EE-ACME-SH : bash script to manage Let's Encrypt Certs


#1

Hello Everyone,

My contribution for EasyEngine users: ee-acme-sh

A Bash script to install Let's Encrypt SSL certificates automatically using acme.sh on servers running EasyEngine

Features

  • Automated installation of Let's Encrypt SSL certificates using acme.sh
  • ACME validation with standalone mode or the Cloudflare DNS API
  • Domain, subdomain & wildcard SSL certificate support
  • ECDSA certificates with a 384-bit ECC private key
  • IPv6 support
  • Automated certificate renewal

Issues

I have already run a lot of tests before this first release. If you have any issue with the script, feel free to open an issue on GitHub.


#2

Pardon my ignorance – but how would this script compare to the options for Let’s Encrypt that are already part of EE? Before I started using EE I was using Server Pilot’s free product, which doesn’t include Let’s Encrypt, and found a script called sple.sh that can set up Let’s Encrypt. But for EE, does this bring new features? Thanks


#3

Hello,

Yes, I have written this script because some features were missing from the letsencrypt extension of EasyEngine, and it was painful to set up SSL certificates manually.

The main differences are:

  • IPv6 support: if there are IPv6 records in your domain's DNS, EE will not be able to generate an SSL certificate
  • subdomain & wildcard support
  • standalone or DNS validation, to be compatible with all CMS and nginx configurations.

2048-bit RSA certificates are also replaced by ECDSA certificates with a 384-bit private key. They provide better encryption with faster SSL negotiation.


#4

Thanks for the explanation!


#5

@virtubox hi mate, super thanks for your super work! Super easy!

My problem currently is error 502 and error 525 when loading https://mydomain.tld

This is what I do:

Step 1: wget -qO ee rt.cx/ee && sudo bash ee

Step 2: sudo ee site create mydomain.tld --wpsubdom --wpredis --php7

Step 3: cd && bash <(wget --no-check-certificate -O - https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh)

Step 4: source .bashrc

Step 5: ee-acme-wildcard

I fill in everything and it all runs smoothly.

It's just that my end result is error 525 (SSL handshake failed) and sometimes error 502.

I'm using the Cloudflare API. Am I missing anything?

I’m looking forward to your favorable reply soon!

Thanks again!


#6

Hello @Louiss,

it's probably related to the old nginx cipher suites used by EE; you can replace them with the command:

sed -i 's/ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;/ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;/' /etc/nginx/nginx.conf

Then just reload nginx.
You can also take a look at ubuntu-nginx-web-server, my GitHub repository where I store all my configurations for EasyEngine.
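
An added example, covering the cipher-suite fix above and the ECDSA certificates described in #3. This is my own script, not ee-acme-sh or EasyEngine code: the config path, the cipher list and every function name are this example's assumptions. Unlike the one-liner above, which matches EE's exact default string, it rewrites whichever ssl_ciphers line is present, keeps a timestamped backup, reloads only when nginx -t passes, and can confirm that the certificate nginx will serve really is an ECC-384 key. The cipher list chosen here is TLS 1.2 ECDHE AEAD suites only; it deliberately drops DES-CBC3-SHA and the static-RSA AES suites that the one-liner keeps for very old clients, so pick the list that matches your client base.

```shell
#!/usr/bin/env bash
# Added example, not ee-acme-sh or EasyEngine code: swap nginx's ssl_ciphers
# list safely and confirm the certificate key type. The cipher list, the
# config path and all function names are this example's own choices.
set -eu

NGINX_CONF=/etc/nginx/nginx.conf

# Example list (this example's choice): ECDHE-only AEAD suites, ECDSA first so
# a P-384 ECDSA certificate is negotiated. Drops 3DES and static-RSA suites.
NEW_CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'

# Print the value of the first ssl_ciphers directive in a file (empty if none).
current_ciphers() {
    { grep -m1 -E '^[[:space:]]*ssl_ciphers[[:space:]]' "$1" || true; } \
      | sed -E 's/^[[:space:]]*ssl_ciphers[[:space:]]+//; s/[[:space:]]*;.*$//; s/^"//; s/"$//'
}

# List suites in a colon-separated cipher string worth flagging today:
# 3DES, RC4, MD5 MACs and static-RSA key exchange (no forward secrecy).
# Negated entries such as !RC4 are skipped.
weak_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' \
      | grep -E 'DES-CBC3|RC4|MD5|^AES[0-9]+-' || true
}

# Replace the ssl_ciphers directive in place after keeping a timestamped
# backup. Fails (without touching the file) if the directive is absent.
# The new list must not contain '|', '&' or '\' (sed replacement specials).
set_ciphers() {
    local conf="$1" ciphers="$2"
    if ! grep -qE '^[[:space:]]*ssl_ciphers[[:space:]]' "$conf"; then
        echo "no ssl_ciphers directive in $conf" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    sed -i.tmp -E "s|^([[:space:]]*)ssl_ciphers[[:space:]][^;]*;|\1ssl_ciphers ${ciphers};|" "$conf"
    rm -f "$conf.tmp"
}

# Report "<algorithm>:<bits>" for the public key in a PEM certificate, e.g.
# "id-ecPublicKey:384" for an ECC-384 certificate, "rsaEncryption:2048" for
# a 2048-bit RSA one. Requires openssl.
cert_key_info() {
    openssl x509 -in "$1" -noout -text \
      | awk '/Public Key Algorithm:/ {alg=$NF}
             /Public-Key: \(/ {gsub(/[()]/, "", $2); bits=$2}
             END {print alg ":" bits}'
}

# Reload nginx only when the configuration test passes, so a bad cipher
# string cannot take every site on the server down.
reload_if_valid() {
    if nginx -t; then
        nginx -s reload
    else
        echo "nginx -t failed; not reloading. Restore the .bak file if needed." >&2
        return 1
    fi
}

# Apply to the live server only when asked explicitly:
#   sudo bash this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    echo "before: $(current_ciphers "$NGINX_CONF")"
    set_ciphers "$NGINX_CONF" "$NEW_CIPHERS"
    echo "after:  $(current_ciphers "$NGINX_CONF")"
    reload_if_valid
fi
```

Run `weak_suites "$(current_ciphers /etc/nginx/nginx.conf)"` first to see what the current list still offers, and `cert_key_info /path/to/fullchain.pem` on the certificate acme.sh issued; the backup file is the undo path if a client population turns out to need a suite you removed.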


#7

Hi @virtubox mate, thanks for the heads up!

May I know if that is a command I can apply directly, or do I have to do it one by one?


#8

Hello @Louiss,

you can run it directly and then reload nginx; it will be applied to all your sites.


#9

@virtubox, how do I run the command? sudo ubuntu-nginx-web-server?


#10

Ah sorry, I hadn't seen that there was a typo in my previous message, and the link wasn't displayed properly.


#11

@virtubox mate,

I get this error: -bash: ubuntu-nginx-web-server: command not found

Am I missing something?


#12

@virtubox mate, thanks for saving me. This is working fine!


#13

The new release of ee-acme-sh is available: https://github.com/VirtuBox/ee-acme-sh/

I have fully rewritten the script; here is the changelog:

  • Unified script with standalone & Cloudflare ACME validation available
  • Unified command ee-acme to generate a certificate
  • add argument parsing support
  • add usage documentation, available with the argument --help or -h
  • add verification between each step to avoid issues
  • do not reload if the configuration is incorrect
  • add support for the Nginx mainline release 1.15.x

To install or update the script, just run:

bash <(wget -qO - https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh)

# enable acme.sh & ee-acme-sh
source .bashrc
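
An added example, not part of ee-acme-sh: the install one-liner pipes a remote script straight into bash, and the step-by-step post earlier in this thread fetched it with --no-check-certificate, which turns off TLS verification of the download. The pattern a practitioner would use instead is to fetch the installer to disk, review it once, record its SHA-256, and have later installs refuse to run on a mismatch. The URL is the one from this post; the function names and the digest you pin are your own.

```shell
#!/usr/bin/env bash
# Added example (not from ee-acme-sh): fetch the installer to disk, verify it
# against a SHA-256 you recorded after reviewing it, and only then run it.
# The URL is from the post; the digest you pass in is your own record.
set -eu

INSTALLER_URL='https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh'

# Print the SHA-256 of a file, portable across coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's SHA-256 equals the expected digest (case-insensitive).
verify_sha256() {
    local actual
    actual=$(sha256_of "$1")
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Download with certificate verification left on (no --no-check-certificate),
# verify the digest, and execute only on a match. On mismatch the file is
# kept so you can diff it against the copy you reviewed.
fetch_verify_run() {
    local url="$1" expected="$2" tmp
    tmp=$(mktemp)
    wget -qO "$tmp" "$url"
    if verify_sha256 "$tmp" "$expected"; then
        bash "$tmp"
        rm -f "$tmp"
    else
        echo "checksum mismatch for $url; not running. Review $tmp manually." >&2
        return 1
    fi
}

# Usage: bash this-script.sh <sha256-of-reviewed-install.sh>
if [ -n "${1:-}" ]; then
    fetch_verify_run "$INSTALLER_URL" "$1"
fi
```

To record the digest the first time: `wget -O install.sh "$INSTALLER_URL"`, read it, then `sha256_of install.sh`. The script changes between releases, so a mismatch is the signal to review again rather than to relax the check.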

#14

@virtubox my test site had a database error, so I deleted everything and redid it. This time I get an error when I want to reinstall Let's Encrypt:

[Tue Sep 25 12:12:43 UTC 2018] Creating domain key
[Tue Sep 25 12:12:43 UTC 2018] The domain key is here: /root/.acme.sh/mydomain.tld_ecc/mydomain.tld.key
[Tue Sep 25 12:12:43 UTC 2018] Multi domain='DNS:mydomain.tld,DNS:*.mydomain.tld'
[Tue Sep 25 12:12:43 UTC 2018] Getting domain auth token for each domain
[Tue Sep 25 12:12:45 UTC 2018] Getting webroot for domain='mydomain.tld'
[Tue Sep 25 12:12:45 UTC 2018] Getting webroot for domain='*.mydomain.tld'
[Tue Sep 25 12:12:45 UTC 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Tue Sep 25 12:12:46 UTC 2018] invalid domain
[Tue Sep 25 12:12:46 UTC 2018] Error add txt for domain:_acme-challenge.mydomain.tld
[Tue Sep 25 12:12:46 UTC 2018] Please add '--debug' or '--log' to check more details.
[Tue Sep 25 12:12:46 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
acme.sh failed to issue certificate

Can you have a look please?


#15

Hello @Louiss, have you used the wildcard mode or the standard domain mode?


#17

@virtubox I'm using wildcard mode

Update: due to my carelessness, the problem was that I put in the wrong Cloudflare account.


#18

Okay, let me know if it works properly, because it can also be an error in the script.


#19