Hi,
I’m using letsencrypt/certbot for managing SSL certificates, and I must say I’m quite happy so far, since everything works nicely and this is finally a relatively hassle-free way of getting free certificates.
I have several domains to manage, and each domain often has several subdomains. For the moment, I have one script per domain to automate the process. Here’s an example:
#!/bin/bash
#
# Create/renew SSL/TLS certificates for slackbox.fr.
DOMAIN="slackbox.fr"
DIRNAM="slackbox"
ENCRYPT="/usr/bin/certbot"
CHGRP="/usr/bin/chgrp"
CHMOD="/usr/bin/chmod"
CERTGRP="certs"
EMAIL="info@microlinux.fr"
# Common certbot options; $OPTIONS is deliberately left unquoted below so
# that the shell splits it into separate arguments.
OPTIONS="certonly \
--preferred-challenges tls-sni-01 \
--email $EMAIL \
--renew-by-default \
--agree-tos \
--text \
--standalone"
# Create $CERTGRP group
if ! grep -q "^$CERTGRP:" /etc/group ; then
    groupadd -g 240 $CERTGRP
    echo ":: Added $CERTGRP group."
    sleep 3
fi
# Stop Apache (the standalone authenticator needs the port itself)
echo ":: Stopping Apache."
if ps ax | grep -v grep | grep httpd > /dev/null ; then
    /etc/rc.d/rc.httpd stop > /dev/null 2>&1
    sleep 5
fi
# Note: --webroot-path has no effect while --standalone is in use.
$ENCRYPT $OPTIONS -d www.$DOMAIN -d $DOMAIN \
    --webroot-path /srv/httpd/vhosts/$DIRNAM-secure/htdocs
$ENCRYPT $OPTIONS -d mail.$DOMAIN \
    --webroot-path /srv/httpd/vhosts/$DIRNAM-webmail/htdocs
$ENCRYPT $OPTIONS -d compta.$DOMAIN \
    --webroot-path /srv/httpd/vhosts/$DIRNAM-dolibarr/htdocs
# Fix permissions
echo ":: Setting permissions."
$CHGRP -R $CERTGRP /etc/letsencrypt
$CHMOD -R g=rx /etc/letsencrypt
# Start Apache
echo ":: Starting Apache."
/etc/rc.d/rc.httpd start
And here’s a similar script for a different domain. Note that I bought these two mainly to play around:
#!/bin/bash
#
# Create/renew SSL/TLS certificates for unixbox.fr.
DOMAIN="unixbox.fr"
DIRNAM="unixbox"
ENCRYPT="/usr/bin/certbot"
CHGRP="/usr/bin/chgrp"
CHMOD="/usr/bin/chmod"
CERTGRP="certs"
EMAIL="info@microlinux.fr"
# Common certbot options; $OPTIONS is deliberately left unquoted below so
# that the shell splits it into separate arguments.
OPTIONS="certonly \
--preferred-challenges tls-sni-01 \
--email $EMAIL \
--renew-by-default \
--agree-tos \
--text \
--standalone"
# Create $CERTGRP group
if ! grep -q "^$CERTGRP:" /etc/group ; then
    groupadd -g 240 $CERTGRP
    echo ":: Added $CERTGRP group."
    sleep 3
fi
# Stop Apache (the standalone authenticator needs the port itself)
echo ":: Stopping Apache."
if ps ax | grep -v grep | grep httpd > /dev/null ; then
    /etc/rc.d/rc.httpd stop > /dev/null 2>&1
    sleep 5
fi
# Note: --webroot-path has no effect while --standalone is in use.
$ENCRYPT $OPTIONS -d www.$DOMAIN -d $DOMAIN \
    --webroot-path /srv/httpd/vhosts/$DIRNAM-secure/htdocs
$ENCRYPT $OPTIONS -d mail.$DOMAIN \
    --webroot-path /srv/httpd/vhosts/$DIRNAM-webmail/htdocs
# Fix permissions
echo ":: Setting permissions."
$CHGRP -R $CERTGRP /etc/letsencrypt
$CHMOD -R g=rx /etc/letsencrypt
# Start Apache
echo ":: Starting Apache."
/etc/rc.d/rc.httpd start
I simply put these scripts in /etc/cron.monthly on my server, and certificates are renewed every month. So far I’ve only been using SSL certificates for HTTPS, and this works fine.
For the last few days I’ve been experimenting with using these certificates for my mail server with Postfix and Dovecot. I’ve managed to get it to work perfectly, but I’ve come to a roadblock, because Postfix won’t let me configure different SSL certificates for different domains.
Here’s a very vague idea, and I confess I’m in new territory here. Currently certificates are all stored under /etc/letsencrypt/live, in a series of directories, one per domain and/or subdomain. Here’s what this looks like on my sandbox server:
# ls -1 /etc/letsencrypt/live/
compta.slackbox.fr
mail.slackbox.fr
mail.unixbox.fr
www.slackbox.fr
www.unixbox.fr
And here comes the question (finally). Is it possible to bundle up all my certificate files on the server into one big file bundle that I could put in /etc/letsencrypt/live/bundle/ or a similar custom location?
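One way to produce such a bundle directory, as an added example that is not part of the original post or of certbot: the function below walks a live/ directory, and for every lineage that has both privkey.pem and fullchain.pem it writes a single <name>.pem containing the private key followed by the full chain, which is the single-file layout Postfix (3.4 and later, via tls_server_sni_maps) expects per hostname. The LIVE_DIR, BUNDLE_DIR and optional GROUP arguments are parameters chosen here, not certbot defaults; the bundle path /etc/letsencrypt/live/bundle is only a suggestion from the question above. Each bundle is created under a restrictive umask before the key is written, so it is never world-readable, even briefly, and a lineage missing either file is skipped and reported instead of producing a half-bundle.

```shell
#!/bin/sh
# Added example (not from the original post): concatenate privkey.pem and
# fullchain.pem of every certificate lineage into one bundle file per name.
# Paths are hypothetical; nothing here touches a real /etc/letsencrypt.

set -u

# bundle_certs LIVE_DIR BUNDLE_DIR [GROUP]
# Writes BUNDLE_DIR/<name>.pem (key first, then chain) for each complete
# LIVE_DIR/<name>/, mode 0640, optionally chgrp'd to GROUP.
# Prints the number of bundles written; exits non-zero if any lineage
# lacked privkey.pem or fullchain.pem.
bundle_certs() {
    live_dir=$1
    bundle_dir=$2
    group=${3:-}
    count=0
    status=0

    mkdir -p "$bundle_dir"
    chmod 750 "$bundle_dir"

    for lineage in "$live_dir"/*/; do
        [ -d "$lineage" ] || continue
        name=$(basename "$lineage")
        key="$lineage/privkey.pem"
        chain="$lineage/fullchain.pem"

        # Refuse to write a bundle that would be missing its key or chain.
        if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
            echo ":: Skipping $name: missing privkey.pem or fullchain.pem" >&2
            status=1
            continue
        fi

        out="$bundle_dir/$name.pem"
        # Remove any stale bundle so the new file inherits the subshell's
        # umask (owner-only) rather than an old, possibly looser mode.
        rm -f "$out"
        (umask 077; cat "$key" "$chain" > "$out")
        chmod 640 "$out"
        if [ -n "$group" ]; then
            chgrp "$group" "$out"
        fi
        count=$((count + 1))
    done

    echo "$count"
    return $status
}

# Stand-alone use: bundle_certs.sh /etc/letsencrypt/live /etc/letsencrypt/live/bundle certs
if [ "$#" -ge 2 ]; then
    bundle_certs "$@"
fi
```

Run once after the renewal scripts above have finished (and before Postfix/Dovecot are reloaded), and point each hostname in the mail server's configuration at the corresponding <name>.pem. Because the bundle contains the private key, its directory should carry the same group-only permissions the renewal scripts already apply to /etc/letsencrypt.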
Cheers from the sunny South of France,
Niki