[TriLUG] test

Lance A. Brown via TriLUG trilug at trilug.org
Tue Jun 7 10:15:29 EDT 2016


Alan Porter via TriLUG wrote on 6/6/2016 8:11 PM:
> On a side note, recently, I have been looking at "Let's Encrypt" and it
> looks very promising.  It's a free service, spearheaded by Mozilla and
> Cisco (my current employer, incidentally).  My personal domains are
> using LetsEncrypt certs.  For simple web sites, it's super easy to set
> up.  I hit a small snag on the IPv6-only domain
> https://ipv6.alanporter.com/, but other than that, it went well.  I have
> not renewed yet... the certs last 90 days and can be renewed after 60. 
> So I am anxious to see if that's as simple as they claim (cron job,
> anyone?).  Let's Encrypt was featured on the cover of this month's Linux
> Journal (e-)magazine (although their article dove into using docker to
> insulate themselves from any side effects of the scripts, so I thought
> it was not as approachable as an article on "free, easy SSL certs"
> should have been).

I've been using Let's Encrypt certificates on my servers for a few
months now: my personal email server (postfix/dovecot), and a linode
with several websites.  The only real problem was CentOS6.  When I set
things up, LE didn't support python 2.6 so I had to get python 2.7
working properly.  I believe LE runs on python 2.6 now.

I use this /etc/cron.d entry to renew my certs:

# Run renew-letsencrypt on the 1st of every odd month
30 0 1 */2 * root /usr/local/libexec/renew-letsencrypt

and /usr/local/libexec/renew-letsencrypt:

#!/bin/sh

# renew certificate
scl enable python27 -- bash /usr/local/letsencrypt/letsencrypt-auto \
   certonly --debug \
   --config /etc/letsencrypt/circle.dyn.bearcircle.net.ini
# restart services to pick up new cert
service postfix restart
service dovecot restart

I'm on CentOS6 so I scl python27 to run the letsencrypt-auto script.

and circle.dyn.bearcircle.net.ini:

# the default is 2048 (more is better)
rsa-key-size = 4096
# plugin
authenticator = webroot
# webroot
webroot-path = /var/www/html
# domains
domains = den2.bearcircle.net
# flags
# renew is good for automation
renew-by-default

I run apache on that server so it's easy to use the webroot LE
authenticator.

Hope this helps.

--[Lance]
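A variant of the renewal wrapper above, added here as an example and not part of the original post: it restarts the mail services only when the renewal command succeeds, then checks that the certificate will outlast the roughly 62-day gap to the next bimonthly cron run. The certificate path (standard /etc/letsencrypt/live layout), the 65-day margin, the `--run` switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed: CERT path (standard /etc/letsencrypt/live layout), 65-day margin.
CERT="${CERT:-/etc/letsencrypt/live/den2.bearcircle.net/cert.pem}"
# Renewal and restart commands as given in the post.
RENEW='scl enable python27 -- bash /usr/local/letsencrypt/letsencrypt-auto certonly --debug --config /etc/letsencrypt/circle.dyn.bearcircle.net.ini'
RELOAD='service postfix restart && service dovecot restart'

# Return 0 if the certificate in $1 is still valid $2 days from now.
# A missing or unreadable file counts as "not valid" (fails closed).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# $1 renew command, $2 reload command, $3 certificate file, $4 minimum days.
# Returns 0 ok, 1 renewal failed, 2 reload failed, 3 certificate too close
# to expiry to survive until the next scheduled run.
renew_and_reload() {
    renew_cmd=$1 reload_cmd=$2 cert=$3 min_days=${4:-65}
    if ! sh -c "$renew_cmd"; then
        echo "renewal failed; services left untouched" >&2
        return 1
    fi
    if ! sh -c "$reload_cmd"; then
        echo "renewed, but service restart failed" >&2
        return 2
    fi
    if ! cert_valid_for_days "$cert" "$min_days"; then
        echo "certificate $cert expires within $min_days days" >&2
        return 3
    fi
    return 0
}

# Only act when called as: renew-letsencrypt --run (for example from cron).
# Anything written to stderr ends up in cron's mail to the job owner.
if [ "${1:-}" = "--run" ]; then
    renew_and_reload "$RENEW" "$RELOAD" "$CERT" 65
    exit $?
fi
```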

