Automated installation

heathcliff · November 12, 2015, 5:49pm

Hello,

If I understand correctly, your goal is to have an installer to install the certificate and edit configuration files on apache or nginx.

Well, I don;t need such a thing. It would complicate my life.

I know what a CRT is, I know how to configure my applications for SSL but above all this, I use SSL with several applications, namely apache, nginx, exim AND dovecot.

I do not want to reconfigure any application each and every time a new certificate must be issued/renewed. Ever.

So each and every application is pre-configurated once and for all. They’re all pointing to the same PEM and KEY files in some directory. All I need to do is to symlink those 2 to the real thing.

This method has proven to be extremely fast.

So my first question is: Will it be possible for you to issue a certificate to me and let me install it as I see fit? All I need is the thing. I don’t need any installer. Ever.

My second question is and is an important one. Will the certificate issued be valid for the bare domain and the www subdomain as well?

sogtwinster · November 12, 2015, 7:35pm

So from what I setup on my local, Let’s Encrypt just installs the certs to their own folder /etc/letsencrypt/live/[domain]/cert.pem. The folder also includes the chain.pem and the private key pem files. From there I just configured apache to point to those files.

If I want to renew. I just run the script again and it updates those pem files. I don’t need to do any reconfiguration of apache.

You can use the letsencrypt app without the apache or nginx installers as a standalone and just link the configurations once to the correct pem files.

Also to make the cert valid for both the bare domain and www subdomain, I just included both in the prompt for the domain/s and it put both as SANs on the same cert.

heathcliff · November 12, 2015, 6:05pm

That is excellent, thank you very much for your assistance.

Looking forward to test it.

Kromey · November 12, 2015, 6:20pm

Just to build on that, the files in /etc/letsencrypt/[domain]/live/ are themselves symlinks; the files themselves are not seemingly purged when you renew your certificates (though they might be after some amount of time, I haven’t dug that deeply into the code yet), but the aforementioned links are updated so that they always point to the most current certificates.

Mostly just an academic point, however, as you can either point application configurations directly at the symlinks in the live directory, or even symlink to the symlinks; either way it will work just fine for you, and you never have to be concerned with whether your domain is presently on cert1.pem, or cert401.pem.

One caveat, however: Your applications must begin with root-level permissions in order to access these certificates. If this is not possible for some reason (e.g. the application doesn’t support dropping privileges like Apache and others do), my suggestion is to copy to a directory your application can access, e.g. I do this for my Prosody (XMPP server) setup:
cp /etc/letsencrypt/live/[domain]/fullchain.pem /var/lib/prosody/le_cert/
cp /etc/letsencrypt/live/[domain]/privkey.pem /var/lib/prosody/le_cert/
Will be easily scriptable when I get to the point of automating the whole process (waiting until the beta’s over before I venture into that, hoping for some improvements to how the client operates in the meantime…).

Just make sure that you have strict controls on who can access the files (in my case, both the /var/lib/prosody and le_cert directories have strict 500 permissions (read and “execute”/traversal) and are owned by the prosody user).

mlp · November 12, 2015, 8:55pm

Welcome here!

renchap has written a tutorial to automate certificate renewal for Nginx (even for all your other applications, it will work) : Howto: easy cert generation and renewal with nginx
As you may have noticed, all the files in /etc/letsencrypt/live/domain.tld/ are just symlinks to the files in /etc/letsencrypt/archive/domain.tld/

Whenever the script runs (and generates the certificates), the certs in /etc/letsencrypt/live/domain.tld/ will be replaced, but their name will not change; it makes it perfect for automation, because nothing will need to be reconfigured.

Have fun with letsencrypt!

schoen · November 13, 2015, 7:03am

@mlp, thanks for the clear explanation. As you described, we have a structure that’s pretty similar to what the original poster was asking about and it does not require users to let the client edit their server configuration files.

heathcliff · November 14, 2015, 12:40am

Thanks to all for the encouraging and detailed replies. I was originally told that the configuration files for the web servers would need to be modified by the install scripts. Since it’s obviously false information, there is nothing else preventing me to go on with beta testing phase. I registered for beta; still waiting for a reply.

TTYAL and best regards.

O.T. : want to see a 16 yo french female guitar prodigy?

heathcliff · November 17, 2015, 2:52am

Got approved for the beta.

Installed the client and tried to get the certificates.

Got this error - Error: serverInternal :: The server experienced an internal error :: Error creating new authz

What am I doing wrong?

Command line was - " ./letsencrypt-auto certonly -a manual -d ts-export.com -d www.ts-export.com -d static.ts-export.com --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview"

heathcliff · November 17, 2015, 5:24am

thanks mlp

certificate installed now.

thanks for your help

thanks to renchap tutorial because nginx was very uncooperative