@hrach
Forked from wodCZ/force-http.tpl
Created January 4, 2016 23:07
vestacp cert letsencrypt
# init & renew
# replace ikw.cz with your domain AND admin with your Vesta user
letsencrypt certonly \
--authenticator webroot \
--renew-by-default \
--agree-tos \
--webroot-path /home/admin/web/ikw.cz/public_html \
--domains ikw.cz,www.ikw.cz
# only init (run once per domain, after the first successful issue)
# stage the files in a private temp dir (mktemp -d creates it mode 0700) instead of a fixed,
# predictable /tmp path: the private key passes through here.
# v-add-web-domain-ssl expects them named <domain>.crt / .key / .ca (the .pem copy is harmless)
SSLDIR=$(mktemp -d)
cp /etc/letsencrypt/live/ikw.cz/fullchain.pem "$SSLDIR/ikw.cz.pem"
cp /etc/letsencrypt/live/ikw.cz/privkey.pem "$SSLDIR/ikw.cz.key"
cp /etc/letsencrypt/live/ikw.cz/cert.pem "$SSLDIR/ikw.cz.crt"
cp /etc/letsencrypt/live/ikw.cz/chain.pem "$SSLDIR/ikw.cz.ca"
v-add-web-domain-ssl admin ikw.cz "$SSLDIR" same yes
rm -rf "$SSLDIR"
# replace the copies Vesta made with symlinks to the live/ files, so every renewal is picked up
# on the next web server reload without re-running v-add-web-domain-ssl
rm /home/admin/conf/web/ssl.ikw.cz.*
ln -s /etc/letsencrypt/live/ikw.cz/fullchain.pem /home/admin/conf/web/ssl.ikw.cz.pem
ln -s /etc/letsencrypt/live/ikw.cz/privkey.pem /home/admin/conf/web/ssl.ikw.cz.key
ln -s /etc/letsencrypt/live/ikw.cz/cert.pem /home/admin/conf/web/ssl.ikw.cz.crt
ln -s /etc/letsencrypt/live/ikw.cz/chain.pem /home/admin/conf/web/ssl.ikw.cz.ca

Certs are generated and renewed into /etc/letsencrypt/live/<domain>/ (the files there are themselves symlinks to the newest version under /etc/letsencrypt/archive/), so either configure your webserver to read them from there, or symlink them into the domain's Vesta conf directory (like I do above) so a renewal is picked up on the next reload. Note that /etc/letsencrypt/live/ and archive/ are created root-only (0700); that is fine for nginx and Apache, whose master process opens the key as root before dropping privileges, but a symlink will not help a service that runs unprivileged.

My init/renew command uses the webroot authenticator, so you need to specify the webroot path. letsencrypt writes a challenge file under .well-known/acme-challenge/ inside that directory, and the Let's Encrypt CA then fetches it over plain HTTP (port 80) at http://<domain>/.well-known/acme-challenge/<token> to verify that you control the domain.

If authentication fails, the challenge file is most likely not reachable from outside. The usual cause is a webserver rule that denies access to hidden files and directories (names starting with a dot, e.g. nginx `location ~ /\.` or Apache `FilesMatch "^\."`), which also blocks .well-known; add an exception for /.well-known/acme-challenge/ ahead of that rule. Also check that the domain (and www.) resolves to this server and that port 80 is open.
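Added example (not part of the gist): a pre-flight check for the webroot setup described above. It drops a random token into WEBROOT/.well-known/acme-challenge/, fetches it over plain HTTP the way the CA would, and reports the common causes of the failure mode above if the content does not match. The function name acme_preflight and the ACME_FETCH override hook are my assumptions; the webroot and domain below are the gist's values.

```bash
#!/usr/bin/env bash
# Pre-flight check for the webroot authenticator (added example, not from the gist).
# Usage: acme_preflight WEBROOT DOMAIN
#   acme_preflight /home/admin/web/ikw.cz/public_html ikw.cz
# Run it as the user owning the webroot before `letsencrypt certonly`.
# ACME_FETCH is an assumed hook: the command used to fetch the URL. It defaults
# to curl over plain HTTP; a test can point it at a local reader instead.

acme_preflight() {
    local webroot="$1" domain="$2"
    local dir="$webroot/.well-known/acme-challenge"
    local token body
    # fresh random token, so a stale file from an earlier run cannot give a false pass
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir" || return 1
    printf '%s\n' "$token" > "$dir/$token"
    # curl -f makes 403/404 a failure; http-01 validation uses port 80, not TLS
    body=$(${ACME_FETCH:-curl -fsS --max-time 10} "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || body=''
    # always remove the token, whether or not the fetch worked
    rm -f "$dir/$token"
    if [ "$body" = "$token" ]; then
        printf 'OK: %s is served at http://%s/.well-known/acme-challenge/\n' "$dir" "$domain"
        return 0
    fi
    printf 'FAIL: http://%s/.well-known/acme-challenge/%s not reachable or returned other content\n' "$domain" "$token" >&2
    printf '      common causes: DNS not pointing at this host, port 80 closed, or a deny rule for\n' >&2
    printf '      dot-files/dirs (nginx "location ~ /\\." / Apache FilesMatch "^\\.") with no /.well-known/ exception\n' >&2
    return 1
}

# run directly with two arguments; sourcing the file defines the function only
if [ $# -eq 2 ]; then
    acme_preflight "$1" "$2"
fi
```

The fetch command is overridable so the same function can be exercised offline; in production leave ACME_FETCH unset and run the check from a host outside your network, since the CA's view (DNS, firewall, port 80) is what matters, not localhost.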

#!/usr/bin/env bash
# Renew Let's Encrypt SSL certs
# Replace the letsencrypt line with the "init & renew" command from `gistfile1.txt`
# and the address in the `mail` command with yours.
# Then add this script to your cron to run every two months or so (certs are issued for 90 days).
set -u
if ! letsencrypt certonly --authenticator webroot --renew-by-default --agree-tos --webroot-path /home/admin/web/ikw.cz/public_html --domains ikw.cz,www.ikw.cz
then
    # send the tail of the client log so the alert says why it failed
    ERRORLOG=$(tail -n 20 /var/log/letsencrypt/letsencrypt.log)
    printf 'The Lets Encrypt Cert has not been renewed!\n\n%s\n' "$ERRORLOG" | mail -s "Lets Encrypt Cert Alert" [email protected]
    exit 1
else
    # the servers only read the renewed cert (via the symlinks in the Vesta conf dir) after a reload
    service apache2 reload
    service nginx reload
fi