum install python27 --enablerepo=scl-python27 yum install git
To use Let's Encrypt run:
scl enable python27 bash cd /opt git clone https://github.com/letsencrypt/letsencrypt.git cd letsencrypt service httpd-e-smith stop ./letsencrypt-auto certonly --standalone --email me@mydomain.co.uk -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk
Replacing email and domains as required. Then configure SME with the certificates generated:
config setprop modSSL crt /etc/letsencrypt/live/test.firstdomain.co.uk/cert.pem config setprop modSSL key /etc/letsencrypt/live/test.firstdomain.co.uk/privkey.pem config setprop modSSL CertificateChainFile /etc/letsencrypt/live/test.firstdomain.co.uk/fullchain.pem signal-event domain-modify; signal-event email-update
Renew of the certs
The following script will automatically renew your certificate. Save it in a convenient place, for example, /opt/letsencrypt-renew.sh;dont forget du chmod +x the file
#!/bin/bash source /opt/rh/python27/enable export X_SCLS="`scl enable python27 'echo $X_SCLS'`" /sbin/service httpd-e-smith stop /opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default --email me@mydomain.co.uk \ -d test.firstdomain.co.uk -d seconddomain.co.uk -d www.seconddomain.co.uk /sbin/e-smith/signal-event domain-modify /sbin/e-smith/signal-event email-update /sbin/e-smith/signal-event ibay-modify
You may want to set this up as a cron job to run every two months, to make sure your certificate doesn't expire. Please see Crontab_Manager contrib for an easy way to achieve this. Or, to set this from the command line, do the following:
mkdir -p /etc/e-smith/templates-custom/etc/crontab
nano /etc/e-smith/templates-custom/etc/crontab/sslrenew
The following example will run the renewal script at 22:48 on the third of every other month (Feb, Apr, Jun, etc.):
48 22 3 */2 * root /opt/letsencrypt-renew.sh
expand-template /etc/crontab
service crond restart
The time and day of the month can be chosen at your discretion--I've deliberately chosen a time that isn't at the top or bottom of the hour, or on the first of the month, in the hope of reducing load on letsencrypt's servers. Since the certificates are good for 90 days, this will renew your certificate in plenty of time.
Backup
Your certificate, private key, and other important information are stored in /etc/letsencrypt, which is not included in the standard SME Server backup routines. Make sure to add this directory to your backups. See, e.g., Backup with dar if you're using the workstation backup feature.
Source from info
Source: http://forums.contribs.org/index.php/topic,51961.msg266680.html#msg266680