@Neilpang with my own LEMP stack installer script at centminmod.com, the auto-generated nginx vhosts have a specific domain directory setup structure, so I was thinking of modifying it to support centminmod LEMP stacks natively so the installcert command can be simplified to the following:
acme.sh --installcert -d $vhostname --certpath "cmm"
The actual modifications are at https://gist.github.com/centminmod/5f0c4e12ed2fefe07be3f61009f12ab8, which is basically adding these lines to redefine the paths when certpath=cmm:
if [ "$Le_RealCertPath" = "cmm" ]; then
  # centminmod layout: all TLS material for a vhost lives under /usr/local/nginx/conf/ssl/<domain>/
  Le_RealCertPath="/usr/local/nginx/conf/ssl/${Le_Domain}/${Le_Domain}-acme.cer"
  Le_RealKeyPath="/usr/local/nginx/conf/ssl/${Le_Domain}/${Le_Domain}-acme.key"
  # same file as the cert, so acme.sh appends the intermediate CA to it
  Le_RealCACertPath="/usr/local/nginx/conf/ssl/${Le_Domain}/${Le_Domain}-acme.cer"
  Le_ReloadCmd="/usr/bin/ngxreload"
  Le_RealFullChainPath="/usr/local/nginx/conf/ssl/${Le_Domain}/${Le_Domain}-fullchain-acme.cer"
fi
It seems to work for me, but am I missing other functions I'd need to take into account? cheers :)
You could write a script reload.sh:
#!/bin/sh
set -e
# acme.sh runs this from /root/.acme.sh/<domain>/, so the relative paths below resolve there.
# Le_Domain is not exported to the reload command, so fall back to the directory name.
Le_Domain="${Le_Domain:-$(basename "$PWD")}"
cat "${Le_Domain}.cer" > "/usr/local/nginx/conf/ssl/${Le_Domain}/${Le_Domain}-acme.cer"
cat "${Le_Domain}.key" > "/usr/local/nginx/conf/ssl/${Le_Domain}/${Le_Domain}-acme.key"
cat ca.cer >> "/usr/local/nginx/conf/ssl/${Le_Domain}/${Le_Domain}-acme.cer"
cat fullchain.cer > "/usr/local/nginx/conf/ssl/${Le_Domain}/${Le_Domain}-fullchain-acme.cer"
service nginx reload
Save it to any path, for example: /root/.acme.sh/reload.sh
chmod +x reload.sh
Then just run:
acme.sh --installcert -d domain.com --reloadcmd '/root/.acme.sh/reload.sh'
wow, this opens up a lot of possibilities for my integration of acme.sh into the centmin mod LEMP stack ^_^ :+1:
cheers @Neilpang
Yes, that's the way it was designed.
The echo command in my last post should be cat.
One more thing.
When the reload.sh is run, the working dir is in the domain dir.
thanks for the clarification :)
Had to switch back to full path definitions for installcert, as I made a wrapper for my centminmod.com integration, acmetool.sh, which uses acme.sh, and it complained about the .ca, .cer etc. paths (no such file) if I use the above reload.sh file.
However, it works as intended for now. Example: reissuing domain.com
./acmetool.sh reissue domain.com
reissue & install letsencrypt ssl certificate for domain.com
/root/.acme.sh/acme.sh --force --createDomainKey -d domain.com -k 2048
[Fri May 27 15:02:09 UTC 2016] Creating domain key
[Fri May 27 15:02:09 UTC 2016] Use length 2048
/root/.acme.sh/acme.sh --force --staging --issue -d domain.com -w /home/nginx/domains/domain.com/public -k 2048
[Fri May 27 15:02:09 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Fri May 27 15:02:10 UTC 2016] Skip register account key
[Fri May 27 15:02:10 UTC 2016] Creating csr
[Fri May 27 15:02:10 UTC 2016] Single domain='domain.com'
[Fri May 27 15:02:10 UTC 2016] Verify each domain
[Fri May 27 15:02:10 UTC 2016] Getting webroot for domain='domain.com'
[Fri May 27 15:02:10 UTC 2016] Getting token for domain='domain.com'
[Fri May 27 15:02:11 UTC 2016] Verifying:domain.com
[Fri May 27 15:02:17 UTC 2016] Success
[Fri May 27 15:02:17 UTC 2016] Verify finished, start to sign.
[Fri May 27 15:02:18 UTC 2016] Cert success.
-----BEGIN CERTIFICATE-----
MIIE8TCCA9mgAwIBAgITAPpAqYRuh/rjiLTATsBG16nrzjANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA1Mjcx
NDAyMDBaFw0xNjA4MjUxNDAyMDBaMCExHzAdBgNVBAMTFmR1YWxzc2wuY2VudG1p
bm1vZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpTki3IKsR
xEO46Z4q/uk/IZ2GnNuvuWkXdXOrQKv/xa6eSm38Poc2xdLVJ/be6pg50kRAYxIu
0LY+og0gaVkGj1/5mx5LjoAo51Qv/IgP3qAc7a9CzexO5xbgjpjfptOZPejlu6mc
wVR/nSJ7B00lDCBDIhYmSttBziWaiYqzOU5rwfKjQpOYEqNFw1oFUx8CV9yc4SM+
DHcByFJe3p1Ksdni+54i4pWj88i61kZtZG5PfIMhLuqKQjOW9mM4E4p+0E864EFC
TWbmdwU0SWSRjfkKaQ1P8IlL1HMGF6TdkiVzYC3ots6xZGs8rbA6HSLIQF9cL8Ga
q/uoVx4SaxSnAgMBAAGjggIfMIICGzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLnG
lX6e8HfRoBc1IadjEAUp8E8mMB8GA1UdIwQYMBaAFMDMA0a5WCDMXHJw8+EuyyCm
9Wg6MHgGCCsGAQUFBwEBBGwwajAzBggrBgEFBQcwAYYnaHR0cDovL29jc3Auc3Rn
LWludC14MS5sZXRzZW5jcnlwdC5vcmcvMDMGCCsGAQUFBzAChidodHRwOi8vY2Vy
dC5zdGctaW50LXgxLmxldHNlbmNyeXB0Lm9yZy8wIQYDVR0RBBowGIIWZHVhbHNz
bC5jZW50bWlubW9kLmNvbTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYB
BAGC3xMBAQEwgdYwJgYIKwsa21UHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQu
b3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkg
YmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFj
Y29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0
dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUA
A4IBAQCcHaWFXqfpk6TiSQMyc5FrAyp5Y52PrwYpGy9vGiSbERlNOi/XqyI4i4fB
h8SKj3BbyQmeR5X0cpggAPtflD0dUDaHZuUPi5Mzr/TUQFMqU1yEArMtNGXzm6L2
KKdFiJhs5saY/eMDA2KzoI8hvogzIPFOwx+hhc8Dx7QbG4HJqNxKW9Gu5ir9a0aF
thuQG9btXuehrUxJb5b/TAUFlFX0+sARoXI8sD2SeVkG8C64gG/meFvI2mcATFUv
r5TF1IOmY9Bf3FsOe/HsSBIrN2ErIZH5VGgcNmF7A1ou5niS3Yq8uDOxvRz8ZDd3
YOIe/CVJIjWvlaMit5+ipAmuM3QD
-----END CERTIFICATE-----
[Fri May 27 15:02:18 UTC 2016] Your cert is in /root/.acme.sh/domain.com/domain.com.cer
[Fri May 27 15:02:19 UTC 2016] The intermediate CA cert is in /root/.acme.sh/domain.com/ca.cer
[Fri May 27 15:02:19 UTC 2016] And the full chain certs is there: /root/.acme.sh/domain.com/fullchain.cer
install cert
/root/.acme.sh/acme.sh --installcert -d domain.com --certpath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key --capath /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
[Fri May 27 15:02:19 UTC 2016] Installing cert to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
[Fri May 27 15:02:19 UTC 2016] Installing CA to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
[Fri May 27 15:02:19 UTC 2016] Installing key to:/usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key
[Fri May 27 15:02:19 UTC 2016] Installing full chain to:/usr/local/nginx/conf/ssl/domain.com/domain.com-fullchain-acme.key
[Fri May 27 15:02:19 UTC 2016] Run Le_ReloadCmd: /usr/bin/ngxreload
Reloading nginx configuration (via systemctl): [ OK ]
[Fri May 27 15:02:19 UTC 2016] Reload success.
letsencrypt ssl certificate setup completed
ssl certs located at: /usr/local/nginx/conf/ssl/domain.com
openssl x509 -noout -text < /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:40:a9:84:6e:87:fa:e3:88:b4:c0:4e:c0:46:d7:a9:eb:ce
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fake LE Intermediate X1
        Validity
            Not Before: May 27 14:02:00 2016 GMT
            Not After : Aug 25 14:02:00 2016 GMT
        Subject: CN=domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e9:4e:48:b7:20:ab:11:c4:43:b8:e9:9e:2a:fe:
                    e9:3f:21:9d:86:9c:db:af:b9:69:17:75:73:ab:40:
                    ab:ff:c5:ae:9e:4a:6d:fc:3e:87:36:c5:d2:d5:27:
                    f6:de:ea:98:39:d2:44:40:63:12:2e:d0:b6:3e:a2:
                    0d:20:69:59:06:8f:5f:f9:9b:1e:4b:8e:80:28:e7:
                    54:2f:fc:88:0f:de:a0:1c:ed:af:42:cd:ec:4e:e7:
                    16:e0:8e:98:df:a6:d3:99:3d:e8:e5:bb:a9:9c:c1:
                    54:7f:9d:22:7b:07:4d:25:0c:20:43:22:16:26:4a:
                    db:41:ce:25:9a:89:8a:b3:39:4e:6b:c1:f2:a3:42:
                    93:98:12:a3:45:c3:5a:05:53:1f:02:57:dc:9c:e1:
                    23:3e:0c:77:01:c8:52:5e:de:9d:4a:b1:d9:e2:fb:
                    9e:22:e2:95:a3:f3:c8:ba:d6:46:6d:64:6e:4f:7c:
                    83:21:2e:ea:8a:42:33:96:f6:63:38:13:8a:7e:d0:
                    4f:3a:e0:41:42:4d:66:e6:77:05:34:49:64:91:8d:
                    f9:0a:69:0d:4f:f0:89:4b:d4:73:06:17:a4:dd:92:
                    25:73:60:2d:e8:b6:ce:b1:64:6b:3c:ad:b0:3a:1d:
                    22:c8:40:5f:5c:2f:c1:9a:ab:fb:a8:57:1e:12:6b:
                    14:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                B9:C6:95:7E:9E:F0:77:D1:A0:17:35:21:A7:63:10:05:29:F0:4F:26
            X509v3 Authority Key Identifier:
                keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A
            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:domain.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    Signature Algorithm: sha256WithRSAEncryption
         9c:1d:a5:85:5e:a7:e9:93:a4:e2:49:03:32:73:91:6b:03:2a:
         79:63:9d:8f:af:06:29:1b:2f:6f:1a:24:9b:11:19:4d:3a:2f:
         d7:ab:22:38:8b:87:c1:87:c4:8a:8f:70:5b:c9:09:9e:47:95:
         f4:72:98:20:00:fb:5f:94:3d:1d:50:36:87:66:e5:0f:8b:93:
         33:af:f4:d4:40:53:2a:53:5c:84:02:b3:2d:34:65:f3:9b:a2:
         f6:28:a7:45:88:98:6c:e6:c6:98:fd:e3:03:03:62:b3:a0:8f:
         21:be:88:33:20:f1:4e:c3:1f:a1:85:cf:03:c7:b4:1b:1b:81:
         c9:a8:dc:4a:5b:d1:ae:e6:2a:fd:6b:46:85:b6:1b:90:1b:d6:
         ed:5e:e7:a1:ad:4c:49:6f:96:ff:4c:05:05:94:55:f4:fa:c0:
         11:a1:72:3c:b0:3d:92:79:59:06:f0:2e:b8:80:6f:e6:78:5b:
         c8:da:67:00:4c:55:2f:af:94:c5:d4:83:a6:63:d0:5f:dc:5b:
         0e:7b:f1:ec:48:12:2b:37:61:2b:21:91:f9:54:68:1c:36:61:
         7b:03:5a:2e:e6:78:92:dd:8a:bc:b8:33:b1:bd:1c:fc:64:37:
         77:60:e2:1e:fc:25:49:22:35:af:95:a3:22:b7:9f:a2:a4:09:
         ae:33:74:03
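The openssl x509 -noout -text dump above is the manual post-install check. The following is an added example, not from the thread or from acme.sh, that automates the checks worth running after a run like the one logged above before trusting the "Reload success." line: the run used --staging, so the installed certificate's issuer is "Fake LE Intermediate X1", which no browser trusts; the script flags that, flags a certificate that expires within a caller-chosen number of days, and flags a certificate file with no intermediate appended (the thread's layout concatenates leaf and CA into one file). It assumes openssl on PATH; the file path and the day threshold are passed in by the caller.

```shell
#!/bin/sh
# Added example, not the thread's code or acme.sh code. Assumes openssl on PATH.
# Usage: sh check_cert.sh /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer 30
set -eu

# Issuer line as printed by openssl (format differs slightly between OpenSSL versions,
# so callers match on a substring rather than the exact string).
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# 0 if the certificate was issued by Let's Encrypt's staging hierarchy
# ("Fake LE Intermediate X1" in the dump above).
is_staging_cert() {
  case "$(cert_issuer "$1")" in
    *"Fake LE"*) return 0 ;;
    *) return 1 ;;
  esac
}

# valid_for_days CERT DAYS: 0 if the certificate does not expire within DAYS.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Number of PEM certificates in a file; 2 or more means an intermediate is present.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_installed CERT_FILE MIN_DAYS: one WARN line per finding on stderr,
# non-zero exit if anything is wrong.
check_installed() {
  cert="$1"; min_days="$2"; rc=0
  if is_staging_cert "$cert"; then
    echo "WARN $cert: issued by staging CA ($(cert_issuer "$cert")); browsers will not trust it" >&2
    rc=1
  fi
  if ! valid_for_days "$cert" "$min_days"; then
    echo "WARN $cert: expires within $min_days days" >&2
    rc=1
  fi
  if [ "$(pem_cert_count "$cert")" -lt 2 ]; then
    echo "WARN $cert: no intermediate appended; clients may fail to build the chain" >&2
    rc=1
  fi
  return $rc
}

# Run the checks when a path is given on the command line.
if [ $# -ge 1 ]; then
  check_installed "$1" "${2:-30}"
fi
```

Run it against the installed -acme.cer from acmetool.sh (or from a cron job alongside acme.sh's renewal) so a staging certificate left behind by a test run, or a renewal that silently stopped, is caught before users hit a TLS error.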
Glad to know it works for you.
If you have any error with the reload.sh, I'd be happy to see what it is.
Thanks.
thanks @Neilpang for the offer, decided best to just use the regular method for now and maybe revisit it later :)