borg/drone-detector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f78ce67e1085110eaaa8bdf716590eaff97f2c36
drone-detector/ssl/README.md
Alexander Borg 729ec717c0 Fix jwt-token
2025-09-12 21:01:30 +02:00

140 lines
3.2 KiB
Markdown
Raw Blame History

# SSL Certificate Auto-Renewal with Cron
This directory contains scripts for managing SSL certificates with Let's Encrypt outside of Docker containers.
## Setup
1. **Install dependencies:**
```bash
sudo apt update
sudo apt install certbot nginx openssl
# Optional: For DNS challenges with Loopia
sudo pip install dns-lexicon[full]
```
2. **Configure environment:**
```bash
cp .env.example .env
nano .env # Edit with your domain and credentials
```
3. **Make scripts executable:**
```bash
chmod +x certbot-manager.sh loopia-hook.sh
```
## Usage
### Manual Certificate Management
```bash
# Check certificate status
./certbot-manager.sh status
# Check if renewal is needed
./certbot-manager.sh check
# Force certificate renewal
./certbot-manager.sh renew
# Auto-renew only if needed (for cron)
./certbot-manager.sh auto
```
### Automatic Renewal with Cron
1. **Setup cron job** (recommended - runs daily at 2 AM):
```bash
sudo crontab -e
```
Add this line:
```
0 2 * * * cd /path/to/your/project/ssl && source .env && ./certbot-manager.sh auto >> /var/log/letsencrypt/cron.log 2>&1
```
2. **Alternative: Setup systemd timer** (more modern approach):
```bash
sudo cp ssl-renewal.service /etc/systemd/system/
sudo cp ssl-renewal.timer /etc/systemd/system/
sudo systemctl enable ssl-renewal.timer
sudo systemctl start ssl-renewal.timer
```
## Certificate Types
### HTTP Challenge (Single Domain)
- Works for: `dev.uggla.uamils.com`
- Requirements: Port 80 accessible, nginx configured for ACME challenges
- No additional credentials needed
### DNS Challenge (Wildcard Support)
- Works for: `dev.uggla.uamils.com` and `*.dev.uggla.uamils.com`
- Requirements: Loopia DNS API credentials
- Set `LOOPIA_USER` and `LOOPIA_PASSWORD` in `.env`
## Nginx Configuration
Ensure your nginx configuration includes ACME challenge support:
```nginx
server {
listen 80;
server_name dev.uggla.uamils.com *.dev.uggla.uamils.com;
# ACME challenge location
location /.well-known/acme-challenge/ {
root /var/www/html;
try_files $uri =404;
}
# Redirect other traffic to HTTPS
location / {
return 301 https://$server_name$request_uri;
}
}
```
## Monitoring
### Check Certificate Status
```bash
./certbot-manager.sh status
```
### View Renewal Logs
```bash
tail -f /var/log/letsencrypt/renewal.log
```
### Check Cron Logs
```bash
tail -f /var/log/letsencrypt/cron.log
```
## Troubleshooting
### DNS Challenge Issues
- Verify Loopia credentials are correct
- Check DNS propagation: `dig _acme-challenge.dev.uamils.com TXT`
- Ensure API access is enabled in Loopia control panel
### HTTP Challenge Issues
- Verify port 80 is accessible from internet
- Check nginx configuration: `nginx -t`
- Ensure webroot path exists and is writable
### Permission Issues
- Ensure scripts are executable: `chmod +x *.sh`
- Run with sudo if accessing system directories
- Check log file permissions
## Files
- `certbot-manager.sh` - Main certificate management script
- `loopia-hook.sh` - DNS challenge hook for Loopia
- `.env.example` - Configuration template
- `ssl-renewal.service` - Systemd service file
- `ssl-renewal.timer` - Systemd timer file
Reference in New Issue View Git Blame Copy Permalink