# SSL Certificate Auto-Renewal with Cron

This directory contains scripts for managing SSL certificates with Let's Encrypt outside of Docker containers.

## Setup

1. **Install dependencies:**

   ```bash
   sudo apt update
   sudo apt install certbot nginx openssl

   # Optional: For DNS challenges with Loopia
   sudo pip install dns-lexicon[full]
   ```

2. **Configure environment:**

   ```bash
   cp .env.example .env
   nano .env  # Edit with your domain and credentials
   ```

3. **Make scripts executable:**

   ```bash
   chmod +x certbot-manager.sh loopia-hook.sh
   ```

## Usage

### Manual Certificate Management

```bash
# Check certificate status
./certbot-manager.sh status

# Check if renewal is needed
./certbot-manager.sh check

# Force certificate renewal
./certbot-manager.sh renew

# Auto-renew only if needed (for cron)
./certbot-manager.sh auto
```

### Automatic Renewal with Cron

1. **Set up a cron job** (recommended; runs daily at 2 AM):

   ```bash
   sudo crontab -e
   ```

   Add this line:

   ```
   0 2 * * * cd /path/to/your/project/ssl && source .env && ./certbot-manager.sh auto >> /var/log/letsencrypt/cron.log 2>&1
   ```

2. **Alternative: set up a systemd timer** (more modern approach):

   ```bash
   sudo cp ssl-renewal.service /etc/systemd/system/
   sudo cp ssl-renewal.timer /etc/systemd/system/
   sudo systemctl enable ssl-renewal.timer
   sudo systemctl start ssl-renewal.timer
   ```

## Certificate Types

### HTTP Challenge (Single Domain)

- Works for: `dev.uggla.uamils.com`
- Requirements: Port 80 accessible, nginx configured for ACME challenges
- No additional credentials needed

### DNS Challenge (Wildcard Support)

- Works for: `dev.uggla.uamils.com` and `*.dev.uggla.uamils.com`
- Requirements: Loopia DNS API credentials
- Set `LOOPIA_USER` and `LOOPIA_PASSWORD` in `.env`

## Nginx Configuration

Ensure your nginx configuration includes ACME challenge support:

```nginx
server {
    listen 80;
    server_name dev.uggla.uamils.com *.dev.uggla.uamils.com;

    # ACME challenge location
    location /.well-known/acme-challenge/ {
        root /var/www/html;
        try_files $uri =404;
    }

    # Redirect other traffic to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}
```

## Monitoring

### Check Certificate Status

```bash
./certbot-manager.sh status
```

### View Renewal Logs

```bash
tail -f /var/log/letsencrypt/renewal.log
```

### Check Cron Logs

```bash
tail -f /var/log/letsencrypt/cron.log
```

## Troubleshooting

### DNS Challenge Issues

- Verify that the Loopia credentials are correct
- Check DNS propagation: `dig _acme-challenge.dev.uamils.com TXT`
- Ensure API access is enabled in the Loopia control panel

### HTTP Challenge Issues

- Verify that port 80 is accessible from the internet
- Check the nginx configuration: `nginx -t`
- Ensure the webroot path exists and is writable

### Permission Issues

- Ensure scripts are executable: `chmod +x *.sh`
- Run with sudo if accessing system directories
- Check log file permissions

## Files

- `certbot-manager.sh` - Main certificate management script
- `loopia-hook.sh` - DNS challenge hook for Loopia
- `.env.example` - Configuration template
- `ssl-renewal.service` - Systemd service file
- `ssl-renewal.timer` - Systemd timer file
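The `auto` mode described under Usage renews only when the certificate is close to expiry, which is what makes a daily cron run safe against Let's Encrypt rate limits. The following is an added example of that decision logic, not the project's `certbot-manager.sh`: it reads the `notAfter` line that `openssl x509 -enddate -noout` prints and compares the remaining days against a renewal window. It assumes GNU `date -d`, a 30-day window (certbot's default for 90-day Let's Encrypt certificates), and a `CERT_PATH` environment variable naming the PEM certificate; all three are assumptions, not settings from this README.

```shell
#!/usr/bin/env bash
# Added example (not the project's certbot-manager.sh): "renew only if needed"
# logic based on the certificate's notAfter date as printed by
#   openssl x509 -enddate -noout -in cert.pem   ->  notAfter=Jan 31 00:00:00 2030 GMT
# Assumptions (not from the README): GNU `date -d`, a 30-day renewal window,
# and CERT_PATH pointing at the live certificate when run stand-alone.

RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"

# days_until_expiry "notAfter=Jan 31 00:00:00 2030 GMT" [now_epoch]
# Prints whole days remaining (negative once expired). The optional second
# argument overrides "now" so the logic can be checked against fixed dates.
days_until_expiry() {
    local stamp="${1#notAfter=}"   # strip the openssl prefix
    stamp="${stamp% GMT}"          # openssl always prints GMT; parse as UTC
    local expiry now
    expiry="$(date -u -d "$stamp" +%s)" || return 2   # unparsable date
    now="${2:-$(date -u +%s)}"
    echo $(( (expiry - now) / 86400 ))
}

# needs_renewal "notAfter=..." [now_epoch]
# Exit 0 when renewal is due (within the window or already expired), 1 otherwise.
needs_renewal() {
    local days
    days="$(days_until_expiry "$1" "${2:-}")" || return 2
    [ "$days" -le "$RENEW_WINDOW_DAYS" ]
}

# Stand-alone use, e.g. from cron:
#   CERT_PATH=/etc/letsencrypt/live/<domain>/cert.pem ./check-expiry.sh
# Only the decision is printed here; the actual renewal is certbot's job.
if [ -n "${CERT_PATH:-}" ]; then
    stamp="$(openssl x509 -enddate -noout -in "$CERT_PATH")"
    if needs_renewal "$stamp"; then
        echo "renewal due ($(days_until_expiry "$stamp") days left): run certbot renew"
    else
        echo "certificate OK ($(days_until_expiry "$stamp") days left), nothing to do"
    fi
fi
```

Because the check is idempotent, it can run every day from the cron entry above without touching the CA unless the window has been reached; a certificate that fails to renew then produces a non-zero day count shrinking in the cron log, which is the signal to look at the renewal log before expiry.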