EE-ACME-SH : bash script to manage Let's Encrypt Certs


#1

Hello Everyone,

My contribution for EasyEngine users: ee-acme-sh

A Bash script to install Let’s Encrypt SSL certificates automatically using acme.sh on servers running with EasyEngine.

Features

  • Automated Installation of Let’s Encrypt SSL certificates using acme.sh
  • Acme validation with standalone mode or Cloudflare DNS API
  • Domain, Subdomain & Wildcard SSL Certificates support
  • ECDSA Certificates with ECC 384 Bits private key
  • IPv6 Support
  • Automated Certificates Renewal

Issues

I have already run a lot of tests before this first release. If you have any issue with the script, feel free to open an issue on GitHub.


#2

Pardon my ignorance – but how would this script compare to the options for Let’s Encrypt that are already part of EE? Before I started using EE I was using Server Pilot’s free product, which doesn’t include Let’s Encrypt, and found a script called sple.sh that can set up Let’s Encrypt. But for EE, does this bring new features? Thanks


#3

Hello,

Yes, I wrote this script because some features were missing in the letsencrypt extension of EasyEngine, and it was painful to set up SSL certificates manually.

The main differences are:

  • IPv6 support: if there are IPv6 records in your domain's DNS, EE will not be able to generate an SSL certificate
  • subdomain & wildcard support
  • standalone or DNS validation, to be compatible with all CMS and nginx configurations.

2048-bit RSA certificates are also replaced by ECDSA certificates with a 384-bit private key. They provide better encryption with faster SSL negotiation.


#4

Thanks for the explanation!


#5

@virtubox hi mate, super thanks for your super work! Super easy!

My problem currently is error 502 and error 525 when loading https://mydomain.tld

This is what I do:

Step 1: wget -qO ee rt.cx/ee && sudo bash ee

Step 2: sudo ee site create mydomain.tld --wpsubdom --wpredis --php7

Step 3: cd && bash <(wget --no-check-certificate -O - https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh)

Step 4: source .bashrc

Step 5: ee-acme-wildcard

I fill in everything and it all runs smoothly.

Just my end result is error 525 (SSL handshake failed) and sometimes error 502.

I’m using the Cloudflare API; am I missing anything?

I’m looking forward to your favorable reply soon!

Thanks again!


#6

Hello @Louiss,

It’s probably related to the old nginx cipher suite used by EE; you can replace it with this command:

sed -i 's/ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;/ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;/' /etc/nginx/nginx.conf

Then just reload nginx.
You can also take a look at ubuntu-nginx-web-server, it’s my GitHub repository to store all my configurations for EasyEngine.
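Editor's note on why the swap above fixes the handshake, with an added example that is not part of this thread or of the ee-acme-sh project: the EasyEngine cipher string ends with `!ECDH`, and in OpenSSL cipher syntax `ECDH` covers every ECDH key exchange including the ephemeral ECDHE suites, so `!ECDH` removes them all. An ECDSA certificate can only be used by ECDHE-ECDSA (or static ECDH-ECDSA) suites, so after the exclusion the server has no cipher it can offer with the new certificate and the TLS handshake fails, which Cloudflare surfaces as error 525. The one-liner in the post works only if `ssl_ciphers` still holds the exact string EE shipped. The script below instead reads whatever value is present, flags the `!ECDH` exclusion, replaces the directive's value with a backup, and reloads nginx only after `nginx -t` passes. The cipher list, file path and function names are assumptions chosen for the example.

```shell
#!/usr/bin/env bash
# Added example: safely replace the ssl_ciphers value in an nginx config.
# Not EasyEngine's or ee-acme-sh's code; the cipher list below is an assumption.

# Cipher list used for the example (assumption, not EE's default).
NEW_CIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'

# Print the first ssl_ciphers value found in FILE, without quotes or the ';'.
current_ciphers() {
    sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p' "$1" | head -n 1
}

# Return 0 when the cipher string contains the "!ECDH" token, which in OpenSSL
# syntax drops every ECDHE suite and leaves nothing an ECDSA certificate can use.
has_ecdh_exclusion() {
    case "$(current_ciphers "$1")" in
        *'!ECDH:'*|*'!ECDH') return 0 ;;
        *) return 1 ;;
    esac
}

# Replace the ssl_ciphers value in FILE with CIPHERS, keeping a timestamped
# backup. The file is rewritten in place so ownership and mode are preserved.
set_ciphers() {
    file=$1
    ciphers=$2
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    sed "s|^\([[:space:]]*ssl_ciphers[[:space:]]*\).*;|\1${ciphers};|" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Reload nginx only if the new configuration parses; otherwise leave the running
# config untouched so the site stays up while the backup is restored.
reload_if_valid() {
    if nginx -t; then
        nginx -s reload
    else
        echo "nginx config test failed; restore from the .bak file" >&2
        return 1
    fi
}
```

Typical use on an EE host is `set_ciphers /etc/nginx/nginx.conf "$NEW_CIPHERS" && reload_if_valid`; run `has_ecdh_exclusion /etc/nginx/nginx.conf` first to confirm the config actually carries the exclusion before changing it.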


#7

Hi @virtubox mate, thanks for the heads up!

May I know if that is a command I can apply directly, or do I have to do it one by one?


#8

Hello @Louiss,

You can run it directly and then reload nginx; it will be applied to all your sites.


#9

@virtubox, how do I run the command? sudo ubuntu-nginx-web-server ?


#10

Ah sorry, I haven’t seen there was a typo error in my previous message, and the link wasn’t displayed properly.


#11

@virtubox mate,

I do get this error: -bash: ubuntu-nginx-web-server: command not found

Am I missing something?


#12

@virtubox mate, thanks for saving me. This is working fine!