
Letsencrypt certificates renewal


Replacing the buggy official client with a smart and efficient bash script.

By Kostas Koutsogiannopoulos

Using the official client for certificate renewal, which is needed roughly every 3 months, was not a pleasant experience.

The client is 11MB, needs a huge amount of RAM, depends on a Python environment and, being "BETA SOFTWARE", has a number of other problems.

It did the job with the nginx web server, but we had problems running it on a Linux machine in the cloud with limited resources, so we went looking for alternatives.

letsencrypt.sh

The bash script we are promoting here is free, small (890 lines of code), easy to configure, and handles multiple domains like a charm.

You can find it here.

How it works (letsencrypt test environment)

  1. Download the script and make it executable.
  2. Create a file domains.txt in the same directory listing all your domains, one line per certificate: the main domain followed by its alternative names, for example:
    domains.txt

    example1.org www.example1.org
    example2.org www.example2.org

  3. Create a file config.sh with the content:
    config.sh

    WELLKNOWN="/var/www/letsencrypt"
    CA="https://acme-staging.api.letsencrypt.org/directory" # This is for testing!

  4. Create the directory /var/www/letsencrypt and give your web server permission to read it.
    mkdir -p /var/www/letsencrypt

  5. Create the following entry for every virtual host your web server serves, for example:

    server {
        ...
        server_name .example1.org www.example1.org;
        ...
        location /.well-known/acme-challenge {
            alias /var/www/letsencrypt;
        }
        ...
    }

  6. Reload your web server.
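Before the client is run, the setup from steps 2 to 5 can be exercised end to end. The script below is an added example, not part of letsencrypt.sh or of this article: it reads domains.txt and the WELLKNOWN setting from config.sh, drops a random token into the challenge directory and fetches it over plain HTTP from every listed name, so a wrong server_name or alias shows up before the CA is asked to validate anything (failed validations count against the CA's rate limits). fetch_challenge is a one-line curl wrapper that can be redefined to point at a test double; the file names and the --check option are the example's own.

```shell
#!/bin/sh
# Pre-flight check for the letsencrypt.sh web server setup (added example).
# Assumes the layout described in the article: domains.txt with one line per
# certificate, config.sh with WELLKNOWN="...", and a web server that maps
# /.well-known/acme-challenge/ onto that directory.
set -u

# Every whitespace-separated word in domains.txt is a name that must pass
# validation; '#' comments and blank lines are ignored.
list_names() {
    awk '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) print $i }' "$1"
}

# Read WELLKNOWN from config.sh without sourcing (executing) the file.
wellknown_dir() {
    sed -n 's/^WELLKNOWN="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Fetch a challenge URL the way the CA would: plain HTTP, no redirects
# followed, short timeout. Redefine this function to test against a double.
fetch_challenge() {
    curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2"
}

# Serve a fresh token from WELLKNOWN and confirm every name returns it.
# Prints one line per name; returns 0 only if all names pass.
check_setup() {
    local domains_file="$1" config_file="$2" dir token name got failed
    dir="$(wellknown_dir "$config_file")"
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "WELLKNOWN is unset or not a directory: '$dir'" >&2
        return 1
    fi
    token="preflight-$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s\n' "$token" >"$dir/$token" || return 1
    failed=0
    for name in $(list_names "$domains_file"); do
        got="$(fetch_challenge "$name" "$token" 2>/dev/null || true)"
        if [ "$got" = "$token" ]; then
            echo "ok   $name"
        else
            echo "FAIL $name  (check server_name and the acme-challenge alias)"
            failed=1
        fi
    done
    rm -f "$dir/$token"
    return "$failed"
}

# Usage: ./preflight.sh --check [domains.txt] [config.sh]
case "${1:-}" in --check) check_setup "${2:-domains.txt}" "${3:-config.sh}" ;; esac
```

Run it from the directory holding domains.txt and config.sh; a FAIL line for one name usually means that virtual host lacks the location block or lists a different server_name.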

With this configuration, during the renewal procedure your server will serve a URL like this:

http://example1.org/.well-known/acme-challenge/c3VjaC1jaGFsbGVuZ2UtbXVjaA-aW52YWxpZC13b3c

...in order to verify your domain name.

Now you can run the script:

./letsencrypt.sh -c -f ./config.sh

After a successful run, the script creates the file "private_key.pem" and a directory named "certs" with subdirectories named after your domains (for example "example1.org", "example2.org") containing your certificates.

Check that your certificates were created successfully, but DO NOT USE THEM ON THE PRODUCTION SERVER.

Production environment

For a production run you need to comment out the CA line in the config.sh file (the production CA endpoint is the default):

config.sh

WELLKNOWN="/var/www/letsencrypt"
#CA="https://acme-staging.api.letsencrypt.org/directory"

Delete the private_key.pem file generated by the tests: it is the account key that was registered with the staging CA.

Now you can re-run the script to generate production certificates.

The last thing you need to do is put the procedure in a cron job, followed by a web server reload, and forget about the certificate validity period of your secure domains.
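A cron wrapper of the kind described above, as an added example rather than code from the article or from letsencrypt.sh. It assumes the script with its config.sh, domains.txt and certs/ live in LE_DIR, that nginx is the web server, and that each certs/<domain>/ directory holds fullchain.pem (seen in the example run) next to a private key named privkey.pem (an assumed name). It runs the client under a lock, logs the output, decides from that output whether anything was issued, checks every new certificate against its key, and reloads nginx only after nginx -t passes, so a bad config or a mismatched key never goes live.

```shell
#!/bin/sh
# Cron wrapper for letsencrypt.sh (added example, not part of the script).
# Assumed layout: LE_DIR contains letsencrypt.sh, config.sh, domains.txt and
# certs/<domain>/{fullchain.pem,privkey.pem}; the web server is nginx.
set -u

LE_DIR="${LE_DIR:-/opt/letsencrypt.sh}"               # assumption
RUN_LOG="${RUN_LOG:-/var/log/letsencrypt-renew.log}"  # assumption
LOCK="${LOCK:-/var/lock/letsencrypt-renew.lock}"      # assumption

# 0 when the captured client output shows a certificate was (re)issued.
# "+ Creating fullchain.pem..." is printed only for a freshly signed domain,
# so without it nothing changed on disk and the web server need not reload.
certs_changed() {
    grep -q '^ *+ Creating fullchain.pem' "$1"
}

# Domains the client processed in this run, one per line
# (taken from the "Processing <domain> with alternative names: ..." lines).
processed_domains() {
    sed -n 's/^Processing \([^ ]*\) .*/\1/p' "$1"
}

# Sanity-check one certs/<domain> directory before it goes live: the leaf
# certificate (first block of fullchain.pem) must belong to the private key
# and must not already be expired (-checkend 0).
verify_domain_cert() {
    local dir="$1" cert_pub key_pub
    cert_pub="$(openssl x509 -noout -pubkey -in "$dir/fullchain.pem" 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -pubout -in "$dir/privkey.pem" 2>/dev/null)" || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$dir: certificate does not match private key" >&2
        return 1
    fi
    openssl x509 -noout -checkend 0 -in "$dir/fullchain.pem" >/dev/null 2>&1 \
        || { echo "$dir: certificate already expired" >&2; return 1; }
}

# Reload nginx only when its configuration still validates; a reload with a
# broken config would take the site down instead of rotating the certificate.
reload_web_server() {
    nginx -t >/dev/null 2>&1 || { echo "nginx -t failed; not reloading" >&2; return 1; }
    nginx -s reload
}

renew() {
    local out status name
    out="$(mktemp)" || return 1
    # flock(1) keeps two overlapping cron runs from racing over certs/.
    (
        flock -n 9 || { echo "another renewal is still running" >&2; exit 75; }
        cd "$LE_DIR" && ./letsencrypt.sh -c -f ./config.sh
    ) 9>"$LOCK" >"$out" 2>&1
    status=$?
    { printf '%s renewal exit=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status"; cat "$out"; } >>"$RUN_LOG"

    if [ "$status" -eq 0 ] && certs_changed "$out"; then
        for name in $(processed_domains "$out"); do
            verify_domain_cert "$LE_DIR/certs/$name" || status=1
        done
        if [ "$status" -eq 0 ]; then
            reload_web_server || status=1
        fi
    fi
    rm -f "$out"
    return "$status"
}

# Cron entry (assumption): 17 3 * * * /usr/local/sbin/renew-certs.sh --run
case "${1:-}" in --run) renew ;; esac
```

The exit status is non-zero whenever the client fails, a new certificate does not match its key, or nginx refuses to reload, so cron's mail (or whatever watches RUN_LOG) reports a broken renewal instead of a silently expiring site.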

(Do not forget to thank lukas2511)

Example run

./letsencrypt.sh -c -f config.sh
# INFO: Using main config file config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing example1.org with alternative names: www.example1.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for example1.org...
 + Requesting challenge for www.example1.org...
 + Responding to challenge for example1.org...
 + Challenge is valid!
 + Responding to challenge for www.example1.org...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
Processing example2.org with alternative names: www.example2.org
 + Signing domains...
 + Creating new directory ./certs/example2.org ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for example2.org...
 + Requesting challenge for www.example2.org...
 + Responding to challenge for example2.org...
 + Challenge is valid!
 + Responding to challenge for www.example2.org...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

