summaryrefslogtreecommitdiff
path: root/letsencrypt-helpers
diff options
context:
space:
mode:
Diffstat (limited to 'letsencrypt-helpers')
-rw-r--r--letsencrypt-helpers/README23
-rwxr-xr-xletsencrypt-helpers/acme2
-rwxr-xr-xletsencrypt-helpers/make-apache-crt39
-rwxr-xr-xletsencrypt-helpers/new-csr38
-rwxr-xr-xletsencrypt-helpers/new-key22
-rwxr-xr-xletsencrypt-helpers/renew-as-required40
-rwxr-xr-xletsencrypt-helpers/request-letsencrypt29
-rwxr-xr-xletsencrypt-helpers/vhost-step-118
-rwxr-xr-xletsencrypt-helpers/vhost-step-217
9 files changed, 228 insertions, 0 deletions
diff --git a/letsencrypt-helpers/README b/letsencrypt-helpers/README
new file mode 100644
index 0000000..f33a31c
--- /dev/null
+++ b/letsencrypt-helpers/README
@@ -0,0 +1,23 @@
+
+Requirements:
+
+o This assume that acme-tiny is cloned to ~/acme-tiny
+o Furthermore, that there is a ~/acme-challenge and that is aliased in apache:
+ | Alias "/.well-known/acme-challenge" "/srv/letsencrypt/acme-challenge"
+o Also, we want an account key in ~:
+ (umask 277 && ! [ -e account.key ] && openssl genrsa 4096 > account.key)
+o And you want the letsencrypt chain file letsencryptauthorityx1.pem
+ in ~/certs/extra
+o Optionally, a dh file in ~/certs/extra/dh-4096.pem
+ openssl dhparam -out ~/certs/extra/dh-4096.pem 4096
+o And you want this bin directory in PATH for your letsencrypt role user.
+
+
+Usage:
+ o vhost-step-1 creates a new key, a new csr, and creates a .crt file
+ o After that, enable your new vhost
+ o vhost-step-2 then does the letsencrypt challenge stuff, and updates the .crt file
+
+Continued maintenance:
+ o run renew-as-required from cron, probably using chronic.
+
diff --git a/letsencrypt-helpers/acme b/letsencrypt-helpers/acme
new file mode 100755
index 0000000..6a148d9
--- /dev/null
+++ b/letsencrypt-helpers/acme
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec python ~/acme-tiny/acme_tiny.py "$@"
diff --git a/letsencrypt-helpers/make-apache-crt b/letsencrypt-helpers/make-apache-crt
new file mode 100755
index 0000000..8c7eb09
--- /dev/null
+++ b/letsencrypt-helpers/make-apache-crt
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+set -u
+
+cd ~/certs
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 <fqdn>"
+ exit 1
+fi
+
+cn="$1"
+shift
+
+if ! [ -e "$cn.key" ] ; then
+ echo >&2 "$cn.key does not exist."
+ exit 1
+fi
+
+if [ -e "$cn-letsencrypt.pem" ] ; then
+ pem="$cn-letsencrypt.pem"
+ chain="extra/letsencryptauthorityx1.pem"
+elif [ -e "$cn-selfsigned.pem" ] ; then
+ pem="$cn-selfsigned.pem"
+ chain=""
+ echo >&2 "Warning: only selfsigned cert available for $cn."
+else
+ echo >&2 "Error: no cert available for $cn."
+ exit 1
+fi
+
+(
+cat "$pem"
+if [ -n "$chain" ]; then
+cat "$chain"
+if [ -e extra/dh-4096.pem ]; then cat extra/dh-4096.pem; fi
+fi
+) > $cn-apache.crt
diff --git a/letsencrypt-helpers/new-csr b/letsencrypt-helpers/new-csr
new file mode 100755
index 0000000..7275573
--- /dev/null
+++ b/letsencrypt-helpers/new-csr
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+set -u
+
+cd ~/certs
+
+if [ "$#" = 0 ]; then
+ echo >&2 "Usage: $0 <fqdn> [..]"
+ exit 1
+fi
+
+cn="$1"
+shift
+
+if ! [ -e "$cn.key" ] ; then
+ echo >&2 "$cn.key does not exist."
+ exit 1
+fi
+
+if [ "$#" = 0 ]; then
+ openssl req -new -sha256 -key "$cn.key" -subj "/CN=$cn" -out "$cn.csr"
+ openssl x509 -req -days 365 -in "$cn.csr" -signkey "$cn.key" -out "$cn-selfsigned.pem"
+else
+ tmp="`tempfile`"
+ trap "rm -f '$tmp'" EXIT
+ (
+ cat /etc/ssl/openssl.cnf
+ echo "[SAN]"
+ echo -n "subjectAltName=DNS:$cn"
+ for i in "$@"; do
+ echo -n ",DNS:$i"
+ done
+ echo
+ ) > "$tmp"
+ openssl req -new -sha256 -key "$cn.key" -subj "/" -reqexts SAN -config "$tmp" -out "$cn.csr"
+ openssl x509 -req -days 365 -in "$cn.csr" -signkey "$cn.key" -extensions SAN -extfile "$tmp" -out "$cn-selfsigned.pem"
+fi
diff --git a/letsencrypt-helpers/new-key b/letsencrypt-helpers/new-key
new file mode 100755
index 0000000..0b054f2
--- /dev/null
+++ b/letsencrypt-helpers/new-key
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+set -u
+
+cd ~/certs
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 <fqdn>"
+ exit 1
+fi
+
+cn="$1"
+shift
+
+if [ -e "$cn.key" ] ; then
+ echo >&2 "$cn.key already exists."
+ exit 1
+fi
+
+umask 0077
+openssl genrsa -out "$cn.key" 4096
diff --git a/letsencrypt-helpers/renew-as-required b/letsencrypt-helpers/renew-as-required
new file mode 100755
index 0000000..0b404e4
--- /dev/null
+++ b/letsencrypt-helpers/renew-as-required
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# renew all certs in ~/certs that match *-letsencrypt.pem
+# probably want to run this under chronic.
+
+set -e
+set -u
+
+cd ~/certs
+expire_time=$(( 3600 * 24 * 7 * 3 ))
+err=0
+
+for i in *-letsencrypt.pem; do
+ echo "=== $i ==="
+ if openssl x509 -checkend "$expire_time" -noout < "$i"; then
+ echo "$i is current."
+ else
+ cn="${i%-letsencrypt.pem}"
+ if [ "$cn" = "$i" ]; then
+ echo >&2 "Cannot figure out hostname for $i."
+ err=1
+ continue
+ fi
+ echo "Need to renew $cn"
+ if ! request-letsencrypt "$cn"; then
+ echo >&2 "Letsencrypt request for $cn failed."
+ err=1
+ continue
+ fi
+ if ! make-apache-crt "$cn"; then
+ echo >&2 "make-apache-crt for $cn failed."
+ err=1
+ continue
+ fi
+ fi
+ echo
+done
+
+# cron daily will run logrotate which will reload apache anyway
+exit $err
diff --git a/letsencrypt-helpers/request-letsencrypt b/letsencrypt-helpers/request-letsencrypt
new file mode 100755
index 0000000..c63f973
--- /dev/null
+++ b/letsencrypt-helpers/request-letsencrypt
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -e
+set -u
+
+cd ~/certs
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 <fqdn>"
+ exit 1
+fi
+
+cn="$1"
+shift
+
+if ! [ -e "$cn.csr" ] ; then
+ echo >&2 "$cn.csr does not exist."
+ exit 1
+fi
+
+tmp="`tempfile`"
+trap "rm -f '$tmp'" EXIT
+
+echo $PATH
+acme --account-key ~/account.key --csr "$cn".csr --acme-dir ~/acme-challenge/ > "$tmp"
+if [ -e "$cn-letsencrypt.pem" ]; then
+ savelog "$cn-letsencrypt.pem"
+fi
+cp "$tmp" "$cn-letsencrypt.pem"
diff --git a/letsencrypt-helpers/vhost-step-1 b/letsencrypt-helpers/vhost-step-1
new file mode 100755
index 0000000..1549d3b
--- /dev/null
+++ b/letsencrypt-helpers/vhost-step-1
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+set -u
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 <fqdn>"
+ exit 1
+fi
+
+cn="$1"
+shift
+
+new-key "$cn"
+new-csr "$cn"
+make-apache-crt "$cn"
+echo "Enable vhost and "
+echo " service apache2 reload"
diff --git a/letsencrypt-helpers/vhost-step-2 b/letsencrypt-helpers/vhost-step-2
new file mode 100755
index 0000000..7ddc2e6
--- /dev/null
+++ b/letsencrypt-helpers/vhost-step-2
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+set -u
+
+if [ "$#" != 1 ]; then
+ echo >&2 "Usage: $0 <fqdn>"
+ exit 1
+fi
+
+cn="$1"
+shift
+
+request-letsencrypt "$cn"
+make-apache-crt "$cn"
+echo "Now"
+echo " service apache2 reload"