From a875f7f1603655202564b56f93b1b9f09bb1fe87 Mon Sep 17 00:00:00 2001
From: srvrco
Date: Mon, 11 Jan 2016 16:51:23 +0000
Subject: [PATCH] updating readme and typos for ver 0.2
---
 README.md | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 getssl | 12 ++++--
 2 files changed, 124 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index f22dc57..3a54960 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,118 @@
 # getssl
 get an SSL certificate via LetsEncryot. Suitable for automating the process in remote servers.
+
+This was written as an addition to checkssl for servers to automatically renew certifictes. In addition it allows the running of this script in standard bash ( on a desktop computer, or even virtualbox) and add the checks, and certificates to a remote server ( providing you have an ssh key on the remote server with access). Potentially I can include FTP as an option for uploading as well.
+
+ getssl ver. 0.1
+ To obtain a letsencrypt SSL cert
+
+ Usage: getssl [-h|--help] [-d|--debug] [-c] [-w working_dir] domain
+
+ Options:
+ -h, --help Display this help message and exit.
+ -d, --debug outputs debug information
+ -c, Create default config files
+ -w working_dir working directory
+ Where 'working_dir' is the Working Directory.
+
+
+## Structure
+
+The design aim was to provide flexibility in running the code. The default working directory is ~/.getssl ( which can be modified via the command line)
+
+Within the **working directory** is a config file, getssl.cfg which is a simple bash file containing variables, an example of which is
+
+`# uncomment and modify any variables you need
+# The staging server is best for testing
+CA="https://acme-staging.api.letsencrypt.org"
+# This server issues full certificates, however has rate limits
+#CA="https://acme-v01.api.letsencrypt.org"
+
+AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
+
+#set an email address associated with your account
+ACCOUNT_EMAIL="me@example.com"
+ACCOUNT_KEY_LENGTH=4096
+
+#The default directory for all your certs to be stored within ( in subdirectories by domain name )
+WORKING_DIR=~/.getssl
+
+# the command needed to reload apache / gninx or whatever you use
+#RELOAD_CMD=""
+#The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
+RENEW_ALLOW="30"`
+
+then, within the **working directory** there will be a folder for each certificate (based on it's domain name). Within that folder will be a config file (again called getssl.cfg). An example of which is;
+
+'# uncomment and modify any variables you need
+# The staging server is best for testing
+#CA="https://acme-staging.api.letsencrypt.org"
+# This server issues full certificates, however has rate limits
+#CA="https://acme-v01.api.letsencrypt.org"
+
+#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
+
+#set an email address associated with your account - generally set at account level rather than domain.
+#ACCOUNT_EMAIL="me@example.com"
+#ACCOUNT_KEY_LENGTH=4096
+
+# additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=www.testdomain.com
+
+#Acme Challenge Location. The first line for the domain, the following ones for each additional domain
+#if these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
+#an ssh key will be needed to provide you with access to the remote server.
+#ACL=('/var/www/testdomain.com/web/.well-known/acme-challenge'
+# 'ssh:server5:/var/www/testdomain.com/web/.well-known/acme-challenge')
+
+# location for all your certs these can either be on the server ( so full path name) or using ssh as for the ACL
+#DOMAIN_CERT_LOCATION="ssh:server5:/home/domain/public_html/.well-known/acme-challenge/domain.crt"
+#DOMAIN_KEY_LOCATION="ssh:server5:/home/domain/public_html/.well-known/acme-challenge/domain.key"
+#CA_CERT_LOCATION="/etc/ssl/chain.crt"
+# the command needed to reload apache / gninx or whatever you use
+#RELOAD_CMD="ssh:server5:service apache2 reload"
+#The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
+#RENEW_ALLOW="30"`
+
+if a location for a file starts with ssh: it is assumed the next part of the file is the hostname, followed by a colon, and then the path.
+files will be copied using scp, and it assumes that you have a key on the server ( for passwordless access). You can set the user, port etc for the server in your .ssh/config file
+
+ssh can also be used for the reload command if using on remote servers.
+
+## Getting started
+
+The easiest way to get started is to use
+
+getssl -c yourdomain.com
+
+where yourdomain.com is the primary domain name that you want to create a certificate for. This will create
+
+~/.getssl
+~/.getssl/getssl.cfg
+~/.getssl/yourdomain.com
+~/.getssl/yourdomain.com/getssl.cfg
+
+You can then edit ~/.getssl/getssl.cfg to have the values you want as the default for the majority of your certificates.
+Edit ~/.getssl/yourdomain.com/getssl.cfg to have the values you want for this specific domain.
+
+You can then just run;
+
+getssl yourdomain.com
+
+and it should run, providing output like;
+Registering account
+Verify each domain
+Verifing yourdomain.com
+Verified yourdomain.com
+Verifing www.yourdomain.com
+Verified www.yourdomain.com
+Verification completed, obtaining certificate.
+Certificate saved in /home/user/.getssl/yourdomain.com/yourdomain.com.crt
+The intermediate CA cert is in /home/andy/.getssl/yourdomain.com/chain.crt
+copying domain certificate to ssh:server5:/home/yourdomain/ssl/domain.crt
+copying private key to ssh:server5:/home/yourdomain/ssl/domain.key
+copying CA certificate to ssh:server5:/home/yourdomain/ssl/chain.crt
+reloading SSL services
+
+
+
diff --git a/getssl b/getssl
index bc9560d..7ba6d25 100755
--- a/getssl
+++ b/getssl
@@ -13,14 +13,15 @@
 # GNU General Public License at for
 # more details.
-# Usage: getssl [-h|--help] [-d|--debug] [-w working_dir] domain
+# Usage: getssl [-h|--help] [-d|--debug] [-c] [-w working_dir] domain
 # Revision history:
 # 2016-01-08 Created (v0.1)
+# 2016-01-11 type correction and upload to github (v0.2)
 # ---------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="0.1"
+VERSION="0.2"
 # defaults
 #umask 077 # paranoid umask, as we're creating private keys
@@ -33,6 +34,7 @@ DOMAIN_KEY_LENGTH=4096
 SSLCONF=/etc/ssl/openssl.cnf
 RELOAD_CMD=""
 RENEW_ALLOW="30"
+_CREATE_CONFIG=0
 clean_up() { # Perform pre-exit housekeeping
 if [ ! -z $DOMAIN_DIR ]; then
@@ -65,7 +67,7 @@ signal_exit() { # Handle trapped signals
 }
 usage() {
- echo -e "Usage: $PROGNAME [-h|--help] [-d|--debug] [-w working_dir] domain"
+ echo -e "Usage: $PROGNAME [-h|--help] [-d|--debug] [-c] [-w working_dir] domain"
 }
 log() {
@@ -185,6 +187,7 @@ help_message() {
 Options:
 -h, --help Display this help message and exit.
 -d, --debug outputs debug information
+ -c, create default config files
 -w working_dir working directory
 Where 'working_dir' is the Working Directory.
@@ -240,7 +243,7 @@ DOMAIN_DIR="$WORKING_DIR/$DOMAIN"
 CERT_FILE="$DOMAIN_DIR/${DOMAIN}.crt"
 CA_CERT="$DOMAIN_DIR/chain.crt"
-if [ _CREATE_CONFIG ]; then
+if [ ${_CREATE_CONFIG} -eq 1 ]; then
 if [ -f "$WORKING_DIR/getssl.cfg" ]; then
 info "reading main config from existing $WORKING_DIR/getssl.cfg"
 . $WORKING_DIR/getssl.cfg
@@ -560,6 +563,7 @@ copy_file_to_location $CA_CERT $CA_CERT_LOCATION
 # Run reload command to restart apache / gninx or whatever system
 if [ ! -z "$RELOAD_CMD" ]; then
+ info "reloading SSL services"
 if [[ "${ACL[$dn]:0:4}" == "ssh:" ]] ; then
 sshhost=$(echo "$RELOAD_CMD"| awk -F: '{print $2}')
 command=${RELOAD_CMD:(( ${#sshhost} + 5))}
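Review bot: The new help line `-c, create default config files` in the help_message hunk (@@ -185) does not match the copy of the same usage block this commit adds to README.md, which reads `-c, Create default config files`, and the trailing comma after `-c` has no counterpart on the neighbouring `-w working_dir` line. The adjacent descriptions start lowercase (`outputs debug information`), so `-c create default config files` in both the heredoc and the README would keep them consistent. The help_message heredoc starts and ends outside the hunk.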
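Review bot: In the hunk at @@ -240, `if [ ${_CREATE_CONFIG} -eq 1 ]; then` leaves the expansion unquoted, so `[` reports a syntax error instead of evaluating false if the variable is ever empty or unset; the test only works because `_CREATE_CONFIG=0` is now added among the defaults in the hunk at @@ -33. Quoting keeps the test well-formed independently of that default: `if [ "${_CREATE_CONFIG}" -eq 1 ]; then`. The branch that goes on to source `$WORKING_DIR/getssl.cfg` continues outside the hunk, and the `-c` handling that presumably sets the variable to 1 is not visible here.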
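Review bot: In the hunk at @@ -560, the new `info "reloading SSL services"` sits directly above a branch whose condition `[[ "${ACL[$dn]:0:4}" == "ssh:" ]]` inspects an ACL entry (indexed by whatever `$dn` was last set to) while the following two lines parse the host out of `$RELOAD_CMD`; if the commit's intent is an ssh-form reload command, as the README example `RELOAD_CMD="ssh:server5:service apache2 reload"` suggests, the check should look at the same variable it parses, `if [[ "${RELOAD_CMD:0:4}" == "ssh:" ]] ; then`. As written, a local `RELOAD_CMD` could be handed to ssh, or an ssh-form one run locally, depending on the unrelated ACL entry. The enclosing `if [ ! -z "$RELOAD_CMD" ]` block continues past the end of the hunk.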