Manual authenticator - way to automate the ACME Challenge file creation?


#1

Right now for letsencrypt client for non-standard Nginx configurations, I am using manual authenticator mode and need to manually create that ACME challenge file in my nginx vhost’s public web root. Full example posted at https://community.centminmod.com/posts/17774/

So the manual part is

cd /home/nginx/domains/le1.http2ssl.xyz/public
mkdir -p .well-known/acme-challenge
echo -n '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "vnWsLwWKjtO9FauytS7................. etc etc

Is there any way of automating this for unattended running? Guess it’s related to https://github.com/letsencrypt/letsencrypt/issues/718

Maybe a way to pass the path to the web root via the client and create the acme-challenge file?

./venv/bin/letsencrypt -d domain.com -webroot /home/nginx/domains/domain.com/public auth

#2

Also for passing the webroot via the command line it would help for those sites that have non-standard web roots i.e. frameworks like Laravel would likely have their /path/to/projectname/public as their web root. WHM/Cpanel, Directadmin, Webmin etc all would have their own web root paths.

If you can pass this as a variable in the Letsencrypt client, it would probably be easier for the respective control panels and distros to come up with their own integration methods?

Submitted suggestion to issues tracker https://github.com/letsencrypt/letsencrypt/issues/742


#3

Wow, Jakub / kuba’s plugin addition fully automated the Letsencrypt client SSL certificate issuing for my Centmin Mod Nginx stack, allowing you to pass the custom web root path to the authentication https://github.com/letsencrypt/letsencrypt/issues/742#issuecomment-137675158

Bloody awesome! @schoen definitely something to merge in!

./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --text --agree-eula -d le4.http2ssl.xyz auth

So fully automating non-standard Ubuntu Apache/Nginx setups, provided they already have the SSL vhost and web root for their respective domains set up prior!

ls -lah /etc/letsencrypt/live/
total 28K
drwx------ 7 root root 4.0K Sep  4 08:10 .
drwxr-xr-x 8 root root 4.0K Aug 29 07:52 ..
drwxr-xr-x 2 root root 4.0K Aug 29 07:52 le1.http2ssl.xyz
drwxr-xr-x 2 root root 4.0K Aug 30 08:07 le2.http2ssl.xyz
drwxr-xr-x 2 root root 4.0K Sep  4 07:53 le3.http2ssl.xyz
drwxr-xr-x 2 root root 4.0K Sep  4 08:07 le4.http2ssl.xyz
drwxr-xr-x 2 root root 4.0K Sep  4 08:10 le4.http2ssl.xyz-0001

ls -lah /etc/letsencrypt/live/le4.http2ssl.xyz
total 8.0K
drwxr-xr-x 2 root root 4.0K Sep  4 08:07 .
drwx------ 7 root root 4.0K Sep  4 08:10 ..
lrwxrwxrwx 1 root root   40 Sep  4 08:07 cert.pem -> ../../archive/le4.http2ssl.xyz/cert1.pem
lrwxrwxrwx 1 root root   41 Sep  4 08:07 chain.pem -> ../../archive/le4.http2ssl.xyz/chain1.pem
lrwxrwxrwx 1 root root   45 Sep  4 08:07 fullchain.pem -> ../../archive/le4.http2ssl.xyz/fullchain1.pem
lrwxrwxrwx 1 root root   43 Sep  4 08:07 privkey.pem -> ../../archive/le4.http2ssl.xyz/privkey1.pem

ls -lah /etc/letsencrypt/live/le4.http2ssl.xyz-0001/
total 8.0K
drwxr-xr-x 2 root root 4.0K Sep  4 08:10 .
drwx------ 7 root root 4.0K Sep  4 08:10 ..
lrwxrwxrwx 1 root root   45 Sep  4 08:10 cert.pem -> ../../archive/le4.http2ssl.xyz-0001/cert1.pem
lrwxrwxrwx 1 root root   46 Sep  4 08:10 chain.pem -> ../../archive/le4.http2ssl.xyz-0001/chain1.pem
lrwxrwxrwx 1 root root   50 Sep  4 08:10 fullchain.pem -> ../../archive/le4.http2ssl.xyz-0001/fullchain1.pem
lrwxrwxrwx 1 root root   48 Sep  4 08:10 privkey.pem -> ../../archive/le4.http2ssl.xyz-0001/privkey1.pem

So all I need to run is a few commands to obtain SSL certificates via Letsencrypt, passing my custom web root /home/nginx/domains/le4.http2ssl.xyz/public to the client:

nv -d le4.http2ssl.xyz -s y -u FTPusername
./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --text --agree-eula -d le4.http2ssl.xyz auth
sed -i 's|\/usr\/local\/nginx\/conf\/ssl\/le4.http2ssl.xyz\/le4.http2ssl.xyz.crt|\/etc\/letsencrypt\/live\/le4.http2ssl.xyz\/fullchain.pem|' /usr/local/nginx/conf/conf.d/le4.http2ssl.xyz.ssl.conf
sed -i 's|\/usr\/local\/nginx\/conf\/ssl\/le4.http2ssl.xyz\/le4.http2ssl.xyz.key|\/etc\/letsencrypt\/live\/le4.http2ssl.xyz\/privkey.pem|' /usr/local/nginx/conf/conf.d/le4.http2ssl.xyz.ssl.conf
ngxrestart

So essentially all other control panels would only need to be able to generate their respective site’s SSL vhost for their web servers and auto-generate self-signed SSL, all prior to running the letsencrypt client in simplefs mode, and pass their respective web root paths to the client to get SSL certificates. And then automate the switching of paths to letsencrypt’s SSL certificate and private key paths.
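The path-switching step from post #3, generalised as an added example (not code from the thread or from the letsencrypt project): it rewrites whatever paths the ssl_certificate / ssl_certificate_key directives currently carry, but only after checking that the client actually produced fullchain.pem and privkey.pem for that domain, so a mistyped domain never leaves nginx pointing at files that do not exist. It assumes the client's default /etc/letsencrypt/live/<domain>/ layout shown in the ls output above; the vhost config path is whatever your stack uses.

```shell
#!/bin/sh
# Added example (not from the thread). Repoint an nginx SSL vhost at the letsencrypt
# live/ symlinks, refusing to touch the config when the issued files are missing.
# Assumed layout: <live base>/<domain>/{fullchain.pem,privkey.pem}, base defaulting
# to /etc/letsencrypt/live as the client uses; third argument overrides the base.

switch_vhost_to_letsencrypt() {
    domain="$1"        # e.g. le4.http2ssl.xyz
    conf="$2"          # e.g. /usr/local/nginx/conf/conf.d/le4.http2ssl.xyz.ssl.conf
    live="${3:-/etc/letsencrypt/live}/$domain"

    [ -f "$conf" ] || { echo "vhost config not found: $conf" >&2; return 1; }
    for f in fullchain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f: run the client for $domain first" >&2; return 1; }
    done

    tmpconf=$(mktemp) || return 1
    # '|' as the sed delimiter avoids escaping every slash (post #3 escaped them by hand).
    # The group keeps the directive name and its indentation; the rest of the line is replaced.
    # Anchoring at line start keeps ssl_trusted_certificate (OCSP stapling) untouched, and
    # the whitespace after "ssl_certificate" keeps the first pattern off the _key line.
    sed \
        -e "s|^\([[:space:]]*ssl_certificate[[:space:]][[:space:]]*\).*;|\1$live/fullchain.pem;|" \
        -e "s|^\([[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\).*;|\1$live/privkey.pem;|" \
        "$conf" > "$tmpconf" || { rm -f "$tmpconf"; return 1; }

    cp "$conf" "$conf.bak"      # keep the old config so a failed ngxrestart can be reverted
    cat "$tmpconf" > "$conf"    # overwrite in place, preserving the file's owner and mode
    rm -f "$tmpconf"
}

# Usage on the stack from post #3 (as root, followed by an nginx reload):
# switch_vhost_to_letsencrypt le4.http2ssl.xyz /usr/local/nginx/conf/conf.d/le4.http2ssl.xyz.ssl.conf
```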
