RuhNetConsulting
/
getssl
mirror of https://github.com/srvrco/getssl
1
0
Fork 0
Code Issues 0 Projects 0 Releases 51 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
14 Branches
15 MiB
 
 
 
 
 
 
Tree: 8e343d0603
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8e343d0603'
${ noResults }
 ZIP  TAR.GZ
srvrco 8e343d0603 updating readme format 10 years ago
LICENSE Initial commit 10 years ago
README.md updating readme format 10 years ago
getssl updating readme and typos for ver 0.2 10 years ago

README.md

getssl

get an SSL certificate via LetsEncryot. Suitable for automating the process in remote servers.

This was written as an addition to checkssl for servers to automatically renew certifictes. In addition it allows the running of this script in standard bash ( on a desktop computer, or even virtualbox) and add the checks, and certificates to a remote server ( providing you have an ssh key on the remote server with access). Potentially I can include FTP as an option for uploading as well.

getssl ver. 0.1 To obtain a letsencrypt SSL cert

Usage: getssl [-h|--help] [-d|--debug] [-c] [-w working_dir] domain

Options: -h, --help Display this help message and exit. -d, --debug outputs debug information -c, Create default config files -w working_dir working directory Where 'working_dir' is the Working Directory.

Structure

The design aim was to provide flexibility in running the code. The default working directory is ~/.getssl ( which can be modified via the command line)

Within the working directory is a config file, getssl.cfg which is a simple bash file containing variables, an example of which is

# uncomment and modify any variables you need
# The staging server is best for testing
CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v01.api.letsencrypt.org"

AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"

#set an email address associated with your account 
ACCOUNT_EMAIL="me@example.com"
ACCOUNT_KEY_LENGTH=4096

#The default directory for all your certs to be stored within ( in subdirectories by domain name ) 
WORKING_DIR=~/.getssl

# the command needed to reload apache / gninx or whatever you use
#RELOAD_CMD=""
#The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits. 
RENEW_ALLOW="30"`

then, within the working directory there will be a folder for each certificate (based on it's domain name). Within that folder will be a config file (again called getssl.cfg). An example of which is;

# uncomment and modify any variables you need
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v01.api.letsencrypt.org"

#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"

#set an email address associated with your account - generally set at account level rather than domain. 
#ACCOUNT_EMAIL="me@example.com"
#ACCOUNT_KEY_LENGTH=4096

# additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=www.testdomain.com

#Acme Challenge Location.   The first line for the domain, the following ones for each additional domain
#if these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
#an ssh key will be needed to provide you with access to the remote server.
#ACL=('/var/www/testdomain.com/web/.well-known/acme-challenge'
#     'ssh:server5:/var/www/testdomain.com/web/.well-known/acme-challenge')

# location for all your certs these can either be on the server ( so full path name) or using ssh as for the ACL
#DOMAIN_CERT_LOCATION="ssh:server5:/home/domain/public_html/.well-known/acme-challenge/domain.crt"
#DOMAIN_KEY_LOCATION="ssh:server5:/home/domain/public_html/.well-known/acme-challenge/domain.key"
#CA_CERT_LOCATION="/etc/ssl/chain.crt"
# the command needed to reload apache / gninx or whatever you use
#RELOAD_CMD="ssh:server5:service apache2 reload"
#The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits. 
#RENEW_ALLOW="30"`

if a location for a file starts with ssh: it is assumed the next part of the file is the hostname, followed by a colon, and then the path. files will be copied using scp, and it assumes that you have a key on the server ( for passwordless access). You can set the user, port etc for the server in your .ssh/config file

ssh can also be used for the reload command if using on remote servers.

Getting started

The easiest way to get started is to use

getssl -c yourdomain.com

where yourdomain.com is the primary domain name that you want to create a certificate for. This will create

~/.getssl ~/.getssl/getssl.cfg ~/.getssl/yourdomain.com ~/.getssl/yourdomain.com/getssl.cfg

You can then edit ~/.getssl/getssl.cfg to have the values you want as the default for the majority of your certificates. Edit ~/.getssl/yourdomain.com/getssl.cfg to have the values you want for this specific domain.

You can then just run;

getssl yourdomain.com

and it should run, providing output like; Registering account Verify each domain Verifing yourdomain.com Verified yourdomain.com Verifing www.yourdomain.com Verified www.yourdomain.com Verification completed, obtaining certificate. Certificate saved in /home/user/.getssl/yourdomain.com/yourdomain.com.crt The intermediate CA cert is in /home/andy/.getssl/yourdomain.com/chain.crt copying domain certificate to ssh:server5:/home/yourdomain/ssl/domain.crt copying private key to ssh:server5:/home/yourdomain/ssl/domain.key copying CA certificate to ssh:server5:/home/yourdomain/ssl/chain.crt reloading SSL services