## Usage: 1. Create ssl folder to store certificates and this repository. 2. Clone this repository or use as submodule: - `git submodule add ssh://git@git.w3goodies.com:17001/mehdi-mac/certbot-docker-script.git` 3. Creat certs folder inside ssl folder. 4. Put config.sh inside ssl folder. Copy contents from certbot-docker-script/config.sh.dummy 5. The folder structure would be: ``` /your-project/ssl/ ├── certs (Your certificates will be stored here) ├── config.sh (Your config file) ├── certbot-docker-script (this repository) ``` 6. Run: ```shell your-project/ssl/certbot-docker-script/generate-certs.sh ../config.sh ``` ## Info: - It uses certbot's docker to generate LetsEncrypt SSL certificates, and it comes with simple script to generate and renew certificate for **single domain.** - It **does not support multiple domains**. But it will automatically generate a single certificate for test.com and *.test.com (wildcard). 1. This script will **create** SSL certificates based on `${new_ssl_command}`. 2. If the `${live_certs_dir}` and `${live_certs_dir}/cert.pem` exist then certificate is **renewed** based on `${renew_command}` 3. Post hook is only executed: 1. If a new ssl certificate is created. 2. If certificate is renewed (test is done by comparing ${live_certs_dir}/cert.pem modified time to last one). --- ## Notes: - After the certificates are created: - Make sure to mount both `certs/live/test.com` and `certs/archive/test.com` directory, and use `live/test.com/*.pem` certificates in your nginx config. - Because archive directory has actual files, but live directory has symlink to archive. In archive, certs are stored like this fullchain1.pem, cert1.pem and number is increased based on renewals. But live folder has direct certificates without number like cert.pem, fullchain.pem - Also use certbot nginx options file in your nginx config: https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf --- ## Example nginx config: ``` server { listen 443; server_name test.com; #SSL - Set in production. ssl_certificate /etc/letsencrypt/live/test.com/fullchain.pem; #managed by Certbot ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem; #managed by Certbot include /etc/nginx/commons/letsencrypt-options-ssl-nginx.conf; } ``` ## Important: - **In case of errors, try clearing certs/\* folder and retry.** _(Although keep .gitkeep file inside.)_ - Use `dry_run=true` to test certbot instead of actually creating/renewing certificates. --- ## Cron: - Run this file under cron to keep the certificates updated. - Certbot generate certificates with expiry of 90days, so run this script every day once. - If a certificate is renewed (based on change of last-modified time, to existing certificate) then `posthook` is executed. - You can restart nginx in `posthook`, to reload used certificates. - Example: - `nano /etc/cron.d/generate-certs-for-test.com` - `0 1 * * * root /your-project/ssl/certbot-docker-script/generate-certs.sh ../config.sh > /your-project/ssl/generate-certs.log`