From 0da8acf8974c5d51fd84291091d1f7a1fd8c1176 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Thu, 31 Dec 2015 10:22:24 +0100
Subject: letsencrypt-helpers
---
 letsencrypt-helpers/README | 23 +++++++++++++++++++
 letsencrypt-helpers/acme | 2 ++
 letsencrypt-helpers/make-apache-crt | 39 ++++++++++++++++++++++++++++++++
 letsencrypt-helpers/new-csr | 38 +++++++++++++++++++++++++++++++
 letsencrypt-helpers/new-key | 22 ++++++++++++++++++
 letsencrypt-helpers/renew-as-required | 40 +++++++++++++++++++++++++++++++++
 letsencrypt-helpers/request-letsencrypt | 29 ++++++++++++++++++++++++
 letsencrypt-helpers/vhost-step-1 | 18 +++++++++++++++
 letsencrypt-helpers/vhost-step-2 | 17 ++++++++++++++
 9 files changed, 228 insertions(+)
 create mode 100644 letsencrypt-helpers/README
 create mode 100755 letsencrypt-helpers/acme
 create mode 100755 letsencrypt-helpers/make-apache-crt
 create mode 100755 letsencrypt-helpers/new-csr
 create mode 100755 letsencrypt-helpers/new-key
 create mode 100755 letsencrypt-helpers/renew-as-required
 create mode 100755 letsencrypt-helpers/request-letsencrypt
 create mode 100755 letsencrypt-helpers/vhost-step-1
 create mode 100755 letsencrypt-helpers/vhost-step-2
diff --git a/letsencrypt-helpers/README b/letsencrypt-helpers/README
new file mode 100644
index 0000000..f33a31c
--- /dev/null
+++ b/letsencrypt-helpers/README
@@ -0,0 +1,23 @@
+
+Requirements:
+
+o This assume that acme-tiny is cloned to ~/acme-tiny
+o Furthermore, that there is a ~/acme-challenge and that is aliased in apache:
+ | Alias "/.well-known/acme-challenge" "/srv/letsencrypt/acme-challenge"
+o Also, we want an account key in ~:
+ (umask 277 && ! [ -e account.key ] && openssl genrsa 4096 > account.key)
+o And you want the letsencrypt chain file letsencryptauthorityx1.pem
+ in ~/certs/extra
+o Optionally, a dh file in ~/certs/extra/dh-4096.pem
+ openssl dhparam -out ~/certs/extra/dh-4096.pem 4096
+o And you want this bin directory in PATH for your letsencrypt role user.
+
+
+Usage:
+ o vhost-step-1 creates a new key, a new csr, and creates a .crt file
+ o After that, enable your new vhost
+ o vhost-step-2 then does the letsencrypt challenge stuff, and updates the .crt file
+
+Continued maintenance:
+ o run renew-as-required from cron, probably using chronic.
+
diff --git a/letsencrypt-helpers/acme b/letsencrypt-helpers/acme
new file mode 100755
index 0000000..6a148d9
--- /dev/null
+++ b/letsencrypt-helpers/acme
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec python ~/acme-tiny/acme_tiny.py "$@"
diff --git a/letsencrypt-helpers/make-apache-crt b/letsencrypt-helpers/make-apache-crt
new file mode 100755
index 0000000..8c7eb09
--- /dev/null
+++ b/letsencrypt-helpers/make-apache-crt
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+set -u
+
+cd ~/certs
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 "
+ exit 1
+fi
+
+cn="$1"
+shift
+
+if ! [ -e "$cn.key" ] ; then
+ echo >&2 "$cn.key does not exist."
+ exit 1
+fi
+
+if [ -e "$cn-letsencrypt.pem" ] ; then
+ pem="$cn-letsencrypt.pem"
+ chain="extra/letsencryptauthorityx1.pem"
+elif [ -e "$cn-selfsigned.pem" ] ; then
+ pem="$cn-selfsigned.pem"
+ chain=""
+ echo >&2 "Warning: only selfsigned cert available for $cn."
+else
+ echo >&2 "Error: no cert available for $cn."
+ exit 1
+fi
+
+(
+cat "$pem"
+if [ -n "$chain" ]; then
+cat "$chain"
+if [ -e extra/dh-4096.pem ]; then cat extra/dh-4096.pem; fi
+fi
+) > $cn-apache.crt
diff --git a/letsencrypt-helpers/new-csr b/letsencrypt-helpers/new-csr
new file mode 100755
index 0000000..7275573
--- /dev/null
+++ b/letsencrypt-helpers/new-csr
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+set -u
+
+cd ~/certs
+
+if [ "$#" = 0 ]; then
+ echo >&2 "Usage: $0 [..]"
+ exit 1
+fi
+
+cn="$1"
+shift
+
+if ! [ -e "$cn.key" ] ; then
+ echo >&2 "$cn.key does not exist."
+ exit 1
+fi
+
+if [ "$#" = 0 ]; then
+ openssl req -new -sha256 -key "$cn.key" -subj "/CN=$cn" -out "$cn.csr"
+ openssl x509 -req -days 365 -in "$cn.csr" -signkey "$cn.key" -out "$cn-selfsigned.pem"
+else
+ tmp="`tempfile`"
+ trap "rm -f '$tmp'" EXIT
+ (
+ cat /etc/ssl/openssl.cnf
+ echo "[SAN]"
+ echo -n "subjectAltName=DNS:$cn"
+ for i in "$@"; do
+ echo -n ",DNS:$i"
+ done
+ echo
+ ) > "$tmp"
+ openssl req -new -sha256 -key "$cn.key" -subj "/" -reqexts SAN -config "$tmp" -out "$cn.csr"
+ openssl x509 -req -days 365 -in "$cn.csr" -signkey "$cn.key" -extensions SAN -extfile "$tmp" -out "$cn-selfsigned.pem"
+fi
diff --git a/letsencrypt-helpers/new-key b/letsencrypt-helpers/new-key
new file mode 100755
index 0000000..0b054f2
--- /dev/null
+++ b/letsencrypt-helpers/new-key
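Review bot: The final `) > $cn-apache.crt` in make-apache-crt truncates the bundle Apache is configured to read before any of the new contents are written, so a reload that lands in that window sees an empty or partial file; it is also the one unquoted expansion in the script. Writing into a temporary file in the same directory and renaming makes the replacement atomic: `tmp=$(tempfile -d .)` with the `trap "rm -f '$tmp'" EXIT` pattern already used in new-csr, redirect the group to `"$tmp"`, then `mv -- "$tmp" "$cn-apache.crt"`. Separately, `cat extra/dh-4096.pem` sits inside `if [ -n "$chain" ]`, so the self-signed bundle never receives the DH parameters; if that is intended a comment saying so would help, otherwise move the DH line out one level. The intermediate is also pinned by file name (`extra/letsencryptauthorityx1.pem`) rather than taken from the issued certificate, so a change of issuing intermediate would silently produce a bundle with a chain that does not match the leaf; a comment noting that this file must be kept in step with the issuer is the minimum.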
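Review bot: new-csr runs under `#!/bin/sh` but builds the SAN line with `echo -n`, whose `-n` handling POSIX leaves unspecified; dash accepts it, but on a shell that prints `-n` literally the generated config no longer contains a valid `subjectAltName=` line and the CSR step fails or drops its names. `printf '%s' "subjectAltName=DNS:$cn"` and `printf '%s' ",DNS:$i"` are the portable forms, and `tmp="`tempfile`"` reads better as `tmp=$(tempfile)`. The `$cn` and `"$@"` values are also written into the openssl config unescaped, so an argument containing a newline or a comma-separated token becomes config syntax; the arguments come from the operator, so a comment stating that the script trusts its arguments would suffice.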
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+set -u
+
+cd ~/certs
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 "
+ exit 1
+fi
+
+cn="$1"
+shift
+
+if [ -e "$cn.key" ] ; then
+ echo >&2 "$cn.key already exists."
+ exit 1
+fi
+
+umask 0077
+openssl genrsa -out "$cn.key" 4096
diff --git a/letsencrypt-helpers/renew-as-required b/letsencrypt-helpers/renew-as-required
new file mode 100755
index 0000000..0b404e4
--- /dev/null
+++ b/letsencrypt-helpers/renew-as-required
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# renew all certs in ~/certs that match *-letsencrypt.pem
+# probably want to run this under chronic.
+
+set -e
+set -u
+
+cd ~/certs
+expire_time=$(( 3600 * 24 * 7 * 3 ))
+err=0
+
+for i in *-letsencrypt.pem; do
+ echo "=== $i ==="
+ if openssl x509 -checkend "$expire_time" -noout < "$i"; then
+ echo "$i is current."
+ else
+ cn="${i%-letsencrypt.pem}"
+ if [ "$cn" = "$i" ]; then
+ echo >&2 "Cannot figure out hostname for $i."
+ err=1
+ continue
+ fi
+ echo "Need to renew $cn"
+ if ! request-letsencrypt "$cn"; then
+ echo >&2 "Letsencrypt request for $cn failed."
+ err=1
+ continue
+ fi
+ if ! make-apache-crt "$cn"; then
+ echo >&2 "make-apache-crt for $cn failed."
+ err=1
+ continue
+ fi
+ fi
+ echo
+done
+
+# cron daily will run logrotate which will reload apache anyway
+exit $err
diff --git a/letsencrypt-helpers/request-letsencrypt b/letsencrypt-helpers/request-letsencrypt
new file mode 100755
index 0000000..c63f973
--- /dev/null
+++ b/letsencrypt-helpers/request-letsencrypt
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -e
+set -u
+
+cd ~/certs
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 "
+ exit 1
+fi
+
+cn="$1"
+shift
+
+if ! [ -e "$cn.csr" ] ; then
+ echo >&2 "$cn.csr does not exist."
+ exit 1
+fi
+
+tmp="`tempfile`"
+trap "rm -f '$tmp'" EXIT
+
+echo $PATH
+acme --account-key ~/account.key --csr "$cn".csr --acme-dir ~/acme-challenge/ > "$tmp"
+if [ -e "$cn-letsencrypt.pem" ]; then
+ savelog "$cn-letsencrypt.pem"
+fi
+cp "$tmp" "$cn-letsencrypt.pem"
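Review bot: In renew-as-required, when `request-letsencrypt` succeeds but `make-apache-crt` fails, `$cn-letsencrypt.pem` has already been replaced, so on the next run `openssl x509 -checkend` reports it current and the bundle step is never retried; Apache keeps serving the old bundle until the next renewal window, with only one `err=1` exit to notice. A cheap guard is to compute `cn="${i%-letsencrypt.pem}"` before the `-checkend` test and, in the "is current" branch, rebuild when the bundle is stale: `if [ "$cn-apache.crt" -ot "$i" ]; then make-apache-crt "$cn"; fi` (make-apache-crt only concatenates existing files, so running it again is harmless). The `for i in *-letsencrypt.pem` loop also iterates once over the literal pattern when ~/certs holds no matching file; `[ -e "$i" ] || continue` as the first statement of the body avoids the spurious renewal attempt for `*`.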
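Review bot: `echo $PATH` just before the `acme` call in request-letsencrypt looks like leftover debugging; it prints the environment into every run's output and has no bearing on the result, so drop it or send it to stderr. Nothing checks that what `acme` wrote to `$tmp` is a certificate before `savelog` rotates the old one and `cp` installs the new file; `set -e` covers a non-zero exit from acme, but a sanity check such as `openssl x509 -noout -in "$tmp"` immediately after the `acme` line keeps an unexpected body from replacing a working certificate. The `--csr "$cn".csr` quoting is also inconsistent with the `"$cn.csr"` form used in the existence check above it.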
diff --git a/letsencrypt-helpers/vhost-step-1 b/letsencrypt-helpers/vhost-step-1
new file mode 100755
index 0000000..1549d3b
--- /dev/null
+++ b/letsencrypt-helpers/vhost-step-1
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+set -u
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 "
+ exit 1
+fi
+
+cn="$1"
+shift
+
+new-key "$cn"
+new-csr "$cn"
+make-apache-crt "$cn"
+echo "Enable vhost and "
+echo " service apache2 reload"
diff --git a/letsencrypt-helpers/vhost-step-2 b/letsencrypt-helpers/vhost-step-2
new file mode 100755
index 0000000..7ddc2e6
--- /dev/null
+++ b/letsencrypt-helpers/vhost-step-2
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+set -u
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 "
+ exit 1
+fi
+
+cn="$1"
+shift
+
+request-letsencrypt "$cn"
+make-apache-crt "$cn"
+echo "Now"
+echo " service apache2 reload"
-- cgit v1.2.3
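Review bot: vhost-step-1 insists on exactly one argument and calls `new-csr "$cn"` with no further names, so a vhost that needs subjectAltNames cannot use the step-1/step-2 workflow even though new-csr accepts `[altname..]`. Relaxing the check to `if [ "$#" = 0 ]; then` and forwarding the remaining arguments with `new-csr "$cn" "$@"` (after the existing `shift`) keeps the single-name case unchanged. vhost-step-2 can keep its one-argument check as is, since request-letsencrypt reuses the CSR and therefore its names.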