README.md
## Deploying [dehydrated](http://dehydrated.de) for apache2 on Debian Jessie:
```
wget https://gist.githubusercontent.com/waja/8df78afb09691e4f383d818685f48885/raw/deploy_dehydrated.sh \
-O /tmp/deploy_dehydrated.sh && \
bash /tmp/deploy_dehydrated.sh <registration email>
```
Now you need to create `/etc/dehydrated/domains.txt` as [documented](https://github.com/lukas2511/dehydrated/blob/master/docs/domains_txt.md).
Running the cronjob for initial request of certs:
```
/etc/cron.daily/dehydrated_autorenew
```
If you are hit by [Provided agreement URL ... does not match current agreement URL ...](https://github.com/lukas2511/dehydrated/issues/248), you need at least dehydrated 0.4.0, for example from stretch-backports. Use:
```
/usr/bin/dehydrated -c --accept-terms && /etc/cron.daily/dehydrated_autorenew
```
## Linking certs and keys into usual places:
```
/usr/local/sbin/dehydrated_create_links
```
For distributed setups you might want to have a look at [Using redirects](https://nekudo.com/blog/letsencrypt-in-a-multiserver-environment) or [Use and automate letsencrypt certificates (ACME) in an high-availability environment](https://chr4.org/blog/2016/11/14/use-letsencrypt-acme-in-an-high-availability-environment/).
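As an added check that is not part of the gist, the script below audits what `dehydrated_create_links` should have produced: for every certificate name (first column) in `domains.txt` it verifies that the key and full-chain symlinks exist and resolve to the files under `/var/lib/dehydrated/certs`, and that the private key carries no group/other permission bits. The directory arguments are assumptions added here so the check can run against a copy; they default to the gist's paths.

```shell
#!/bin/bash
# Added example, not part of the gist: audit the symlinks that
# dehydrated_create_links is expected to have created for every
# certificate name (first column) in domains.txt, and flag private keys
# that are readable by group or others. Prints one line per problem to
# stderr, the problem count to stdout, and returns 1 if anything is wrong.

# check_link LINK TARGET: LINK must be a symlink resolving to an existing TARGET
check_link() {
    [ -f "$2" ] || { echo "NOCERT   $2" >&2; return 1; }
    [ -L "$1" ] || { echo "MISSING  $1" >&2; return 1; }
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ] ||
        { echo "WRONG    $1 -> $(readlink "$1")" >&2; return 1; }
}

# check_links [DOMAINS_FILE] [CERT_DIR] [SSL_PRIVATE] [SSL_CERTS]
# Arguments default to the paths used by the gist's scripts (assumed layout);
# pass other directories to audit a copy of a deployment.
check_links() {
    local domains="${1:-/etc/dehydrated/domains.txt}"
    local certdir="${2:-/var/lib/dehydrated/certs}"
    local priv="${3:-/etc/ssl/private}" certs="${4:-/etc/ssl/certs}"
    local cert perms problems=0
    [ -r "$domains" ] || { echo "cannot read $domains" >&2; echo 1; return 1; }
    while read -r cert _ || [ -n "$cert" ]; do
        # skip blank lines and comments, as dehydrated itself does
        case "$cert" in ''|'#'*) continue ;; esac
        check_link "${priv}/${cert}.key" "${certdir}/${cert}/privkey.pem" || problems=$((problems + 1))
        check_link "${certs}/${cert}.pem" "${certdir}/${cert}/fullchain.pem" || problems=$((problems + 1))
        # a key linked into /etc/ssl/private must stay private (no group/other bits)
        if [ -f "${certdir}/${cert}/privkey.pem" ]; then
            perms=$(stat -c '%a' "${certdir}/${cert}/privkey.pem")
            if [ $((0$perms & 077)) -ne 0 ]; then
                echo "PERMS    ${certdir}/${cert}/privkey.pem is mode ${perms}" >&2
                problems=$((problems + 1))
            fi
        fi
    done < "$domains"
    echo "$problems"
    [ "$problems" -eq 0 ]
}

# "check" as the first argument audits the live system with the default paths
if [ "${1-}" = "check" ]; then
    shift
    check_links "$@"
fi
```

Run it as `./check_links.sh check` after the link script, or pass the four directories to audit a copied tree.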
deploy_dehydrated.sh
```bash
#!/bin/bash
# Installs dehydrated (from jessie-backports where needed) together with the
# apache2 challenge configuration, a daily renewal cron job, a script that
# links certs and keys into /etc/ssl, the local.sh config and a deploy hook.
# Usage: deploy_dehydrated.sh <registration email>
[ -n "${1}" ] || { echo "usage: $0 <registration email>" >&2; exit 1; }

CRON="/etc/cron.daily/dehydrated_autorenew"
CONFIGURL="https://gist.githubusercontent.com/waja/8df78afb09691e4f383d818685f48885/raw/local.sh"
CONFIGNAME="$(basename "${CONFIGURL}")"
CONFIGPATH="/etc/dehydrated/conf.d"
LINKSCRIPT="/usr/local/sbin/dehydrated_create_links"
HOOKNAME="hook.sh"
HOOKPATH="/etc/dehydrated"

# Jessie only ships dehydrated via backports
if [ "$(lsb_release -cs)" = "jessie" ]; then
    BPO="-t $(lsb_release -cs)-backports"
fi
PACKAGES="dehydrated dehydrated-apache2"

# ${BPO} and ${PACKAGES} stay unquoted on purpose: they expand to several arguments
apt-get install -y ${BPO} ${PACKAGES}

# Daily renewal job: -c runs the renewal, -g keeps going after a failed domain.
# Everything that is not worth a cron mail is filtered out of the output.
if [ ! -x "${CRON}" ]; then
    cat > "${CRON}" <<EOF
#!/bin/bash
test -x /usr/bin/dehydrated && /usr/bin/dehydrated -c -g | grep -v -E "(^#|^Processing|Skipping renew|unchanged|Checking expire date of existing cert|Certificate will not expire|^$)"; exit 0
EOF
    chmod +x "${CRON}"
fi

# Link script: for every certificate name in domains.txt, symlink the private key
# into /etc/ssl/private and the full chain into /etc/ssl/certs (existing links are kept).
cat > "${LINKSCRIPT}" <<EOF
#!/bin/bash
for CERT in \$(awk '{print \$1}' /etc/dehydrated/domains.txt); do
    [ -f /var/lib/dehydrated/certs/\${CERT}/privkey.pem ] && ! [ -L /etc/ssl/private/\${CERT}.key ] && ln -s /var/lib/dehydrated/certs/\${CERT}/privkey.pem /etc/ssl/private/\${CERT}.key
    [ -f /var/lib/dehydrated/certs/\${CERT}/fullchain.pem ] && ! [ -L /etc/ssl/certs/\${CERT}.pem ] && ln -s /var/lib/dehydrated/certs/\${CERT}/fullchain.pem /etc/ssl/certs/\${CERT}.pem
done
EOF
chmod +x "${LINKSCRIPT}"

# Fix #941414 (for now): match the Replay-Nonce header case-insensitively
sed -i "s/grep Replay-Nonce:/grep -i ^Replay-Nonce:/" /usr/bin/dehydrated

# Fetch local.sh unless a config is already present, then set the contact e-mail
[ -f "${CONFIGPATH}/${CONFIGNAME}" ] || wget "${CONFIGURL}" -O "${CONFIGPATH}/${CONFIGNAME}"
sed -i "s/^CONTACT_EMAIL=.*/CONTACT_EMAIL=${1}/" "${CONFIGPATH}/${CONFIGNAME}"

# Hook: restart apache2 once a new certificate has been deployed
if [ ! -f "${HOOKPATH}/${HOOKNAME}" ]; then
    printf '#!/bin/sh\n\n# See also https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh\n\n[ "$1" != "deploy_cert" ] || /usr/sbin/service apache2 restart\n' > "${HOOKPATH}/${HOOKNAME}"
fi
chmod +x "${HOOKPATH}/${HOOKNAME}"
```
lighttpd_dehydrated.conf
```text
alias.url += (
    "/.well-known/acme-challenge/" => "/var/lib/dehydrated/acme-challenges/",
)
```
local.sh
```bash
# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
#CA="https://acme-v01.api.letsencrypt.org/directory"

# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
HOOK='/etc/dehydrated/hook.sh'

# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
HOOK_CHAIN="yes"

# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=rsa

# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL=
```
migrate2dehydrated.sh
```bash
#!/bin/bash
# Migrate an existing letsencrypt.sh installation to dehydrated (the package was
# renamed): install the transition packages, move cron job, config, accounts and
# certs over, recreate the symlinks and drop the old apache2 configuration.
set -e

# install (transition) packages
aptitude -t jessie-backports install letsencrypt.sh letsencrypt.sh-apache2

# migrate cron job and config over to dehydrated
sed -i 's/letsencrypt\.sh/dehydrated/g' /etc/cron.daily/letsencrypt_autorenew
mv /etc/cron.daily/letsencrypt_autorenew /etc/cron.daily/dehydrated_autorenew
mv /var/lib/letsencrypt.sh/certs/ /var/lib/letsencrypt.sh/accounts/ /var/lib/dehydrated/
mv /etc/letsencrypt.sh/conf.d/* /etc/dehydrated/conf.d/
mv /etc/letsencrypt.sh/domains.txt /etc/letsencrypt.sh/hook.sh /etc/dehydrated/
sed -i 's/letsencrypt\.sh/dehydrated/g' /etc/dehydrated/conf.d/*

# migrate certificate links to dehydrated: drop the old symlinks and point new
# ones at the dehydrated cert directory
for CERT in $(awk '{print $1}' /etc/dehydrated/domains.txt); do
    test -L "/etc/ssl/certs/${CERT}.pem" && rm "/etc/ssl/certs/${CERT}.pem"
    test -L "/etc/ssl/private/${CERT}.key" && rm "/etc/ssl/private/${CERT}.key"
    test -e "/var/lib/dehydrated/certs/${CERT}/privkey.pem" && \
        ln -s "/var/lib/dehydrated/certs/${CERT}/privkey.pem" "/etc/ssl/private/${CERT}.key"
    test -e "/var/lib/dehydrated/certs/${CERT}/fullchain.pem" && \
        ln -s "/var/lib/dehydrated/certs/${CERT}/fullchain.pem" "/etc/ssl/certs/${CERT}.pem"
done

# remove obsolete apache configuration and reload apache2
rm /etc/apache2/conf-available/letsencrypt.sh.conf /etc/apache2/conf-enabled/letsencrypt.sh.conf
/etc/init.d/apache2 reload
```
update_cron.sh
```bash
#!/bin/bash
# Replace the renewal cron job written by deploy_dehydrated.sh with one that
# calls dehydrated without -g (keep going after errors). The job is always
# rewritten, so the old existence check is gone.
CRON="/etc/cron.daily/dehydrated_autorenew"
rm -f "${CRON}"
cat > "${CRON}" <<EOF
#!/bin/bash
test -x /usr/bin/dehydrated && /usr/bin/dehydrated -c | grep -v -E "(^#|^Processing|Skipping renew|unchanged|Checking expire date of existing cert|Certificate will not expire|^$)"; exit 0
EOF
chmod +x "${CRON}"
```