[updated] Simplest pure bash letsencrypt client, supports standalone server now


#1

Single pure bash script for letsencrypt client.

No dependencies on Python or the official letsencrypt client. Just pure shell.

One command to issue and renew a cert automatically:

===============================

le issue /home/wwwroot/aa.com aa.com www.aa.com,www2.aa.com

or, use standalone mode:

le issue no aa.com www.aa.com,www2.aa.com

Your cert will be issued and renewed automatically every 50 days.

More info: https://github.com/Neilpang/le


#2

That’s not pure bash – you still depend on bash itself, OpenSSL, cURL, Vim, openbsd-netcat (doesn’t work with gnu-netcat), not to mention hardcoding CentOS-specific knowledge in it… It barely parses HTTP responses with sed & grep, and you’re doing dangerous things like killall -9 nc which can kill unrelated stuff that the sysadmin is running.

On the one hand, I do like tools which are light on dependencies (and the official client sure needs a lot).

On the other hand, this is a thing that has to be run unattended every month, so I’d definitely take “reliable” over “light”. There already are better clients with no dependencies, e.g. acmetool in Golang (which only requires libcap & libattr).

Suggestions:

  • Stop putting things in /bin without permission. (Well, if you must, there’s /usr/local/bin.)
  • Don’t use /home/.acme, that’s what /etc is for (or sometimes /var/lib).
  • Don’t put the certs in the user’s home directory, use /etc or /var/lib again. (Services accessing /home can cause various problems, especially when SELinux, AppArmor, NFS, AFS are involved.)
  • Improve the command line usage – use options (e.g. while getopts...) instead of the current “some value | no” positional parameters.

#3

Thanks for your advice.

  1. Will move to /usr/local/bin soon.
  2. Using the home dir means the user doesn’t have to be root.
  3. Putting certs in the home dir also keeps the user away from root.
  4. Not using “getopts” just because I want to make it as simple as possible. Just a few parameters, and all the things are done.
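
The review points in #2 (getopts instead of a "some value | no" positional parameter, state under /etc or /var/lib rather than /home/.acme, and never `killall -9 nc`) and the non-root concern in #3 are concrete enough to sketch. The script below is an added example written for this page; it is not code from the `le` project or from anyone in this thread. It shows a POSIX sh front end with a getopts interface for the webroot and standalone modes from #1, a state directory that is /var/lib for root and a user-owned directory otherwise, a webroot responder that writes the key authorization under .well-known/acme-challenge, a standalone responder whose listener loop is stopped through its recorded PID (a trap tears down the current `nc`) instead of killing every `nc` on the host, and a renewal check for the 50-day interval from #1. The option letters, directory names, function names, the `LE_STATE_DIR` variable and the OpenBSD `nc -l PORT` syntax are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the `le` project or from anyone in this
# thread. Option letters, directories, function names and the cron line
# are this example's own assumptions; the challenge path, the two modes
# and the 50-day interval come from the thread.

# State directory: /var/lib when root, a user-owned directory otherwise,
# so non-root use (post #3) does not mean writing under /home/.acme.
state_dir() {
    if [ "$(id -u)" = 0 ]; then
        printf '%s\n' "${LE_STATE_DIR:-/var/lib/le}"
    else
        printf '%s\n' "${LE_STATE_DIR:-$HOME/.config/le}"
    fi
}

# getopts instead of "webroot | no" positional parameters:
#   -w DIR   webroot mode (serve the token from DIR)
#   -s       standalone mode (answer on port 80 ourselves)
#   -d NAME  primary domain (required)
#   -a LIST  comma-separated alternative names
# Sets MODE, WEBROOT, DOMAIN, ALTNAMES; returns 1 on bad usage.
parse_args() {
    MODE=webroot WEBROOT='' DOMAIN='' ALTNAMES=''
    OPTIND=1
    while getopts 'w:sd:a:' opt; do
        case $opt in
            w) WEBROOT=$OPTARG ;;
            s) MODE=standalone ;;
            d) DOMAIN=$OPTARG ;;
            a) ALTNAMES=$OPTARG ;;
            *) return 1 ;;
        esac
    done
    [ -n "$DOMAIN" ] || return 1
    [ "$MODE" = standalone ] || [ -n "$WEBROOT" ] || return 1
}

# Webroot mode: the CA fetches http://DOMAIN/.well-known/acme-challenge/TOKEN,
# so the key authorization is written there. Prints the file path.
place_webroot_token() {   # args: webroot token keyauth
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$3" > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# Standalone mode. Assumes OpenBSD netcat syntax (`nc -l PORT`), as post #2
# notes; GNU netcat wants `-l -p PORT`. Key authorizations are ASCII, so the
# character count is the byte count for Content-Length. The loop's PID is
# recorded, and its trap kills only the nc it started.
start_listener() {        # args: port keyauth pidfile
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: %s\r\nConnection: close\r\n\r\n%s' \
        "${#2}" "$2" > "$3.http"
    (
        trap 'kill "$ncpid" 2>/dev/null; exit 0' TERM INT
        while :; do
            nc -l "$1" < "$3.http" & ncpid=$!
            wait "$ncpid" || exit 1   # nc failed (e.g. port in use): give up
        done
    ) &
    printf '%s\n' "$!" > "$3"
}

# Stop exactly the listener we started, not every nc on the machine.
stop_listener() {         # arg: pidfile
    pid=$(cat "$1") || return 1
    kill "$pid" 2>/dev/null || :     # the trap above tears down its nc
    wait "$pid" 2>/dev/null || :     # reap it if it is our child
    rm -f "$1" "$1.http"
    for try in 1 2 3 4 5; do         # succeed only once it is really gone
        kill -0 "$pid" 2>/dev/null || return 0
        sleep 1
    done
    return 1
}

# Renewal is due when there is no cert yet or the cert file is more than
# DAYS days old (the thread's 50). `find -mtime +N` is POSIX.
renewal_due() {           # args: certfile days
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mtime +"$2")" ]
}

# Pick the responder according to the parsed mode.
serve_challenge() {       # args: token keyauth pidfile
    if [ "$MODE" = standalone ]; then
        start_listener 80 "$2" "$3"
    else
        place_webroot_token "$WEBROOT" "$1" "$2"
    fi
}

# Scheduling (assumed wrapper name): a daily cron job that calls renewal_due
# and re-issues only when it returns true gives "renew every 50 days":
#   0 3 * * *  /usr/local/bin/le-renew.sh
```

The shape matters more than the details: the CLI accepts `-w /home/wwwroot/aa.com -d aa.com -a www.aa.com,www2.aa.com` or `-s -d aa.com`, state never lands in /home unless the user is not root, and teardown is scoped to one recorded PID. The netcat variant problem from #2 is still there; the example only makes the assumption explicit rather than solving it.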

#4

@Neilpang thanks for the hard work. I started playing with le.sh and it fits in very well with my Centmin Mod LEMP stack nginx HTTP/2 vhost generator/installer, so I started integrating it into my LEMP stack routines as an optional letsencrypt client besides the official letsencrypt client https://community.centminmod.com/posts/25226/ and will probably be using it for <768MB VPS environments where the official client still has some memory limit problems https://github.com/letsencrypt/letsencrypt/issues/1081

Love the CentOS-centric structure for some stuff, as all my LEMP stack is for CentOS 6/7.