
SSL Certificate Auto-Renewal with Cron

This directory contains scripts for managing SSL certificates with Let's Encrypt outside of Docker containers.

Setup

  1. Install dependencies:

    sudo apt update
    sudo apt install certbot nginx openssl
    
    # Optional: for DNS challenges with Loopia (quoted so the shell does not treat the brackets as a glob)
    sudo pip install 'dns-lexicon[full]'
    
  2. Configure environment:

    cp .env.example .env
    nano .env  # Edit with your domain and credentials
    
  3. Make scripts executable:

    chmod +x certbot-manager.sh loopia-hook.sh
    

Usage

Manual Certificate Management

# Check certificate status
./certbot-manager.sh status

# Check if renewal is needed
./certbot-manager.sh check

# Force certificate renewal
./certbot-manager.sh renew

# Auto-renew only if needed (for cron)
./certbot-manager.sh auto
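The check and auto modes above come down to one decision: is the certificate within its renewal window? The script below is an added example, not the repository's certbot-manager.sh; it assumes openssl is on the PATH (it is among the installed dependencies) and that the certificate path, the day threshold and the renew command are supplied by the caller.

```shell
#!/bin/sh
# Added example, not the repository's certbot-manager.sh: the decision logic a
# cron-driven "auto" mode needs, built on the openssl binary the setup installs.
# The cert path, the 30-day threshold and the renew command are assumptions.

# needs_renewal CERT DAYS
#   exit 0 -> CERT expires within DAYS, renew it
#   exit 1 -> CERT stays valid beyond DAYS, nothing to do
#   exit 2 -> CERT missing or unreadable
needs_renewal() {
    cert="$1"; days="${2:-30}"
    [ -r "$cert" ] || return 2
    # -checkend SECONDS exits 0 when the cert is still valid after SECONDS
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_expiry CERT: print the notAfter date for a status report
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# auto_renew CERT DAYS CMD...: run CMD only when renewal is due (the cron path).
# Non-zero exit only for an unreadable cert or a failing CMD, so a quiet cron
# run means "checked, nothing to do".
auto_renew() {
    cert="$1"; days="$2"; shift 2
    needs_renewal "$cert" "$days" && rc=0 || rc=$?
    case $rc in
        0) echo "renewal due (expires $(cert_expiry "$cert")), running: $*"; "$@" ;;
        1) echo "certificate valid beyond $days days, skipping" ;;
        *) echo "cannot read $cert" >&2; return 2 ;;
    esac
}

# Constructed fixtures: two throwaway self-signed certs (90-day and 5-day) in a
# temp dir, so the logic can be exercised without touching Let's Encrypt.
make_fixture_dir() {
    dir=$(mktemp -d)
    for spec in long:90 short:5; do
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
            -days "${spec#*:}" -keyout "$dir/${spec%:*}.key" \
            -out "$dir/${spec%:*}.pem" >/dev/null 2>&1
    done
    echo "$dir"
}
```

In a real cron entry the CMD argument would be the certbot renewal command; here the fixtures let you see both branches of the decision locally.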

Automatic Renewal with Cron

  1. Set up a cron job (recommended; runs daily at 2 AM):

    sudo crontab -e
    

    Add this line. Cron runs it with /bin/sh, where source is not a builtin, so the environment file is loaded with the portable dot command. Because .env holds the Loopia credentials, keep it owned by root with mode 600.

    0 2 * * * cd /path/to/your/project/ssl && . ./.env && ./certbot-manager.sh auto >> /var/log/letsencrypt/cron.log 2>&1
    
  2. Alternative: set up a systemd timer (the more modern approach):

    sudo cp ssl-renewal.service /etc/systemd/system/
    sudo cp ssl-renewal.timer /etc/systemd/system/
    sudo systemctl enable ssl-renewal.timer
    sudo systemctl start ssl-renewal.timer
    

Certificate Types

HTTP Challenge (Single Domain)

  • Works for: dev.uggla.uamils.com
  • Requirements: Port 80 accessible, nginx configured for ACME challenges
  • No additional credentials needed

DNS Challenge (Wildcard Support)

  • Works for: dev.uggla.uamils.com and *.dev.uggla.uamils.com
  • Requirements: Loopia DNS API credentials
  • Set LOOPIA_USER and LOOPIA_PASSWORD in .env

Nginx Configuration

Ensure your nginx configuration includes ACME challenge support:

server {
    listen 80;
    server_name dev.uggla.uamils.com *.dev.uggla.uamils.com;
    
    # ACME challenge location
    location /.well-known/acme-challenge/ {
        root /var/www/html;
        try_files $uri =404;
    }
    
    # Redirect other traffic to HTTPS. $host keeps the name the client asked for;
    # $server_name would send every wildcard subdomain to the first server_name.
    location / {
        return 301 https://$host$request_uri;
    }
}

Monitoring

Check Certificate Status

./certbot-manager.sh status

View Renewal Logs

tail -f /var/log/letsencrypt/renewal.log

Check Cron Logs

tail -f /var/log/letsencrypt/cron.log

Troubleshooting

DNS Challenge Issues

  • Verify Loopia credentials are correct
  • Check DNS propagation: dig _acme-challenge.dev.uggla.uamils.com TXT
  • Ensure API access is enabled in Loopia control panel

HTTP Challenge Issues

  • Verify port 80 is accessible from internet
  • Check nginx configuration: nginx -t
  • Ensure webroot path exists and is writable

Permission Issues

  • Ensure scripts are executable: chmod +x *.sh
  • Run with sudo if accessing system directories
  • Check log file permissions

Files

  • certbot-manager.sh - Main certificate management script
  • loopia-hook.sh - DNS challenge hook for Loopia
  • .env.example - Configuration template
  • ssl-renewal.service - Systemd service file
  • ssl-renewal.timer - Systemd timer file