# SSL Certificate Auto-Renewal with Cron

This directory contains scripts for managing SSL certificates with Let's Encrypt outside of Docker containers.

## Setup

1. **Install dependencies:**

   ```bash
   sudo apt update
   sudo apt install certbot nginx openssl

   # Optional: for DNS challenges with Loopia
   sudo pip install dns-lexicon[full]
   ```

2. **Configure environment:**

   ```bash
   cp .env.example .env
   nano .env   # Edit with your domain and credentials
   ```

   When DNS challenges are used this file holds the Loopia API credentials, so keep it readable only by the account that runs the renewal.

3. **Make scripts executable:**

   ```bash
   chmod +x certbot-manager.sh loopia-hook.sh
   ```

## Usage

### Manual Certificate Management

```bash
# Check certificate status
./certbot-manager.sh status

# Check if renewal is needed
./certbot-manager.sh check

# Force certificate renewal
./certbot-manager.sh renew

# Auto-renew only if needed (for cron)
./certbot-manager.sh auto
```
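The `check` and `auto` subcommands above rest on one decision: how many days the current certificate has left, and whether that is under the renewal margin. The script below is an added example of that logic and is not the project's `certbot-manager.sh`; it assumes GNU `date` (for `-d`) and `openssl`, the variable name `RENEW_THRESHOLD_DAYS` is invented for the example, and the 30-day default is an assumption rather than a value stated in this README.

```shell
#!/usr/bin/env bash
# Added example (not the project's certbot-manager.sh): decide whether a
# certificate is close enough to expiry to renew.
# Assumptions: GNU date (-d), openssl on PATH, RENEW_THRESHOLD_DAYS is an
# invented variable with an assumed default of 30 days.
set -eu

RENEW_THRESHOLD_DAYS="${RENEW_THRESHOLD_DAYS:-30}"

# Convert an openssl notAfter string such as "Dec 31 23:59:59 2030 GMT"
# into a Unix timestamp.
not_after_to_epoch() {
    date -u -d "$1" +%s
}

# Whole days from "now" ($2, a Unix timestamp, defaults to the current
# time) until the given notAfter string. Negative once already expired.
days_until_expiry() {
    local not_after="$1"
    local now="${2:-$(date +%s)}"
    local end
    end="$(not_after_to_epoch "$not_after")"
    echo $(( (end - now) / 86400 ))
}

# Exit status 0 when the remaining days are at or below the threshold.
renewal_needed() {
    [ "$1" -le "$RENEW_THRESHOLD_DAYS" ]
}

# Read the notAfter field of a PEM certificate with openssl.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Predicate for a live certificate file: status 0 means "renew now".
# Usage: if check_cert /etc/letsencrypt/live/<domain>/fullchain.pem; then ...; fi
check_cert() {
    local cert="$1"
    local days
    days="$(days_until_expiry "$(cert_not_after "$cert")")"
    if renewal_needed "$days"; then
        echo "renew: $cert expires in $days day(s) (threshold $RENEW_THRESHOLD_DAYS)"
        return 0
    fi
    echo "ok: $cert valid for $days more day(s)"
    return 1
}
```

`days_until_expiry` takes the reference time as an optional second argument so the arithmetic can be exercised without touching the clock or a real certificate; `check_cert` is the only function that needs `openssl` and a certificate file on disk.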

### Automatic Renewal with Cron

1. **Set up a cron job** (recommended; runs daily at 2 AM):

   ```bash
   sudo crontab -e
   ```

   Add this line (cron runs commands with `/bin/sh`, where `source` is not a builtin, so the environment file is loaded with the portable `.` instead):

   ```
   # Daily at 02:00; "." rather than "source" because cron uses /bin/sh
   0 2 * * * cd /path/to/your/project/ssl && . ./.env && ./certbot-manager.sh auto >> /var/log/letsencrypt/cron.log 2>&1
   ```

2. **Alternative: set up a systemd timer** (more modern approach):

   ```bash
   sudo cp ssl-renewal.service /etc/systemd/system/
   sudo cp ssl-renewal.timer /etc/systemd/system/
   sudo systemctl enable ssl-renewal.timer
   sudo systemctl start ssl-renewal.timer
   ```

## Certificate Types

### HTTP Challenge (Single Domain)

- Works for: `dev.uggla.uamils.com`
- Requirements: port 80 accessible, nginx configured for ACME challenges
- No additional credentials needed

### DNS Challenge (Wildcard Support)

- Works for: `dev.uggla.uamils.com` and `*.dev.uggla.uamils.com`
- Requirements: Loopia DNS API credentials
- Set `LOOPIA_USER` and `LOOPIA_PASSWORD` in `.env`

## Nginx Configuration

Ensure your nginx configuration includes ACME challenge support:

```nginx
server {
    listen 80;
    server_name dev.uggla.uamils.com *.dev.uggla.uamils.com;

    # ACME challenge location
    location /.well-known/acme-challenge/ {
        root /var/www/html;
        try_files $uri =404;
    }

    # Redirect other traffic to HTTPS. $host keeps the requested hostname;
    # $server_name would collapse every wildcard subdomain onto the first
    # name in server_name.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

## Monitoring

### Check Certificate Status

```bash
./certbot-manager.sh status
```

### View Renewal Logs

```bash
tail -f /var/log/letsencrypt/renewal.log
```

### Check Cron Logs

```bash
tail -f /var/log/letsencrypt/cron.log
```

## Troubleshooting

### DNS Challenge Issues

- Verify Loopia credentials are correct
- Check DNS propagation: `dig _acme-challenge.dev.uamils.com TXT`
- Ensure API access is enabled in the Loopia control panel

### HTTP Challenge Issues

- Verify port 80 is accessible from the internet
- Check nginx configuration: `nginx -t`
- Ensure the webroot path exists and is writable

### Permission Issues

- Ensure scripts are executable: `chmod +x *.sh`
- Run with sudo if accessing system directories
- Check log file permissions
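The HTTP challenge items above (webroot exists and is writable, nginx serves `/.well-known/acme-challenge/`, port 80 reachable) can be checked in one go before a renewal is attempted, which is cheaper than discovering them in the cron log after a failed run. The script below is an added example, not one of the project's scripts: it writes a throwaway token under the webroot the way certbot's webroot plugin would, optionally fetches it back over plain HTTP, and removes it again. `WEBROOT`, `CHALLENGE_DIR` and `preflight_webroot` are names invented for the example; the default webroot matches the `root /var/www/html;` line in the nginx configuration above, and `curl` is assumed to be installed for the optional fetch.

```shell
#!/usr/bin/env bash
# Added example (not part of the project's scripts): pre-flight check for
# the HTTP-01 challenge path served by the nginx acme-challenge location.
# Assumptions: WEBROOT defaults to /var/www/html as in the nginx example;
# curl is available when an HTTP base URL is supplied.
set -eu

WEBROOT="${WEBROOT:-/var/www/html}"
CHALLENGE_DIR=".well-known/acme-challenge"

# Create the challenge directory if missing and write a probe token.
# Prints the token file name; status 1 when the directory is not writable.
write_probe_token() {
    local webroot="$1"
    local dir="$webroot/$CHALLENGE_DIR"
    local name="preflight-$$-$(date +%s)"
    mkdir -p "$dir" 2>/dev/null || return 1
    [ -w "$dir" ] || return 1
    printf 'preflight-ok' > "$dir/$name" || return 1
    echo "$name"
}

# Fetch the token over HTTP, as the ACME server would, and compare the body.
fetch_probe_token() {
    local base_url="$1" name="$2"
    local body
    body="$(curl -fsS --max-time 10 "$base_url/$CHALLENGE_DIR/$name")" || return 1
    [ "$body" = "preflight-ok" ]
}

remove_probe_token() {
    rm -f "$1/$CHALLENGE_DIR/$2"
}

# Full pre-flight: local write check, optional HTTP fetch, always clean up.
# Usage: preflight_webroot /var/www/html http://dev.uggla.uamils.com
preflight_webroot() {
    local webroot="$1" base_url="${2:-}"
    local name rc=0
    name="$(write_probe_token "$webroot")" || {
        echo "FAIL: $webroot/$CHALLENGE_DIR is missing or not writable" >&2
        return 1
    }
    if [ -n "$base_url" ]; then
        if fetch_probe_token "$base_url" "$name"; then
            echo "OK: $base_url serves $CHALLENGE_DIR from $webroot"
        else
            echo "FAIL: $base_url/$CHALLENGE_DIR/$name not served (check nginx -t and port 80)" >&2
            rc=1
        fi
    else
        echo "OK: $webroot/$CHALLENGE_DIR is writable (no URL given, HTTP fetch skipped)"
    fi
    remove_probe_token "$webroot" "$name"
    return "$rc"
}
```

Run it as the same account the renewal runs under, so the writability result reflects the real permissions; a `FAIL` on the fetch step with a passing write step narrows the problem to nginx or the firewall rather than the filesystem.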

## Files

- `certbot-manager.sh` - Main certificate management script
- `loopia-hook.sh` - DNS challenge hook for Loopia
- `.env.example` - Configuration template
- `ssl-renewal.service` - Systemd service file
- `ssl-renewal.timer` - Systemd timer file