Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for automating the process on remote servers.
This was written in standard bash (so it can be run on a server, a desktop computer, or even VirtualBox) and can add the validation tokens and certificates to a remote server (providing you have an ssh key on the remote server with access).
```
getssl ver. 0.42
Options:
-w working_dir Working directory
```
## Features
* **Bash** - so it runs on most linux machines.
* **Get certificates for remote servers** - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, as it's a shared server for example.
* **Runs as a daily cron** - so certificates will be automatically renewed when required.
* **Automatic certificate renewals**
* **Checks certificates are correctly loaded**. After installing a new certificate it tests the port specified (typically https / 443) to confirm that the certificate is actually being served correctly.
* **Automatically updates** - The script can automatically update itself with bug fixes etc if required.
* **Extensively configurable** - With a simple configuration file for each certificate it is possible to configure it exactly for your needs, whether a simple single domain or multiple domains across multiple servers on the same certificate.
* **Supports http and dns challenges** - Full ACME implementation
* **Simple and easy to use**
* **Detailed debug info** - Whilst it shouldn't be needed, detailed debug information is available.
* **Reload services** - After a new certificate is obtained then the relevant services (e.g. apache/nginx/postfix) can be reloaded.
## Installation
Since the script is only one file, you can use the command
which will copy the getssl bash script to the current location and change the permissions to make it executable for you.
Alternatively you can use git
```
git clone git@github.com:srvrco/getssl.git
```
## Structure
The design aim was to provide flexibility in running the code. The default working directory is ~/.getssl (which can be modified via the command line).
```
# Set an email address associated with your account - generally set at account level rather than domain.
ACCOUNT_EMAIL="me@example.com"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/me/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
# The command needed to reload apache / nginx or whatever you use
#RELOAD_CMD=""
# The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
RENEW_ALLOW="30"
# Define the server type. If it's a "webserver" then the main website will be checked for certificate expiry
# and also will be checked after an update to confirm correct certificate is running.
#SERVER_TYPE="webserver"
# openssl config file. The default should work in most cases.
SSLCONF="/usr/lib/ssl/openssl.cnf"
# Use the following 3 variables if you want to validate via DNS
#VALIDATE_VIA_DNS="true"
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=
# If your DNS-server needs extra time to make sure your DNS changes are readable by the ACME-server (time in seconds)
#DNS_EXTRA_WAIT=60
```
Then, within the **working directory** there will be a folder for each certificate (based on its domain name). Within that folder will be a config file (again called getssl.cfg). An example of which is;
If a location for a file starts with ssh: it is assumed the next part of the file is the hostname, followed by a colon, and then the path.
Files will be securely copied using scp, and it assumes that you have a key on the server ( for passwordless access). You can set the user, port etc for the server in your .ssh/config file
If an ACL starts with ftp: or sftp: it is assumed that the line is in the format "ftp:UserID:Password:servername:/path/to/acme-challenge". sftp requires sshpass.
Note: FTP can be used for copying tokens only and can **not** be used for uploading private keys or certificates as it's not a secure method of transfer.
ssh can also be used for the reload command if using on remote servers.
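To make the location syntax above concrete, here is an added example (not code from getssl itself) that parses the ssh:, ftp:/sftp: and plain-path forms the README describes and enforces the rule that ftp: may only carry validation tokens. The file kinds "token", "cert" and "key" and the hostnames in the comments are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not getssl's own code: parse the location formats the README
# describes (ssh:host:/path, ftp:UserID:Password:host:/path, sftp:..., or a
# plain local path) and enforce the rule that ftp: may only carry validation
# tokens. Prints "<method> <target> <path>"; exit 1 = transport not allowed
# for this file kind, exit 2 = malformed location. File kinds are assumed to
# be "token", "cert" or "key" (a naming choice of this example).

# has_sep STRING: true if STRING still contains a ':' separator
has_sep() { [ "${1#*:}" != "$1" ]; }

# classify_location LOCATION KIND
classify_location() {
  loc="$1"; kind="$2"
  case "$loc" in
    ssh:*)
      # ssh:hostname:/path -> copied with scp, key-based auth via ~/.ssh/config
      rest="${loc#ssh:}"
      has_sep "$rest" || return 2
      host="${rest%%:*}"; path="${rest#*:}"
      [ -n "$host" ] && [ -n "$path" ] || return 2
      printf 'scp %s %s\n' "$host" "$path"
      ;;
    ftp:*|sftp:*)
      # (s)ftp:UserID:Password:servername:/path -- the password sits in the
      # config file, so the README restricts this transport to challenge tokens
      [ "$kind" = "token" ] || return 1
      method="${loc%%:*}"; rest="${loc#*:}"
      has_sep "$rest" || return 2; user="${rest%%:*}"; rest="${rest#*:}"
      has_sep "$rest" || return 2; pass="${rest%%:*}"; rest="${rest#*:}"
      has_sep "$rest" || return 2; host="${rest%%:*}"; path="${rest#*:}"
      [ -n "$user" ] && [ -n "$pass" ] && [ -n "$host" ] && [ -n "$path" ] || return 2
      # the password is deliberately never echoed
      printf '%s %s@%s %s\n' "$method" "$user" "$host" "$path"
      ;;
    /*)
      # absolute path with no prefix -> local copy
      printf 'cp localhost %s\n' "$loc"
      ;;
    *)
      return 2
      ;;
  esac
}
```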
## Getting started
Once you have obtained the script (see Installation above), the next step is to use
where yourdomain.com is the primary domain name that you want to create a certificate for. This will create the following folders and files.
```
~/.getssl
~/.getssl/yourdomain.com/getssl.cfg
```
You can then edit ~/.getssl/getssl.cfg to set the values you want as the default for the majority of your certificates.
Then edit ~/.getssl/yourdomain.com/getssl.cfg to have the values you want for this specific domain.
You can then just run;
I use the following cron
```
23 5 * * * /root/scripts/getssl -u -a -q
```
The cron will update getssl if there is a more recent version available (the -u flag). The -a flag automatically renews any certificates that are due for renewal. I use the -q flag so that it only outputs and emails me if any certificates were updated, or there was an error / issue.