Let's Encrypt Setup

Describes the setup and usage of acme.sh to issue, renew and install Let's Encrypt TLS certificates.

User Account Setup

Creates user account acme with a home directory but no login shell, and allows it to run two scripts as root via sudo without a password: acme.sh itself, to issue and renew certificates, and acme_issue.sh, a wrapper that issues and installs new certificates. Be clear about what this grants: both targets live under /home/acme, which the acme user owns, so acme can edit them and thereby run arbitrary commands as root. A NOPASSWD rule is only as tight as the writability of its target; a root-owned copy outside the home directory (for example under /usr/local/sbin) limits the grant to what the script actually does. Appending to /etc/sudoers with echo also skips the syntax check, and a typo there locks everyone out of sudo, so put the rules in a file under /etc/sudoers.d and validate it with visudo.

# useradd -m -s /usr/sbin/nologin acme
# cat > /etc/sudoers.d/acme <<'EOF'
acme ALL = NOPASSWD: /home/acme/.acme.sh/acme.sh
acme ALL = NOPASSWD: /home/acme/.acme.sh/acme_issue.sh
EOF
# chmod 0440 /etc/sudoers.d/acme
# visudo -cf /etc/sudoers.d/acme

acme.sh Install and Setup

Switch to the acme user (it has no login shell, so su must be given one explicitly) and run the installer. It places acme.sh under /home/acme/.acme.sh and adds a daily renewal entry to acme's crontab. Piping the installer straight into sh executes whatever the server returns; download it and read it first, or clone the repository and run ./acme.sh --install, where that matters.

# su -s /bin/sh - acme
$ curl https://get.acme.sh | sh

Issue new certificates

Issuing requires proving control of every requested name with an ACME challenge, either HTTP-01 (webserver) or DNS-01. In the standalone HTTP-01 mode below acme.sh runs its own listener on port 80, so the real web server has to be stopped first (downtime for everything it serves), and each requested name must already resolve to this host. For DNS-01 there must be a way to create the _acme-challenge TXT record for each name, either through a provider API or by hand in the DNS manager. The first -d becomes the "main domain" that acme.sh stores the certificate under and that --install-cert later refers to.

service apache2 stop
/home/acme/.acme.sh/acme.sh --issue --standalone \
    --home /home/acme/.acme.sh/ \
    -d server.josephvoss.com \
    -d latex.josephvoss.com \
    -d view.josephvoss.com \
    -d matrix.josephvoss.com \
    -d git.josephvoss.com \
    -d wiki.josephvoss.com \
    -d josephvoss.com
service apache2 start

With a DNS provider API (here dns_gd, the GoDaddy module, which reads GD_Key and GD_Secret from the environment on the first run and saves them in account.conf) acme.sh adds and removes the challenge TXT record itself, so nothing in the web server or its routing changes and there is no downtime. A wildcard can only be validated with DNS-01, and the wildcard label is not part of the record name: *.josephvoss.com and josephvoss.com are both validated at _acme-challenge.josephvoss.com. --force issues a new certificate even if the existing one is not yet due for renewal.

/home/acme/.acme.sh/acme.sh --issue --dns dns_gd --force \
    -d '*.josephvoss.com' \
    -d 'josephvoss.com' \
    --home /home/acme/.acme.sh/

Renew Certificates

Set up the following entry in user acme's crontab (the installer adds one of this form already; keep a single copy). Running it daily is the right cadence: --cron only renews certificates that have reached the renewal window, 60 days after issue by default, and a daily run leaves time to notice and fix a failed renewal before expiry. Because the install step below writes into /etc/apache2 and reloads Apache, the renewal has to run with the same privileges, i.e. through the sudo rule above; run as plain acme the certificate renews but the deploy step fails.

0 3 * * * sudo /home/acme/.acme.sh/acme.sh --cron --home /home/acme/.acme.sh/

Install certificates

Run once after each new issue; acme.sh records the paths and reload command and repeats this step itself on every renewal. The -d argument must be the first domain given at issue time (the main domain the certificate is stored under); quote a wildcard so the shell does not expand it against the current directory. The file names are arbitrary, so names without the * character are easier to reference from the Apache config.

/home/acme/.acme.sh/acme.sh --install-cert -d '*.josephvoss.com' \
    --cert-file '/etc/apache2/ssl/*.josephvoss.com.cer' \
    --key-file '/etc/apache2/ssl/*.josephvoss.com.key' \
    --fullchain-file /etc/apache2/ssl/fullchain.cer \
    --reloadcmd "service apache2 force-reload" \
    --home /home/acme/.acme.sh/
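As an added example, not code from this page or from the acme.sh project: a hypothetical acme_issue.sh of the kind the sudo rule in the user setup refers to, tying the issue and install steps above together. The page does not show that script; this version assumes the acme.sh path, the dns_gd module and the Apache certificate directory used above, restricts issuing to names under josephvoss.com (an assumption), checks every argument before anything runs as root, and prints the _acme-challenge record name a DNS-01 validation will look for. For the sudo grant to be worth anything the wrapper must be root-owned and not writable by acme, e.g. installed as /usr/local/sbin/acme_issue.sh with the sudoers target pointing there.

```shell
#!/bin/sh
# Hypothetical acme_issue.sh (added example, not from the page or from acme.sh).
# Meant to be root-owned (e.g. /usr/local/sbin/acme_issue.sh) and named as the
# sudo NOPASSWD target, so the acme user gets an argument-checked entry point
# rather than a script it can edit.
set -eu

ACME_SH=/home/acme/.acme.sh/acme.sh    # assumption: install path used on the page
ACME_HOME=/home/acme/.acme.sh/
ZONE=josephvoss.com                    # assumption: the only zone this host may issue for
SSL_DIR=/etc/apache2/ssl               # assumption: Apache cert directory used on the page

# Accept the zone apex, a hostname inside the zone, or a single leading
# wildcard label. Other zones, shell metacharacters and nested wildcards are
# refused. Returns 0 for an acceptable name.
validate_domain() {
    d=$1
    case $d in
        "$ZONE"|*."$ZONE") ;;
        *) return 1 ;;
    esac
    case $d in
        \*.*) d=${d#\*.} ;;            # drop one wildcard label before the syntax check
    esac
    # letters, digits and hyphens in each label, hyphen not at either end
    printf '%s' "$d" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Name of the dns-01 TXT record for a domain. The wildcard label is not part
# of it: *.josephvoss.com and josephvoss.com both validate at
# _acme-challenge.josephvoss.com, which is what to query with dig or look for
# in the DNS manager when a validation fails.
challenge_record() {
    d=${1#\*.}
    printf '_acme-challenge.%s\n' "$d"
}

# Issue with dns-01 through the GoDaddy module, then install into Apache.
# The first argument becomes the main domain that --install-cert refers to.
# dns_gd reads GD_Key and GD_Secret from the environment on the first run;
# sudo's env_reset drops them unless sudoers lets them through.
issue_and_install() {
    [ $# -ge 1 ] || { echo "usage: $0 domain [domain ...]" >&2; return 2; }
    main=$1
    for d in "$@"; do
        validate_domain "$d" || { echo "refusing domain: $d" >&2; return 1; }
        echo "dns-01 record for $d: $(challenge_record "$d")"
    done
    # turn "a b c" into "-d a -d b -d c"
    for d in "$@"; do
        set -- "$@" -d "$d"
        shift
    done
    base=${main#\*.}                   # file names without the "*" character
    "$ACME_SH" --home "$ACME_HOME" --issue --dns dns_gd "$@"
    "$ACME_SH" --home "$ACME_HOME" --install-cert -d "$main" \
        --cert-file "$SSL_DIR/$base.cer" \
        --key-file "$SSL_DIR/$base.key" \
        --fullchain-file "$SSL_DIR/$base.fullchain.cer" \
        --reloadcmd "service apache2 force-reload"
}

# Act only when given arguments, so the functions can also be sourced and tested.
if [ $# -gt 0 ]; then
    issue_and_install "$@"
fi
```

Invoked as `sudo /usr/local/sbin/acme_issue.sh '*.josephvoss.com' josephvoss.com`, the script refuses anything outside the zone before acme.sh is touched, and because the file names are derived from the main domain with the wildcard label stripped, the Apache config points at /etc/apache2/ssl/josephvoss.com.cer and friends.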