Letsencrypt auto renewal
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.
It is a service provided by the Internet Security Research Group.
How to enable Let's Encrypt certificates on your site and for TLS support in Postfix will be added soon.
Update
Things go much faster with certbot.
The software is available in all major Linux distribution repositories.
Instead of the script I posted earlier (kept below under Obsolete), it is better to run this command from a cron job:
$ certbot --text --agree-tos --keep --rsa-key-size 4096 certonly --renew-by-default --webroot -w /var/lib/nginx/html/ -m emailaddress@domain.tld -d site.domain.tld -d domain.tld
Notice the 4096-bit RSA key size. I've written here about generating a larger Diffie-Hellman group for increased security, along with a small portion of a hardened nginx config. More will follow.
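The following is an added example (not the post's own script) of a cron-ready wrapper around the certbot command above: it uses openssl to check how long the current certificate remains valid, calls certbot only when renewal is due, and reloads nginx only once the new configuration passes `nginx -t`. The webroot, address, domains and 30-day threshold are assumptions, and `--renew-by-default` is left out because the script decides the timing itself.

```shell
#!/bin/sh
# Cron wrapper for the certbot command from this post (constructed example, not the
# author's script): renew only when due, reload nginx only after nginx -t passes.
set -u

LE_WEBROOT="/var/lib/nginx/html/"        # assumed values, taken from the post's command
LE_MAIL="emailaddress@domain.tld"
LE_DOMAINS="site.domain.tld domain.tld"  # first name is the certbot lineage name
LE_LIVE_DIR="/etc/letsencrypt/live"      # certbot's default certificate location
RENEW_DAYS=30                            # Let's Encrypt certificates live 90 days

# needs_renewal CERT_FILE DAYS: exit 0 when the cert is absent, unreadable, or
# expires within DAYS (also when openssl is missing: certbot --keep is harmless).
needs_renewal() {
  cert=$1; days=$2
  [ -r "$cert" ] || return 0
  # -checkend exits non-zero when the certificate expires inside the window
  if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# domain_args DOMAIN...: print "-d DOMAIN" for every domain, space separated
domain_args() {
  out=""
  for d in "$@"; do out="$out -d $d"; done
  printf '%s' "${out# }"
}

main() {
  first=${LE_DOMAINS%% *}
  if ! needs_renewal "$LE_LIVE_DIR/$first/fullchain.pem" "$RENEW_DAYS"; then
    echo "certificate for $first is valid for more than $RENEW_DAYS days, nothing to do"
    return 0
  fi
  set -- --text --agree-tos --keep --rsa-key-size 4096 certonly \
         --webroot -w "$LE_WEBROOT" -m "$LE_MAIL" $(domain_args $LE_DOMAINS)
  if certbot "$@"; then
    # reload only if nginx accepts the new config; a failed reload would take
    # the site down instead of serving the renewed certificate
    nginx -t && systemctl reload nginx
  else
    echo "certbot failed, leaving the running web server untouched" >&2
    return 1
  fi
}

# Cron entry point: does nothing unless called with "renew", so the functions can be sourced
if [ "${1-}" = "renew" ]; then main; fi
```

Install it as, for example, /usr/local/sbin/le-renew.sh and add `@daily /usr/local/sbin/le-renew.sh renew` to root's crontab.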
Obsolete
Tweaked and added some bits to the initial script found here.
You can schedule it via a daily cron job.
What it does is clone the latest letsencrypt client from GitHub and set up the environment in which it creates the certificates if needed.
When the script is run on the day the certificate expires, it will renew it.
It places the necessary files in your webroot, so it does not need to start its own web server (which would fail, because you're already running one) to validate your domain.
#!/bin/bash
#
# Let's Encrypt automatic certificate request/renewal
#
# Fetches (or updates) the letsencrypt client from GitHub, requests or renews
# the certificate through the webroot plugin, then reloads the web server so
# the new certificate is served.
#
LE_DIR="/opt/letsencrypt"
LE_MAIL="youremail@domain.tld"
LE_DOM1="short website name eg. google.com"
LE_DOM2="fully qualified name eg. www.google.com"
LE_WEBROOT="/path/to/your/webroot/"
LE_CMD="$LE_DIR/letsencrypt-auto --text --agree-tos --keep --rsa-key-size 2048 certonly --webroot -w $LE_WEBROOT -m $LE_MAIL -d $LE_DOM1 -d $LE_DOM2"
GIT_CMD="git clone https://github.com/letsencrypt/letsencrypt.git $LE_DIR"
SRV_CMD="systemctl"
DEB_WEB_SRV="nginx"
RH_WEB_SRV="httpd.service"

# Get or update the client: pull if it is already a git checkout, otherwise
# replace whatever is there with a fresh clone.
if [ -d "$LE_DIR" ]; then
    if [ -d "$LE_DIR/.git" ]; then
        cd "$LE_DIR" || exit 1
        git pull
    else
        rm -rf "$LE_DIR"
        $GIT_CMD
    fi
else
    $GIT_CMD
fi

# Determine Linux flavor and reload the matching web server afterwards.
# The commented-out stop/start lines are only needed with the standalone
# authenticator; the webroot plugin works while the web server keeps running.
if [ -e "/usr/bin/lsb_release" ]; then
    RELEASE="$(/usr/bin/lsb_release -i | awk '{print $3}')"
    if [ "$RELEASE" == "Debian" ]; then
        #$SRV_CMD stop $DEB_WEB_SRV
        $LE_CMD
        #$SRV_CMD start $DEB_WEB_SRV
        $SRV_CMD reload $DEB_WEB_SRV
    else
        #$SRV_CMD stop $RH_WEB_SRV
        $LE_CMD
        #$SRV_CMD start $RH_WEB_SRV
        $SRV_CMD reload $RH_WEB_SRV
    fi
else
    # No lsb_release available: request the certificate but leave the reload
    # to you, since the web server and service manager are unknown here.
    #$SRV_CMD stop $RH_WEB_SRV
    $LE_CMD
    #$SRV_CMD start $RH_WEB_SRV
    #$SRV_CMD reload $RH_WEB_SRV
fi