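#!/bin/bash
# Bootstrap an unprivileged "acme" service user plus the directories and the
# Nginx include needed for acme.sh certificate issuance (DNS API or HTTP-01
# webroot validation).
#
# Usage: run as a user with sudo rights.
#   ACME_EMAIL=you@example.org ./setup-acme.sh    (defaults to my@example.com)
#
# Side effects: creates the acme user and /var/lib/acme, creates /etc/certs and
# /var/www/acme-challenge, writes /etc/nginx/conf.d/acme.conf, reloads nginx,
# and installs acme.sh under the acme user's home.
set -euo pipefail

# Account e-mail handed to the acme.sh installer; override via the environment.
ACME_EMAIL="${ACME_EMAIL:-my@example.com}"
readonly ACME_EMAIL

# Add acme user if not exists. System account with no interactive shell: it is
# only ever driven through "sudo -u acme", never logged into.
if ! id acme &>/dev/null; then
  echo "Creating acme user..."
  sudo useradd -r -m -d /var/lib/acme -s /usr/sbin/nologin acme
  sudo chmod 700 /var/lib/acme
else
  echo "User acme already exists, skipping creation..."
fi

# Public certs directory: acme owns it and installs cert/key files into it;
# www-data only gets execute (710) so nginx can open files by name without
# being able to list the directory.
sudo install -d -m 710 -o acme -g www-data /etc/certs

# Webroot for HTTP-01 validation. acme.sh (running as acme) must be able to
# create .well-known/acme-challenge/<token> here, so acme owns the directory;
# 755 lets nginx (www-data) read the tokens. Owning it as www-data, as before,
# made webroot issuance fail with a permission error.
sudo install -d -m 755 -o acme -g www-data /var/www/acme-challenge

# Configure Nginx for ACME challenge. "sudo cat > file" opens the target as the
# invoking user (the redirect is not under sudo), so write through "sudo tee".
# NOTE(review): "location" is only valid inside a server{} context; if
# conf.d/*.conf is included at http level, nginx -t rejects this file and the
# script aborts below — include the file from each server{} block instead.
# Confirm against the host's nginx.conf.
sudo tee /etc/nginx/conf.d/acme.conf >/dev/null <<'EOF'
# Global ACME challenge configuration
location ^~ /.well-known/acme-challenge/ {
    root /var/www/acme-challenge;
    default_type text/plain;
    allow all;
}
# Deny access to .well-known any other way
location = /.well-known/acme-challenge/ {
    return 404;
}
EOF

# Test and reload Nginx configuration. The test output is left visible so a
# failure shows the offending directive instead of a bare error line.
if sudo nginx -t; then
  sudo systemctl reload nginx
  echo "Nginx configuration reloaded successfully"
else
  echo "ERROR: Nginx configuration test failed" >&2
  exit 1
fi

# Install acme.sh as the acme user.
# The previous form was "sudo -s -u acme" on its own line followed by
# "bash -c '...'": the first opens an interactive shell, and the install only
# runs after that shell exits — as the invoking user, not acme. Run bash
# directly under sudo instead. -H forces HOME=/var/lib/acme so "cd ~" and the
# acme.sh install location resolve to the service user's home. The e-mail is
# passed as a positional argument because sudo's env_reset would drop it.
# The installer is fetched over HTTPS and piped into sh; "-f" makes curl fail
# on an HTTP error instead of feeding an error page to sh, and pipefail makes a
# failed download abort the install. Pin or verify the installer out of band if
# that matters in your environment.
sudo -H -u acme bash -c '
  set -euo pipefail
  cd ~
  curl -fsSL https://get.acme.sh | sh -s "email=$1"
  . ~/.acme.sh/acme.sh.env
  # Configure acme.sh defaults
  acme.sh --set-default-ca --server letsencrypt
  acme.sh --update-account --server letsencrypt
  acme.sh --set-default-chain-mode --preferred-chain "ISRG Root X1"
  acme.sh --upgrade --auto-upgrade
' acme-install "$ACME_EMAIL"

# Example commands (commented out; the ": '...'" form keeps them as a no-op
# string, so nothing below this line executes)
: '
# 1. Issue cert using DNS API (Cloudflare example)
#    Supply the tokens via the environment of the acme session; do not commit
#    real values into this file.
export CF_Token="YOUR_API_TOKEN"
export CF_Account_ID="YOUR_ACCOUNT_ID"
sudo -s -u acme
cd ~
acme.sh --issue \
--dns dns_cf \
--ecc \
-d domain.com \
-d *.domain.com
# 2. Issue cert using HTTP validation (webroot)
sudo -s -u acme
cd ~
acme.sh --issue \
--webroot /var/www/acme-challenge \
--ecc \
-d domain.com
# Install the issued certificate
# NOTE: --reloadcmd runs as the acme user, which cannot reload nginx on its
# own; grant it a narrowly scoped sudoers rule for that one command (and use
# it in the reloadcmd), or reload nginx from a privileged hook — confirm on
# the host.
sudo -s -u acme
cd ~
acme.sh --install-cert -d domain.com \
--key-file /etc/certs/domain.com.key \
--fullchain-file /etc/certs/domain.com.fullchain.cer \
--reloadcmd "systemctl reload nginx" \
--ecc
# Nginx SSL configuration example (write this as root, e.g. via sudo tee)
cat > /etc/nginx/conf.d/domain.com.conf << '"'"'EOF'"'"'
server {
listen 80;
server_name domain.com;
# Redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
server_name domain.com;
# SSL certificate paths
ssl_certificate /etc/certs/domain.com.fullchain.cer;
ssl_certificate_key /etc/certs/domain.com.key;
# SSL session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (uncomment after verifying everything works)
# add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Basic site configuration
root /var/www/domain.com;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
EOF
# Test and reload Nginx
nginx -t && systemctl reload nginx
'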