diff --git a/README.md b/README.md
index ea0dc2d..cfd4e41 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ get an SSL certificate via LetsEncryot. Suitable for automating the process in
 This was written as an addition to checkssl for servers to automatically renew certifictes. In addition it allows the running of this script in standard bash ( on a desktop computer, or even virtualbox) and add the checks, and certificates to a remote server ( providing you have an ssh key on the remote server with access). Potentially I can include FTP as an option for uploading as well.
- getssl ver. 0.8
+ getssl ver. 0.10
 To obtain a letsencrypt SSL cert Usage: getssl [-h|--help] [-d|--debug] [-c] [-w working_dir] domain
@@ -73,9 +73,10 @@ SANS=www.testdomain.com
 # 'ssh:server5:/var/www/testdomain.com/web/.well-known/acme-challenge')
 # location for all your certs these can either be on the server ( so full path name) or using ssh as for the ACL
-#DOMAIN_CERT_LOCATION="ssh:server5:/home/domain/public_html/.well-known/acme-challenge/domain.crt"
-#DOMAIN_KEY_LOCATION="ssh:server5:/home/domain/public_html/.well-known/acme-challenge/domain.key"
+#DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
+#DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
 #CA_CERT_LOCATION="/etc/ssl/chain.crt"
+#DOMAIN_PEM_LOCATION="/etc/ssl/domain-bundle.pem"
 # the command needed to reload apache / gninx or whatever you use
 #RELOAD_CMD="ssh:server5:service apache2 reload"
 #The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
@@ -131,6 +132,8 @@ copying private key to ssh:server5:/home/yourdomain/ssl/domain.key
 copying CA certificate to ssh:server5:/home/yourdomain/ssl/chain.crt
 reloading SSL services
 ```
+This will (by default) used the staging server, so should give you a certificate that isn't trusted ( by happy hacker).
+Change the server in your config file to get a fully valid certificate.
 Note: Using DNS validation is still in early stages, and there are a number of issues related to it (for example I tested with cloudflare DNS which wouldn't work and with an "internal boulder sanity check" - https://github.com/letsencrypt/boulder/issues/1391
diff --git a/getssl b/getssl
index 2126892..2b778c8 100755
--- a/getssl
+++ b/getssl
@@ -25,10 +25,11 @@
 # 2016-01-18 added option to upload a single PEN file ( used by cpanel) (v0.7)
 # 2016-01-23 added dns challenge option (v0.8)
 # 2016-01-24 create the ACL directory if it does not exist. (v0.9) - dstosberg
+# 2016-01-26 correcting a couple of small bugs (v0.10)
 # ---------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="0.9"
+VERSION="0.10"
 # defaults
 #umask 077 # paranoid umask, as we're creating private keys
@@ -159,9 +160,9 @@ copy_file_to_location() {
 scp $from ${to:4}"
 fi
 else
- mkdir -p $to
+ mkdir -p $(dirname $to)
 if [ $? -gt 0 ]; then
- error_exit "cannot create ACL directory $to"
+ error_exit "cannot create ACL directory $(basename $to)"
 fi
 cp $from $to
 fi
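Review bot: The new `error_exit` message reports the wrong path: the command that failed is `mkdir -p $(dirname $to)`, so the message should name `$(dirname $to)`, whereas `$(basename $to)` is the file being copied, not the directory that could not be created. `$to`, `$from` and the `$(dirname $to)` substitution are also unquoted, so a destination containing whitespace is word-split before `mkdir`/`cp` see it, and the `cp` result is never checked; `mkdir -p -- "$(dirname "$to")" || error_exit "cannot create directory $(dirname "$to")"` followed by `cp -- "$from" "$to" || error_exit "cannot copy $from to $to"` addresses all three. Because this function appears to be the path that delivers the private key (the README sample output shows "copying private key to ssh:server5:...") and the `#umask 077` line in the earlier hunk is still commented out, the local copy is created with the caller's default umask; restoring that umask or running `chmod 600` on key copies is worth considering. `copy_file_to_location` begins before this hunk and its closing brace lies after it.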
@@ -329,9 +330,10 @@ SANS=${EX_SANS}
 # 'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge')
 # location for all your certs these can either be on the server ( so full path name) or using ssh as for the ACL
-#DOMAIN_CERT_LOCATION=\"ssh:server5:/home/domain/public_html/.well-known/acme-challenge/domain.crt\"
-#DOMAIN_KEY_LOCATION=\"ssh:server5:/home/domain/public_html/.well-known/acme-challenge/domain.key\"
+#DOMAIN_CERT_LOCATION=\"ssh:server5:/etc/ssl/domain.crt\"
+#DOMAIN_KEY_LOCATION=\"ssh:server5:/etc/ssl/domain.key\"
 #CA_CERT_LOCATION=\"/etc/ssl/chain.crt\"
+#DOMAIN_PEM_LOCATION=\"\"
 # the command needed to reload apache / gninx or whatever you use
 #RELOAD_CMD=\"\"
 #The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
@@ -613,6 +615,8 @@ for d in $alldomains; do
 rm -f ${ACL[$dn]}/$token
 fi
 fi
+ # increment domain-counter
+ let dn=dn+1;
 done
 info "Verification completed, obtaining certificate."
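Review bot: The new `#DOMAIN_PEM_LOCATION=\"\"` line in the generated config template carries no comment saying what the file is, and it disagrees with the README changed in this same commit, which shows `/etc/ssl/domain-bundle.pem` as the example value. A one-line comment above it such as `# single combined PEM file (the bundle the v0.7 changelog mentions for cpanel); if it contains the key, keep it out of any web-served path` would tell users what the option does and carry the same caution that this hunk applies by moving `DOMAIN_KEY_LOCATION` out of `public_html`. I am inferring the bundle's contents from the changelog entry only, so adjust the wording if the PEM holds just the certificate chain. The example-config string this hunk belongs to starts before the hunk and continues after it.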
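Review bot: The new `let dn=dn+1;` reads better as `dn=$((dn + 1))`: `let` is an obsolete form and the trailing `;` is stray. More importantly, `dn` is the index into `${ACL[$dn]}` on the context line above, which selects the challenge directory whose token is removed with `rm -f`, so if the loop body (which begins before this hunk) reaches a `continue` before this increment, or if `dn` is not reset to 0 before `for d in $alldomains`, the ACL index drifts from the domain being processed and the wrong directory is cleaned; neither is visible from here, so please verify both. The comment would be more useful as `# keep dn in step with $alldomains: it indexes ACL[] for the current domain`.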