Let's Encrypt cron with acme-tiny
21 Dec 2015

So, Let's Encrypt is awesome, even if the official client is a terrifying beast. I chose to use acme-tiny and this post is a quick HOWTO.

- First, create a directory for challenges in your web root: `mkdir -p /var/www/.well-known/acme-challenge/`
- Then, create a `letsencrypt` user: `adduser --home /var/www/.well-known/acme-challenge/ --shell /bin/sh --no-create-home --disabled-password --disabled-login letsencrypt`
- Change ownership of the challenge directory: `chown letsencrypt acme-challenge`
- Create `/etc/letsencrypt` and set up an ACL so the user can read it: `mkdir /etc/letsencrypt ; setfacl -m u:letsencrypt:rx /etc/letsencrypt`
- Put your CSR and account key in `/etc/letsencrypt` as `site.csr` and `user.key`, then set the ACL: `setfacl -m u:letsencrypt:r /etc/letsencrypt/*`
- Put acme-tiny somewhere and make it world readable
- Create `/etc/cron.d/letsencrypt`:
MAILTO=root
1 1 21 * * letsencrypt umask 033; python /usr/local/acme-tiny/acme_tiny.py --account-key /etc/letsencrypt/user.key --csr /etc/letsencrypt/site.csr --acme-dir /var/www/.well-known/acme-challenge/ > /tmp/site.crt && cat /tmp/site.crt > /etc/ssl/certs/site.crt
10 1 21 * * root service apache2 reload
- Test it by running the same command as the `letsencrypt` user:
su -c 'umask 033; python /usr/local/acme-tiny/acme_tiny.py --account-key /etc/letsencrypt/user.key --csr /etc/letsencrypt/site.csr --acme-dir /var/www/.well-known/acme-challenge/ > /tmp/site.crt && cat /tmp/site.crt > /etc/ssl/certs/site.crt' letsencrypt

Just a caveat: Let's Encrypt does not easily support challenges over HTTPS, so configure a redirect from http to https:
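The cron one-liner above writes to a fixed, predictable path in `/tmp` and copies whatever acme-tiny printed straight over the live certificate, so a failed run could install an error message as `site.crt`. The wrapper below is an added example, not part of the original post or of acme-tiny: it keeps the same paths and the same `umask 033` (so challenge files acme-tiny drops into the web root stay readable by Apache), but uses an unpredictable `mktemp` name, checks that the output at least looks like a PEM certificate, and renames it into place atomically. The variable names `ACME_TINY`, `ACCOUNT_KEY`, `CSR`, `ACME_DIR` and `CERT` and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Same paths as the post, made
# overridable through the environment; these variable names are assumptions.
ACME_TINY=${ACME_TINY:-/usr/local/acme-tiny/acme_tiny.py}
ACCOUNT_KEY=${ACCOUNT_KEY:-/etc/letsencrypt/user.key}
CSR=${CSR:-/etc/letsencrypt/site.csr}
ACME_DIR=${ACME_DIR:-/var/www/.well-known/acme-challenge/}
CERT=${CERT:-/etc/ssl/certs/site.crt}

# Return 0 only if the file is non-empty, starts with a PEM certificate BEGIN
# marker and contains an END marker. This is a cheap sanity check so that an
# error message from acme-tiny is never installed as the live certificate.
looks_like_pem_cert() {
    f=$1
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    grep -q '^-----END CERTIFICATE-----$' "$f" || return 1
    return 0
}

# Install SRC over DST only when SRC passes the check. Copy next to the target
# and rename, so the web server never reads a half-written certificate.
install_cert_if_valid() {
    src=$1
    dst=$2
    looks_like_pem_cert "$src" || return 1
    cp "$src" "$dst.new" || return 1
    chmod 644 "$dst.new" || return 1
    mv "$dst.new" "$dst"
}

# Run acme-tiny into an unpredictable temporary file, then install the result.
renew() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/site.crt.XXXXXX") || return 1
    # umask 033 as in the post: the challenge files acme-tiny creates must be
    # world readable for Apache to serve them. Subshell keeps it local.
    if ( umask 033; python "$ACME_TINY" --account-key "$ACCOUNT_KEY" \
            --csr "$CSR" --acme-dir "$ACME_DIR" > "$tmp" ); then
        install_cert_if_valid "$tmp" "$CERT"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Only renew when invoked as "renew.sh run", so the functions can be sourced.
case "${1-}" in
    run) renew ;;
esac
```

The cron entry then becomes `1 1 21 * * letsencrypt /usr/local/bin/renew.sh run` (path is an assumption). The PEM check is deliberately grep-based so the script has no dependency beyond a POSIX shell; where `openssl` is installed, `openssl x509 -noout -in "$tmp"` is a stricter check to add in `looks_like_pem_cert`.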
<VirtualHost *:80>
ServerName syscall.eu
Redirect permanent / https://syscall.eu/
</VirtualHost>