HTTPS tool

Shell scripts to enable Let's Encrypt.

For detail, check https://github.com/certbot/certbot

Folder structure

.
├── README.md               # this file
├── build-test.sh           # test creating .pem files. Usage: sudo ./build-test.sh DOMAIN EMAIL
├── build.sh                # create .pem files. Usage: sudo ./build.sh DOMAIN EMAIL DEST
├── install.sh              # install Let's Encrypt client wrapper certbot-auto. Usage: sudo ./install.sh
└── renew.sh                # do cert renewal. Usage: sudo ./cert-renew.sh

Quick start

git clone https://github.com/hankchiutw/https-tool.git
cd https-tool
sudo ./install.sh
sudo ./build.sh [email protected] example.com /data/cert

How it works

Install Let's Encrypt client -> Build .pem files -> (Setup your https server) -> Schedule certification renewal.

install.sh

It will install certbot-auto under /usr/local/bin/. certbot-auto is a wrapped Let's Encrypt client.

To install manually:

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto

# do install process
./certbot-auto

build.sh: create .pem files

Provide adminstrator's email(--email) and domain name of current machine(-d).

Use --test-cert first, once ok, use without --test-cert.

./certbot-auto certonly --test-cert --standalone --email [email protected] -d example.com

The certificated files will be stored in /etc/letsencrypt/live/.

Running with Docker

If the above methods with certbot-auto are not applicable, use Docker as descibed here.

sudo docker run -it --rm -p 443:443 -p 80:80 --name certbot \
            -v "/etc/letsencrypt:/etc/letsencrypt" \
            -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
            quay.io/letsencrypt/letsencrypt:latest auth

But you still need certbot-auto to do renewal.

Renew

The certification will be expired every 90 days. To do renewal:

./certbot-auto renew

For production, schedule renew.sh as a cron event:

# m h dom mon dow user  command
00 00    1 * *   root    /usr/local/renew.sh

Example nginx setting with proxy and SSL

Replace public.ip, public.domain.name and .pem file location in your context.

upstream internal {
    server public.ip:80;
    keepalive 256;
}

server {
    listen         80;
    server_name    public.domain.name;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name    public.domain.name;

# HTTPS server

    ssl on;
    ssl_certificate cert/fullchain.pem;
    ssl_certificate_key cert/privkey.pem;

    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass  http://internal/;
        proxy_set_header   Connection "";
        proxy_http_version 1.1;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

hankchiutw / https-tool Goto Github PK

https-tool's Introduction

HTTPS tool

Folder structure

Quick start

How it works

install.sh

build.sh: create .pem files

Running with Docker

Renew

Example nginx setting with proxy and SSL

References

https-tool's People

Contributors

Watchers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent