I’ve been hacking away at getting DTC set up to use Google’s Let’s Encrypt.
Here’s my work so far…
https://www.yournet.co.nz/getssl/
There are two files:
- getssl – the getssl script that you get from the getssl site.
- dtc-getssl
About dtc-getssl
This is a wrapper around getssl to do the stuff that DTC needs done to make it work.
To execute you:
- Need to have the files in /home/dtc
- Run ./dtc-getssl -a <ADMIN NAME> -d <DOMAIN NAME> -s <SUB DOMAIN> -c
  where:
  * ADMIN NAME is the DTC Admin name of the account that the domain is located in.
  * DOMAIN NAME is the domain name you want the cert for.
  * SUB DOMAIN is the subdomain of the domain you want the cert for.
What we’re doing is just creating the right stuff with the right permissions so it will all work in DTC.
eg: ./dtc-getssl -a deafblindassociation -d deafblindassociation.nz -s www -c
getssl will create you a folder for the sub/domain combination in the .getssl folder.
dtc-getssl will then display a bunch of information that you need to copy into the getssl.cfg file.
- Then edit the getssl.cfg file for the domain, eg: /home/dtc/.getssl/www.deafblindassociation.nz/getssl.cfg
In the case of our example:
# This tells getssl where to find the file it makes so that it can verify we actually own the domain.
ACL=('/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www/html/.well-known/acme-challenge')
# This tells getssl to use the ACL above for any and all verifications, even if we’re getting a cert for more than one subdomain (which I don’t think we should be).
USE_SINGLE_ACL="true"
# These lines just tell getssl where to put the files once it’s made them.
DOMAIN_CERT_LOCATION="/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www/ssl/www.deafblindassociation.nz.cert.cert"
DOMAIN_KEY_LOCATION="/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www/ssl/www.deafblindassociation.nz.cert.key"
CA_CERT_LOCATION="/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www/ssl/www.deafblindassociation.nz.cert.ca"
You also need to make sure the production SSL server isn’t commented out and that the test one is.
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"
Finally, comment out the SANS option unless you have reason for it. You’ll see in our example the getssl script seemed to think we want a subdomain included that we don’t.
#SANS="dtc.yournet.co.nz"
- Now run ./dtc-getssl -a <ADMIN NAME> -d <DOMAIN NAME> -s <SUB DOMAIN> without the -c option
You should see getssl generate the keys for you.
We need this wrapper because we’re running the script with the correct user (dtc) so that we get the correct permissions on the file.
- Restart apache2
getssl does have the ability to restart the web server and we will need to do this in future, but this script is way too green to be letting it restart your production system without doing a bit of checking first!
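The getssl.cfg editing step above is where most things go wrong: a config pasted from a web page picks up curly quotes, the staging CA gets left active, or the SANS line stays in. The following is an added example, not part of getssl or dtc-getssl, that lints a getssl.cfg before the second dtc-getssl run. It assumes the config is passed as the first argument and checks only the keys this post uses (ACL, USE_SINGLE_ACL, the three *_LOCATION paths, CA and SANS); the sample configs it can write are constructed from the post's example paths, not read from a live DTC install.

```sh
#!/bin/sh
# Added example; not part of getssl or dtc-getssl. Lints a getssl.cfg before
# the real run, catching the mistakes the post warns about (curly quotes
# pasted from a web page, the staging CA still active, a stray SANS line)
# and the settings dtc-getssl relies on (ACL, USE_SINGLE_ACL and the three
# *_LOCATION paths). The site paths below copy the post's example and are
# constructed sample data, not read from a live DTC install.

# Print every problem found; return 0 when the config is clean, 1 otherwise.
check_getssl_cfg() {
    cfg="$1"
    rc=0
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 1; }

    # Curly quotes break the shell parsing getssl does on its config.
    if grep -F -q -e '“' -e '”' -e '‘' -e '’' "$cfg"; then
        echo "ERROR: curly quotes present; replace them with straight quotes"
        rc=1
    fi

    # Exactly one uncommented CA= line, and it must not be the staging server.
    n_ca=$(grep -c -E '^[[:space:]]*CA=' "$cfg" || true)
    if [ "$n_ca" -ne 1 ]; then
        echo "ERROR: expected exactly one active CA= line, found $n_ca"
        rc=1
    elif grep -E '^[[:space:]]*CA=' "$cfg" | grep -q 'staging'; then
        echo "ERROR: the staging CA is active; issue from the production CA"
        rc=1
    fi

    # SANS should stay commented out unless extra names are really wanted.
    if grep -q -E '^[[:space:]]*SANS=' "$cfg"; then
        echo "ERROR: SANS is active; comment it out unless you need extra names"
        rc=1
    fi

    # Each setting dtc-getssl depends on must be set exactly once.
    for key in ACL USE_SINGLE_ACL DOMAIN_CERT_LOCATION \
               DOMAIN_KEY_LOCATION CA_CERT_LOCATION; do
        n=$(grep -c -E "^[[:space:]]*$key=" "$cfg" || true)
        if [ "$n" -ne 1 ]; then
            echo "ERROR: $key must be set exactly once (found $n)"
            rc=1
        fi
    done

    # The challenge directory must be the subdomain's .well-known/acme-challenge
    # and USE_SINGLE_ACL must be the straight-quoted "true" getssl expects.
    if ! grep -q -E '^[[:space:]]*ACL=.*/\.well-known/acme-challenge' "$cfg"; then
        echo "ERROR: ACL does not point at a .well-known/acme-challenge directory"
        rc=1
    fi
    if ! grep -q -E '^[[:space:]]*USE_SINGLE_ACL="true"' "$cfg"; then
        echo 'ERROR: USE_SINGLE_ACL must be "true" for the single ACL to apply'
        rc=1
    fi
    return "$rc"
}

# Write a constructed sample config to $2: "good" mirrors the post's finished
# example, "bad" reproduces the common mistakes so the linter has work to do.
write_sample_cfg() {
    mode="$1"
    out="$2"
    site=/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www
    if [ "$mode" = good ]; then
        cat > "$out" <<EOF
ACL=('$site/html/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
DOMAIN_CERT_LOCATION="$site/ssl/www.deafblindassociation.nz.cert.cert"
DOMAIN_KEY_LOCATION="$site/ssl/www.deafblindassociation.nz.cert.key"
CA_CERT_LOCATION="$site/ssl/www.deafblindassociation.nz.cert.ca"
#CA="https://acme-staging.api.letsencrypt.org"
CA="https://acme-v01.api.letsencrypt.org"
#SANS="dtc.yournet.co.nz"
EOF
    else
        cat > "$out" <<EOF
ACL=('$site/html/.well-known/acme-challenge')
USE_SINGLE_ACL=”true”
CA="https://acme-staging.api.letsencrypt.org"
SANS="dtc.yournet.co.nz"
EOF
    fi
}

# Stand-alone use: ./check_getssl_cfg.sh /home/dtc/.getssl/<sub.domain>/getssl.cfg
[ "$#" -eq 0 ] || check_getssl_cfg "$1"
```

Run it as the dtc user against the domain's getssl.cfg between the config edit and the second dtc-getssl invocation; a non-zero exit means getssl would either fail to parse the file or talk to the wrong ACME endpoint, and each printed line names the setting to fix.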