This is my own set of scripts to get and deploy certificates from Let's Encrypt.
It uses acme_tiny to actually interact with Let's Encrypt.
But acme_tiny does not generate CSRs and cannot replace the certificates and keys of running services with new ones, because it is not intended to run with elevated privileges.
This set of scripts fills that gap.
It uses the config file /etc/acme-certs, which contains three space-separated items on each non-comment line:
- the domain name
- the directory where the working key and certificate should be
- the names of the services which should be restarted when the certificate is changed.
It runs acme_tiny as a special unprivileged user, which only accesses files in its home directory. So you should configure your web server so that the directory ~acme/public_html is accessible from the web as /.well-known/acme-challenge for all necessary domains.
Certificates are always stored in domain.crt, either in the service directory (specified in the config) or in the home directory of user acme. Keys are always stored in the service directory, either with the .key extension (working ones) or with .newkey (ones being certified).
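As an added illustration (not code from these scripts), the config format and file layout described above can be expressed in Python like this. It assumes that the home directory of user acme is /home/acme and that the third config field may list several services separated by commas; neither detail is stated above, and the sample config is constructed for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CertEntry:
    domain: str
    directory: str
    services: List[str]


# Constructed sample of /etc/acme-certs. Treating the third field as a
# comma-separated list of services is an assumption made for this example.
SAMPLE_CONFIG = """\
# domain           directory              services
example.com        /etc/ssl/example.com   nginx,postfix
mail.example.org   /etc/postfix/ssl       postfix,dovecot
"""

DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")


def parse_acme_certs(text: str) -> List[CertEntry]:
    """Parse the text of /etc/acme-certs: blank and '#' lines are skipped,
    every other line must carry exactly three whitespace-separated fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        domain, directory, services = fields
        # The domain ends up in file names and in a CSR subject, and the
        # directory is used by root: reject odd domains and relative paths early.
        if not DOMAIN_RE.fullmatch(domain) or not os.path.isabs(directory):
            raise ValueError(f"line {lineno}: bad domain or relative directory")
        entries.append(CertEntry(domain, directory, [s for s in services.split(",") if s]))
    return entries


def cert_paths(entry: CertEntry, acme_home: str = "/home/acme") -> Dict[str, str]:
    """File layout: working key, working certificate and the key being
    certified live in the service directory; the CSR and the freshly issued
    certificate live in the home directory of user acme (assumed /home/acme)."""
    return {
        "key": os.path.join(entry.directory, entry.domain + ".key"),
        "newkey": os.path.join(entry.directory, entry.domain + ".newkey"),
        "crt": os.path.join(entry.directory, entry.domain + ".crt"),
        "csr": os.path.join(acme_home, entry.domain + ".csr"),
        "newcrt": os.path.join(acme_home, entry.domain + ".crt"),
    }


if __name__ == "__main__":
    for entry in parse_acme_certs(SAMPLE_CONFIG):
        print(entry.domain, entry.services, cert_paths(entry)["crt"])
```

Rejecting malformed lines with an exception rather than skipping them is deliberate: a silently ignored line means a domain that never gets renewed, which is exactly the kind of failure the daily cron mail is meant to surface.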
There are three steps in the certificate renewal process:
- generating new keys and creating CSRs (done as root, as nobody else should be able to access the keys)
- signing the CSRs with Let's Encrypt and obtaining certificates (done as the special unprivileged user)
- deploying the certificates (done as root, as private keys must be moved, certificates rewritten and services restarted)
Each of these steps is handled by a separate script and run as a separate cron job.
If something goes wrong during the process (e.g. letsencrypt.org is not reachable), the old certificates are retained.
The scripts start trying to renew certificates a week before their expiration date, so there will probably be plenty of time to fix the problem.
create_csr
This is the most complicated script besides acme_tiny itself. It is written in Python. It reads the config, analyzes the certificates and, if there is less than a week left until the expiration date, generates new keys and CSRs. CSRs are placed into the home directory of user acme. It adds a subjectAltName extension if one is present in the currently used certificate.
By default it creates new CSRs only for certificates which are about to expire within a week.
This is the mode of operation for use from crontab. If you run these scripts from crontab daily and read mail from cron, it gives you enough time to fix problems before certificates actually expire.
But you can force a CSR to be generated by specifying the domain on the command line. This is for adding a new domain to the system.
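The create_csr logic described above, written out as an added Python example (this is not the project's own create_csr). It drives the openssl command-line tool rather than a crypto library; the renewal decision is taken on the output of openssl x509 -enddate, and the subjectAltName of the current certificate is read with the -ext option, which needs OpenSSL 1.1.1 or later. The RSA key size, the config file written into the acme home, and the /home/acme default are assumptions of the example.

```python
import os
import re
import ssl
import subprocess
import time

RENEW_BEFORE = 7 * 86400  # start renewing a week before notAfter


def not_after_seconds(enddate_line: str) -> int:
    """Epoch seconds from 'openssl x509 -noout -enddate' output,
    e.g. 'notAfter=Jan  5 09:34:43 2018 GMT'."""
    value = enddate_line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    return ssl.cert_time_to_seconds(value)


def needs_renewal(enddate_line: str, now=None, forced=False) -> bool:
    """Cron-mode decision: renew when less than a week is left.
    forced=True is the command-line case used for adding a new domain."""
    if forced:
        return True
    if now is None:
        now = time.time()
    return not_after_seconds(enddate_line) - now < RENEW_BEFORE


def san_dns_names(ext_text: str):
    """DNS names from 'openssl x509 -noout -ext subjectAltName' output."""
    return re.findall(r"DNS:([^,\s]+)", ext_text)


def openssl_req_config(domain: str, san_names) -> str:
    """Config for 'openssl req' with CN=domain and, only when the current
    certificate carried a subjectAltName, the same names again (the domain
    itself is always part of the list so the SAN never drops the CN)."""
    names = [domain] + [n for n in san_names if n != domain]
    lines = ["[req]", "distinguished_name = dn", "prompt = no"]
    if san_names:
        lines.append("req_extensions = v3_req")
    lines += ["[dn]", f"CN = {domain}"]
    if san_names:
        lines += ["[v3_req]", "subjectAltName = " + ",".join("DNS:" + n for n in names)]
    return "\n".join(lines) + "\n"


def csr_commands(domain: str, workdir: str, acme_home: str, config_path: str):
    """The two openssl invocations: a new key in the service directory
    (domain.newkey) and a CSR in the home directory of user acme."""
    newkey = os.path.join(workdir, domain + ".newkey")
    csr = os.path.join(acme_home, domain + ".csr")
    return [
        ["openssl", "genrsa", "-out", newkey, "2048"],  # key size is an assumption
        ["openssl", "req", "-new", "-key", newkey, "-config", config_path, "-out", csr],
    ]


def create_csr(domain: str, workdir: str, acme_home: str = "/home/acme", force=False) -> bool:
    """Run as root: returns True when a new key and CSR were generated."""
    crt = os.path.join(workdir, domain + ".crt")
    san = []
    if os.path.exists(crt):
        out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", crt],
                             capture_output=True, text=True, check=True).stdout
        if not needs_renewal(out, forced=force):
            return False
        ext = subprocess.run(["openssl", "x509", "-noout", "-ext", "subjectAltName", "-in", crt],
                             capture_output=True, text=True).stdout
        san = san_dns_names(ext)
    elif not force:
        return False  # no certificate yet: only the command-line (forced) mode starts one
    config_path = os.path.join(acme_home, domain + ".cnf")
    with open(config_path, "w") as f:
        f.write(openssl_req_config(domain, san))
    old_umask = os.umask(0o077)  # the new private key must be readable by root only
    try:
        for cmd in csr_commands(domain, workdir, acme_home, config_path):
            subprocess.run(cmd, check=True)
    finally:
        os.umask(old_umask)
    # The CSR holds no secret, so the acme user may read it for request_crt.
    os.chmod(os.path.join(acme_home, domain + ".csr"), 0o644)
    return True
```

The umask around the key generation is the point to get right: the key is created by root in the service directory and must never be group- or world-readable, while the CSR that goes into the acme home must be readable by the unprivileged user.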
request_crt
This script does all the network access work. For each CSR found in the home directory of user acme, it runs acme_tiny unless a certificate already exists. At the end it tries to renew the set of intermediate CA certificates. This is the only script which attempts to access the network. It runs from cron as user acme. It does not even know where the private keys for these certificates are stored. This script expects that the ${HOME}/public_html directory is mapped to
http://domain/.well-known/acme-challenge
by your web server configuration for all the domains which need to be handled.
deploy_crt
This script checks the received certificates. For each domain listed in /etc/acme-certs, it looks whether a new certificate is present in the home directory of user acme. Then it performs the following checks:
- whether the public key in domain.crt matches the private key in domain.newkey
- whether the certificate subject matches the domain
- whether the certificate signature can be verified.
If these checks pass, the certificate is deployed. Otherwise the certificate and CSR are removed, so the next invocation of create_csr creates a new request.
If the working certificate file contains more than one
-----BEGIN CERTIFICATE-----
line, it is assumed that a fresh set of intermediate CA certificates should be appended to the newly deployed certificate.
At the end, the services listed in the configuration file are restarted using the service(8) command.
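The deploy_crt checks and the chain handling described above, as an added Python example (not the project's own deploy_crt). The PEM handling and the subject check are plain Python; the key match and signature check call the openssl tool, comparing the public key of the certificate with the one derived from domain.newkey and verifying the leaf through the intermediates against the system trust store. The location of the intermediate file, the use of -ext (OpenSSL 1.1.1 or later), and the PEM-shaped stand-ins at the top (constructed, not real certificates) are assumptions of the example.

```python
import os
import re
import subprocess
import tempfile

# One PEM certificate block as found in domain.crt; non-greedy, so a file
# holding a leaf plus intermediates splits into separate blocks.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.S)

# Constructed PEM-shaped stand-ins (not real certificates) for exercising
# the text handling below without touching openssl.
OLD_LEAF = "-----BEGIN CERTIFICATE-----\nOLDLEAF\n-----END CERTIFICATE-----\n"
NEW_LEAF = "-----BEGIN CERTIFICATE-----\nNEWLEAF\n-----END CERTIFICATE-----\n"
OLD_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nOLDCA\n-----END CERTIFICATE-----\n"
NEW_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nNEWCA\n-----END CERTIFICATE-----\n"


def split_pem_certs(text: str):
    return [m.group(0) + "\n" for m in PEM_CERT.finditer(text)]


def has_chain(working_crt_text: str) -> bool:
    # More than one BEGIN CERTIFICATE line: intermediates are deployed with the leaf.
    return len(split_pem_certs(working_crt_text)) > 1


def assemble_bundle(working_crt_text: str, new_leaf_text: str, fresh_chain_text: str) -> str:
    """Contents for the new domain.crt: the freshly issued leaf, followed by
    the fresh intermediates only when the working file already had a chain."""
    leaf = split_pem_certs(new_leaf_text)
    if len(leaf) != 1:
        raise ValueError("expected exactly one certificate from the CA")
    if not has_chain(working_crt_text):
        return leaf[0]
    chain = split_pem_certs(fresh_chain_text)
    if not chain:
        raise ValueError("working certificate carries a chain but no intermediates are available")
    return "".join(leaf + chain)


def cert_names(openssl_text: str):
    """Names from 'openssl x509 -noout -subject -ext subjectAltName' output:
    the subject CN first, then the SAN DNS entries, duplicates dropped."""
    names = []
    for m in re.finditer(r"CN\s*=\s*([^,/\n]+)|DNS:([^,\s]+)", openssl_text):
        name = (m.group(1) or m.group(2)).strip()
        if name not in names:
            names.append(name)
    return names


def name_matches(domain: str, names) -> bool:
    """Subject check: exact match, or a wildcard in the leftmost label only,
    covering exactly one label ('*.example.com' does not cover 'a.b.example.com')."""
    domain = domain.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == domain:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            if domain.endswith(name[1:]) and domain.count(".") == name.count("."):
                return True
    return False


def _openssl(*args) -> bytes:
    return subprocess.run(["openssl", *args], capture_output=True, check=True).stdout


def key_matches_cert(crt_path: str, key_path: str) -> bool:
    # Compare public keys, so the check works for RSA and EC keys alike.
    return (_openssl("x509", "-noout", "-pubkey", "-in", crt_path)
            == _openssl("pkey", "-pubout", "-in", key_path))


def signature_verifies(crt_path: str, chain_path: str) -> bool:
    # Chain the leaf through the intermediates to the system trust store.
    r = subprocess.run(["openssl", "verify", "-untrusted", chain_path, crt_path], capture_output=True)
    return r.returncode == 0


def deploy(domain: str, workdir: str, acme_home: str, chain_path: str, services) -> bool:
    """Root-side deployment for one domain; returns True when deployed."""
    new_crt, csr = (os.path.join(acme_home, domain + ext) for ext in (".crt", ".csr"))
    crt, key, newkey = (os.path.join(workdir, domain + ext) for ext in (".crt", ".key", ".newkey"))
    if not os.path.exists(new_crt):
        return False
    names = cert_names(_openssl("x509", "-noout", "-subject", "-ext", "subjectAltName",
                                "-in", new_crt).decode())
    if not (key_matches_cert(new_crt, newkey) and name_matches(domain, names)
            and signature_verifies(new_crt, chain_path)):
        for p in (new_crt, csr):  # drop both so the next create_csr run starts over
            if os.path.exists(p):
                os.unlink(p)
        return False
    working = open(crt).read() if os.path.exists(crt) else ""
    bundle = assemble_bundle(working, open(new_crt).read(), open(chain_path).read())
    # Write beside the old file and rename into place, so a service started in
    # between never sees a half-written certificate; certificates are public.
    fd, tmp = tempfile.mkstemp(dir=workdir, prefix=domain + ".crt.")
    with os.fdopen(fd, "w") as f:
        f.write(bundle)
    os.chmod(tmp, 0o644)
    os.replace(tmp, crt)
    os.replace(newkey, key)  # the key matching the new certificate becomes the working key
    os.unlink(new_crt)
    for name in services:
        subprocess.run(["service", name, "restart"], check=True)
    return True
```

Note the order in deploy: every check runs against the files in the acme home before anything in the service directory is touched, so a failed or tampered certificate never reaches the working key and certificate, and both renames are atomic on the same filesystem.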
Notes
These scripts don't touch the configuration files of your server. It is up to you to add the proper configuration directives to the config files to use the certificates.
These scripts assume that you already have a working configuration. So they just copy some properties, such as the subjectAltName or the presence of intermediate CA certificates in the certificate file, from the existing configuration. This may need to be fixed. See the following howto: