I opted not to install certbot, but downloaded the shell script getssl from GitHub instead. This script lets you create and update your certificates manually, and it can even upload them to the server for you. One can also put this script on the server and set up a cron job to keep the certificates up to date.
Following the somewhat sparse instructions on getssl's wiki page, I managed to get the script set up and created a brand new certificate within two hours, including a fight against a silly server management system (which is out of the scope of this tutorial).
In order for getssl to access your server, you need to have generated an SSH key and uploaded it to your server with ssh-copy-id:
$ ssh-keygen
$ ssh-copy-id user@domain.com
I have not yet tried it with a key for the root user, but it would be pretty much the same. Root access is probably needed for automatically restarting the HTTP daemon.
The next step is to download getssl and run it a first time. This generates some files in ~/.getssl. Then you need to adjust two configuration files. I set the following:
# ~/.getssl/getssl.conf (global settings)
# Staging server for testing:
CA="https://acme-staging.api.letsencrypt.org"
# Once you have set up everything, create the real certificate with this URI:
#CA="https://acme-v01.api.letsencrypt.org"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/user/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
REUSE_PRIVATE_KEY="true"
RENEW_ALLOW="30"
SERVER_TYPE="https"
CHECK_REMOTE="true"
PUBLIC_DNS_SERVER="8.8.8.8"
# ~/.getssl/www.domain.com/getssl.conf (per-domain settings)
# The staging server is best for testing
CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
# CA="https://acme-v01.api.letsencrypt.org"
PRIVATE_KEY_ALG="rsa"
#SANS="static.domain.com"
# Where the challenge tokens are copied to (must be served as /.well-known/acme-challenge/)
ACL=('ssh:user@domain.com:/var/www/domain.com/ssl')
USE_SINGLE_ACL="true"
# Where the issued files are uploaded to
DOMAIN_CERT_LOCATION="user@domain.com:/var/www/domain.com/ssl/www.domain.com.crt"
DOMAIN_KEY_LOCATION="user@domain.com:/var/www/domain.com/ssl/www.domain.com.key"
CA_CERT_LOCATION="user@domain.com:/var/www/domain.com/ssl/chain.crt"
DOMAIN_CHAIN_LOCATION="user@domain.com:/var/www/domain.com/ssl/www.domain.com.chain.crt"
# Note: the variable is DOMAIN_PEM_LOCATION; a misspelt name is silently ignored by getssl
DOMAIN_PEM_LOCATION="user@domain.com:/var/www/domain.com/ssl/www.domain.com.pem.key"
RELOAD_CMD="ssh:root@domain.com:systemctl reload apache2"
SERVER_TYPE="https"
CHECK_REMOTE="true"
As a last step, you call getssl a second time. As long as you have selected the staging server, you can try as often as you like. When you're satisfied with your set-up, change the entry in getssl.conf to the real server and issue:
user@home:~/.getssl/ $ ./getssl www.domain.com
www.domain.com: no certificate obtained from host
Registering account
Registered
Verify each domain
Verifying www.domain.com
copying challenge token to ssh:user@www.domain.com:/srv/www/domain.com/ssl/UHiO79uDAsN-fJjsndOVEXjmMQ1mAqLJOsasOqwpSIY
Pending
Verified www.domain.com
Verification completed, obtaining certificate.
Certificate saved in /home/user/.getssl/www.domain.com/www.domain.com.crt
The intermediate CA cert is in /home/user/.getssl/www.domain.com/chain.crt
copying domain certificate to ssh:user@www.domain.com:/srv/www/domain.com/ssl/harald.ist.org.crt
copying private key to ssh:hmw@central-dogma.at:/srv/www/domain.com/ssl/harald.ist.org.key
copying CA certificate to ssh:hmw@central-dogma.at:/srv/www/domain.com/ssl/chain.crt
copying full chain to hmw@central-dogma.at:/srv/www/domain.com/ssl/www.domain.com.chain.crt
reloading SSL services
getssl.sh: www.domain.com - certificate obtained
user@home:~/.getssl/ $
getssl did not provide an option to set a custom port for ssh, so I had to patch the script. I searched it for calls to scp and ssh and added the corresponding command line switches:
ssh_port=12345   # Hard-coded port number at the top of the script

# scp call: add -P with the port
if ! scp -P $ssh_port -q "$from" "${to:4}" >/dev/null 2>&1 ; then
    error_exit "problem copying file to the server using scp. scp -P $ssh_port $from ${to:4}"
fi

# ssh call: add -p with the port
ssh -p $ssh_port "$sshhost" "${command}" 1>/dev/null 2>&1
On a server that has ISPConfig installed, I had to comment out "Alias /.well-known/acme-challenge/ /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/" in /etc/apache2/sites-enabled/000-ispconfig.conf in order to get past ISPConfig's stubbornness and let everyone access this folder in MY document root. Users have no access to ISPConfig's folder!?
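The script below is an added pre-flight check for a setup like the one above; it is example code written for this page, not part of getssl or of the original post. It reads a getssl.conf of the form shown, reports which ACME server it points at, collects every user@host that getssl will scp or ssh to (from the ACL, *_LOCATION and RELOAD_CMD entries), tests that each one accepts a non-interactive login, and, for the ISPConfig problem, writes a throw-away file into the ACL directory and fetches it back over HTTP to confirm the web server really serves /.well-known/acme-challenge/ from your document root rather than from an Alias. The sample config, the token value and the file name preflight.sh are constructed for the example; it assumes curl is installed locally.

```shell
#!/bin/sh
# Added pre-flight checks for a getssl setup (example code, not getssl's own).
# Assumes a getssl.conf in the form shown in the post, SSH targets written as
# ssh:user@host:/path or user@host:/path, and curl on the local machine.

# Print the active (non-commented) CA entry of a getssl.conf, without quotes.
getssl_ca_url() {
    grep -E '^[[:space:]]*CA=' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*CA=//; s/^"//; s/"$//'
}

# Succeed when the config still points at the Let's Encrypt staging server.
getssl_is_staging() {
    case "$(getssl_ca_url "$1")" in
        *staging*) return 0 ;;
        *)         return 1 ;;
    esac
}

# List every user@host that getssl will scp/ssh to (ACL, *_LOCATION, RELOAD_CMD),
# one per line, deduplicated; commented-out lines are ignored.
getssl_ssh_targets() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -oE '(ssh:)?[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:' \
        | sed -E 's/^ssh://; s/:$//' \
        | sort -u
}

# Try a non-interactive login to every target. BatchMode fails fast instead of
# prompting, so a missing key, wrong port or unreachable host shows up here
# rather than halfway through a certificate run. A non-standard port belongs in
# ~/.ssh/config ("Host domain.com" / "Port 12345"); ssh and scp both read it,
# so getssl itself needs no patching for that.
getssl_check_ssh() {
    rc=0
    for target in $(getssl_ssh_targets "$1"); do
        if ssh -o BatchMode=yes -o ConnectTimeout=5 "$target" true 2>/dev/null; then
            echo "ok   $target"
        else
            echo "FAIL $target (no key, wrong port, or host down)"
            rc=1
        fi
    done
    return $rc
}

# Build the URL the CA will fetch for a given domain and token.
acme_challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Drop a throw-away token into the ACL directory over ssh and fetch it back over
# plain HTTP. If this fails, something else (e.g. ISPConfig's Alias) is answering
# the path instead of your document root, and the CA's validation fails the same way.
getssl_check_challenge_path() {
    domain="$1"; target="$2"; dir="$3"
    token="preflight-$$-$(date +%s)"          # constructed marker, not an ACME token
    ssh -o BatchMode=yes "$target" "printf '%s' '$token' > '$dir/$token'" || return 1
    body=$(curl -fsS "$(acme_challenge_url "$domain" "$token")")
    ssh -o BatchMode=yes "$target" "rm -f '$dir/$token'"
    [ "$body" = "$token" ]
}

# Usage (file name preflight.sh is hypothetical):
#   sh preflight.sh ~/.getssl/www.domain.com/getssl.conf www.domain.com user@domain.com /var/www/domain.com/ssl
if [ "$#" -ge 4 ]; then
    if getssl_is_staging "$1"; then
        echo "note: still on the staging CA ($(getssl_ca_url "$1"))"
    else
        echo "note: production CA in use, rate limits apply"
    fi
    if getssl_check_ssh "$1" && getssl_check_challenge_path "$2" "$3" "$4"; then
        echo "pre-flight passed"
    else
        echo "pre-flight FAILED"
    fi
fi
```

Run it against the staging config before the first real issuance; a failed challenge-path fetch is exactly the symptom the Alias line in 000-ispconfig.conf produces, and a failed ssh check is what a patched-in port number was working around.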