andras-tim/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Config for dehydrated (letsencrypt.sh)

Setup


Clone dehydrated repository into e.g. /opt/git-3th/letsencrypt.sh/
Download this file into /etc/letsencrypt.sh/ directory
Cusomize files


Set CONTACT_EMAIL in config.sh
Set your domains in domains.txt
Set your custom domain specific things in hook.sh


Run first by hand for generate certs: /opt/git-3th/letsencrypt.sh/letsencrypt.sh -c
Wire the previous command into a daily cron


## config.sh
#!/usr/bin/env bash

########################################################
# This is the main config file for letsencrypt.sh      #
#                                                      #
# This file is looked for in the following locations:  #
# $SCRIPTDIR/config.sh (next to this script)           #
# /usr/local/etc/letsencrypt.sh/config.sh              #
# /etc/letsencrypt.sh/config.sh                        #
# ${PWD}/config.sh (in current working-directory)      #
#                                                      #
# Default values of this config are in comments        #
########################################################

# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
#CA="https://acme-v01.api.letsencrypt.org/directory"

# Path to license agreement (default: https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf)
#LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"

# Which challenge should be used? Currently http-01 and dns-01 are supported
#CHALLENGETYPE="http-01"

# Path to a directory containing additional config files, allowing to override
# the defaults found in the main configuration file. Additional config files
# in this directory needs to be named with a '.sh' ending.
# default: <unset>
#CONFIG_D=

# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
#BASEDIR=$SCRIPTDIR
BASEDIR='/etc/letsencrypt.sh'

# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $BASEDIR/.acme-challenges)
#WELLKNOWN="${BASEDIR}/.acme-challenges"

# Location of private account key (default: $BASEDIR/private_key.pem)
#PRIVATE_KEY="${BASEDIR}/private_key.pem"

# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"

# Path to openssl config file (default: <unset> - tries to figure out system default)
#OPENSSL_CNF=

# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
HOOK=/etc/letsencrypt.sh/hook.sh

# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
#HOOK_CHAIN="no"

# Minimum days before expiration to automatically renew certificate (default: 30)
#RENEW_DAYS="30"

# Regenerate private keys instead of just signing new certificates on renewal (default: no)
#PRIVATE_KEY_RENEW="no"

# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=rsa

# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL='FIXME'

# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
#LOCKFILE="${BASEDIR}/lock"

## domains.txt
fixme.foo www.fixme.foo
todo.foo

## hook.sh
#!/usr/bin/env bash

set -e

BASE_DIR="$(dirname "$0")"
CHALLENGE_DIR="${BASE_DIR}/.acme-challenges"
CERT_DIR="/etc/ssl/letsencrypt"


function deploy_challenge {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    # This hook is called once for every domain that needs to be
    # validated, including any alternative names you may have listed.
    #
    # Parameters:
    # - DOMAIN
    #   The domain name (CN or subject alternative name) being
    #   validated.
    # - TOKEN_FILENAME
    #   The name of the file containing the token to be served for HTTP
    #   validation. Should be served by your web server as
    #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
    # - TOKEN_VALUE
    #   The token value that needs to be served for validation. For DNS
    #   validation, this is what you want to put in the _acme-challenge
    #   TXT record. For HTTP validation it is the value that is expected
    #   be found in the $TOKEN_FILENAME file.
    case "${DOMAIN}" in
        fixme.foo)   setup_path "/chroot/fixme-foo" ;;
    esac
}

function clean_challenge {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    # This hook is called after attempting to validate each domain,
    # whether or not validation was successful. Here you can delete
    # files or DNS records that are no longer needed.
    #
    # The parameters are the same as for deploy_challenge.
    case "${DOMAIN}" in
        fixme.foo)   clean_path "/chroot/fixme-foo" ;;
    esac
}

function setup_path() {
    local DEST_DIR="$1"

    mkdir -p "${DEST_DIR}/${CHALLENGE_DIR}"
    find "${DEST_DIR}/${BASE_DIR}" -type d -exec chmod 0775 {} \;

    mv "${CHALLENGE_DIR}/${TOKEN_FILENAME}" "${DEST_DIR}/${CHALLENGE_DIR}/"
    chmod 0444 "${DEST_DIR}/${CHALLENGE_DIR}/${TOKEN_FILENAME}"
}

function clean_path() {
    local DEST_DIR="$1"

    if [ -e "${DEST_DIR}/${CHALLENGE_DIR}/${TOKEN_FILENAME}" ]
    then
        rm "${DEST_DIR}/${CHALLENGE_DIR}/${TOKEN_FILENAME}"
    fi
}

function deploy_cert {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"

    # This hook is called once for each certificate that has been
    # produced. Here you might, for instance, copy your new certificates
    # to service-specific locations and reload the service.
    #
    # Parameters:
    # - DOMAIN
    #   The primary domain name, i.e. the certificate common
    #   name (CN).
    # - KEYFILE
    #   The path of the file containing the private key.
    # - CERTFILE
    #   The path of the file containing the signed certificate.
    # - FULLCHAINFILE
    #   The path of the file containing the full certificate chain.
    # - CHAINFILE
    #   The path of the file containing the intermediate certificate(s).
    mkdir -p "${CERT_DIR}"
    chmod 755 "${CERT_DIR}"

    install -o root -g root -m 600 "${KEYFILE}" "${CERT_DIR}/${DOMAIN//[.]/_}.key"
    install -o root -g root -m 644 "${FULLCHAINFILE}" "${CERT_DIR}/${DOMAIN//[.]/_}.pem"

    # RELOAD / RESTART WEBSERVER FOR APPLY CERT CHANGES
}

function unchanged_cert {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"

    # This hook is called once for each certificate that is still
    # valid and therefore wasn't reissued.
    #
    # Parameters:
    # - DOMAIN
    #   The primary domain name, i.e. the certificate common
    #   name (CN).
    # - KEYFILE
    #   The path of the file containing the private key.
    # - CERTFILE
    #   The path of the file containing the signed certificate.
    # - FULLCHAINFILE
    #   The path of the file containing the full certificate chain.
    # - CHAINFILE
    #   The path of the file containing the intermediate certificate(s).
}

HANDLER="$1"; shift
$HANDLER "$@"
	#!/usr/bin/env bash

	########################################################
	# This is the main config file for letsencrypt.sh #
	# #
	# This file is looked for in the following locations: #
	# $SCRIPTDIR/config.sh (next to this script) #
	# /usr/local/etc/letsencrypt.sh/config.sh #
	# /etc/letsencrypt.sh/config.sh #
	# ${PWD}/config.sh (in current working-directory) #
	# #
	# Default values of this config are in comments #
	########################################################

	# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
	#CA="https://acme-v01.api.letsencrypt.org/directory"

	# Path to license agreement (default: https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf)
	#LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"

	# Which challenge should be used? Currently http-01 and dns-01 are supported
	#CHALLENGETYPE="http-01"

	# Path to a directory containing additional config files, allowing to override
	# the defaults found in the main configuration file. Additional config files
	# in this directory needs to be named with a '.sh' ending.
	# default: <unset>
	#CONFIG_D=

	# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
	#BASEDIR=$SCRIPTDIR
	BASEDIR='/etc/letsencrypt.sh'

	# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $BASEDIR/.acme-challenges)
	#WELLKNOWN="${BASEDIR}/.acme-challenges"

	# Location of private account key (default: $BASEDIR/private_key.pem)
	#PRIVATE_KEY="${BASEDIR}/private_key.pem"

	# Default keysize for private keys (default: 4096)
	#KEYSIZE="4096"

	# Path to openssl config file (default: <unset> - tries to figure out system default)
	#OPENSSL_CNF=

	# Program or function called in certain situations
	#
	# After generating the challenge-response, or after failed challenge (in this case altname is empty)
	# Given arguments: clean_challenge\|deploy_challenge altname token-filename token-content
	#
	# After successfully signing certificate
	# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
	#
	# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
	# default: <unset>
	HOOK=/etc/letsencrypt.sh/hook.sh

	# Chain clean_challenge\|deploy_challenge arguments together into one hook call per certificate (default: no)
	#HOOK_CHAIN="no"

	# Minimum days before expiration to automatically renew certificate (default: 30)
	#RENEW_DAYS="30"

	# Regenerate private keys instead of just signing new certificates on renewal (default: no)
	#PRIVATE_KEY_RENEW="no"

	# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
	#KEY_ALGO=rsa

	# E-mail to use during the registration (default: <unset>)
	CONTACT_EMAIL='FIXME'

	# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
	#LOCKFILE="${BASEDIR}/lock"
	#!/usr/bin/env bash

	set -e

	BASE_DIR="$(dirname "$0")"
	CHALLENGE_DIR="${BASE_DIR}/.acme-challenges"
	CERT_DIR="/etc/ssl/letsencrypt"


	function deploy_challenge {
	local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

	# This hook is called once for every domain that needs to be
	# validated, including any alternative names you may have listed.
	#
	# Parameters:
	# - DOMAIN
	# The domain name (CN or subject alternative name) being
	# validated.
	# - TOKEN_FILENAME
	# The name of the file containing the token to be served for HTTP
	# validation. Should be served by your web server as
	# /.well-known/acme-challenge/${TOKEN_FILENAME}.
	# - TOKEN_VALUE
	# The token value that needs to be served for validation. For DNS
	# validation, this is what you want to put in the _acme-challenge
	# TXT record. For HTTP validation it is the value that is expected
	# be found in the $TOKEN_FILENAME file.
	case "${DOMAIN}" in
	fixme.foo) setup_path "/chroot/fixme-foo" ;;
	esac
	}

	function clean_challenge {
	local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

	# This hook is called after attempting to validate each domain,
	# whether or not validation was successful. Here you can delete
	# files or DNS records that are no longer needed.
	#
	# The parameters are the same as for deploy_challenge.
	case "${DOMAIN}" in
	fixme.foo) clean_path "/chroot/fixme-foo" ;;
	esac
	}

	function setup_path() {
	local DEST_DIR="$1"

	mkdir -p "${DEST_DIR}/${CHALLENGE_DIR}"
	find "${DEST_DIR}/${BASE_DIR}" -type d -exec chmod 0775 {} \;

	mv "${CHALLENGE_DIR}/${TOKEN_FILENAME}" "${DEST_DIR}/${CHALLENGE_DIR}/"
	chmod 0444 "${DEST_DIR}/${CHALLENGE_DIR}/${TOKEN_FILENAME}"
	}

	function clean_path() {
	local DEST_DIR="$1"

	if [ -e "${DEST_DIR}/${CHALLENGE_DIR}/${TOKEN_FILENAME}" ]
	then
	rm "${DEST_DIR}/${CHALLENGE_DIR}/${TOKEN_FILENAME}"
	fi
	}

	function deploy_cert {
	local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"

	# This hook is called once for each certificate that has been
	# produced. Here you might, for instance, copy your new certificates
	# to service-specific locations and reload the service.
	#
	# Parameters:
	# - DOMAIN
	# The primary domain name, i.e. the certificate common
	# name (CN).
	# - KEYFILE
	# The path of the file containing the private key.
	# - CERTFILE
	# The path of the file containing the signed certificate.
	# - FULLCHAINFILE
	# The path of the file containing the full certificate chain.
	# - CHAINFILE
	# The path of the file containing the intermediate certificate(s).
	mkdir -p "${CERT_DIR}"
	chmod 755 "${CERT_DIR}"

	install -o root -g root -m 600 "${KEYFILE}" "${CERT_DIR}/${DOMAIN//[.]/_}.key"
	install -o root -g root -m 644 "${FULLCHAINFILE}" "${CERT_DIR}/${DOMAIN//[.]/_}.pem"

	# RELOAD / RESTART WEBSERVER FOR APPLY CERT CHANGES
	}

	function unchanged_cert {
	local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"

	# This hook is called once for each certificate that is still
	# valid and therefore wasn't reissued.
	#
	# Parameters:
	# - DOMAIN
	# The primary domain name, i.e. the certificate common
	# name (CN).
	# - KEYFILE
	# The path of the file containing the private key.
	# - CERTFILE
	# The path of the file containing the signed certificate.
	# - FULLCHAINFILE
	# The path of the file containing the full certificate chain.
	# - CHAINFILE
	# The path of the file containing the intermediate certificate(s).
	}

	HANDLER="$1"; shift
	$HANDLER "$@"