This pack of scripts makes SSL certificate updates easy as fuck. One machine updates all of your servers. The script catches and mails errors for easy diagnostics. You add a domain to it, and a daily cron job gets or renews the cert for it, uploads it to the remote server and restarts the webserver. As I said, easy as fuck.

Best practice is to create an LXC container for it somewhere deep inside your network.

Requirements

Before use, install:

  • php-cli, for mailing from cron
  • certbot

Install

Clone the git repository:

git clone https://bitbucket.org/21h/letsencrypt-ssl-universal-update-robot.git

Generate the default key if you want to use one key for all servers:

keys_prepare/gen_default_key.sh

Remember! One key with root access for all servers is a really bad idea, but we all know you are a lazy jackass :) Yes, the key you generate must be installed into /root/.ssh/authorized_keys on each server, so the robot can upload updated certificates and restart the webserver service. Cool? :)

Before you start

Delete the 2 demo sites from the directories. They show you how it works.

Add your first domain

Just run ./create.sh and answer the questions. After the update script runs, all certificates are uploaded to the remote server into /etc/ssl/web/$domain/. After each upload the webserver is restarted, because some servers do not pick up updated SSL certs via systemctl reload apache2. If your server supports it, use reload instead of restart: a restart takes the server down and up, a reload does not shut it down.
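As an added example (not part of the robot's own scripts), here is a guard to run on the web server after an upload and before the service is reloaded: it accepts only a plain hostname so the path under /etc/ssl/web/ stays where it should, verifies that the uploaded certificate and key belong together, and reloads instead of restarting when the unit supports it. The file names fullchain.pem and privkey.pem (certbot's defaults) and the service name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the robot. Run on the web server after an upload:
#   sh cert_guard.sh example.com nginx
CERT_ROOT=/etc/ssl/web          # upload location used by the robot

# Accept only a plain hostname, so "$domain" can never escape $CERT_ROOT.
valid_domain() {
  case "$1" in
    ''|*/*|*..*|.*|-*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^([a-z0-9-]+\.)+[a-z]{2,}$'
}

# Print the per-domain directory, or fail if the name is rejected.
cert_dir() {
  valid_domain "$1" && printf '%s/%s\n' "$CERT_ROOT" "$1"
}

# Assumed file names (certbot defaults): fullchain.pem and privkey.pem.
# The public key inside the cert must equal the one derived from the key,
# otherwise the webserver refuses the pair when it comes back up.
cert_key_match() {
  c=$(openssl x509 -noout -pubkey -in "$1/fullchain.pem" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$1/privkey.pem" 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Reload keeps the server up; fall back to restart only when the unit
# reports no reload action at all.
reload_or_restart() {
  if systemctl show -p CanReload "$1" | grep -q '=yes$'; then
    systemctl reload "$1"
  else
    systemctl restart "$1"
  fi
}

# Only act when called with <domain> <service>; sourcing just defines the functions.
if [ "$#" -eq 2 ]; then
  dir=$(cert_dir "$1") || { echo "rejected domain: $1" >&2; exit 1; }
  cert_key_match "$dir" || { echo "cert/key mismatch in $dir" >&2; exit 1; }
  reload_or_restart "$2"
fi
```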

Forward .well-known requests to the machine running the scripts.

Sample nginx config:

location /.well-known {
  gzip off;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_pass http://10.0.2.180:80/.well-known;
}

Why nginx? Because I love nginx. If a server is outside of your network, forward a port from your front router to the robot machine so that server can reach it.

Removing

Run ./delete.sh

That's all.