let's encrypt

February 6, 2020 @ 20:40

These days, everyone should be using SSL to secure, well, everything. It used to be that SSL certificates were really expensive, but with free providers like Let's Encrypt, there's not much excuse anymore.

Well... sorta.

In theory this is really easy to do, and easy to automate. In practice, well, a lot of the tools just plain suck, or they're designed for the most basic use-case and the most commonly used DNS providers. Or, they expect you to use the certificate for a public website.

In my case, I have a number of private websites in addition to this one, and Postfix and Dovecot for my email. So I have to generate a few certificates, and then copy them to several machines and restart a bunch of daemons.

Also, for various reasons, I'm still using djbdns for my DNS, and so I've got to do things a little manually.

Here's my renew script; just call it with a list of domain names:

#!/bin/bash
# Usage: renew.sh example.com www.example.com ...
# Turn each domain name into a "-d domain" pair for certbot.
function join {
    for arg in "$@"; do
        echo -n "-d $arg "
    done
    echo
}
domains=$(join "$@")

# $domains is deliberately left unquoted so it splits into separate arguments.
certbot certonly --manual --preferred-challenges=dns \
                 --manual-auth-hook ~/bin/certbot-auth.sh \
                 --manual-public-ip-logging-ok --agree-tos \
                 $domains

That join function is a bit of a hack, but hey, it works.

Here's the auth-hook script. Certbot runs it once per domain with CERTBOT_DOMAIN and CERTBOT_VALIDATION set in the environment; it generates a TXT record suitable for import into djbdns and copies that to my server into the right place.

#!/bin/bash
set -eu

rec="_acme-challenge.${CERTBOT_DOMAIN}"
# tinydns-data TXT record format: 'fqdn:text:ttl
echo "'${rec}:${CERTBOT_VALIDATION}:300" > "/tmp/${rec}"
scp -i ~/.ssh/id_rsa "/tmp/${rec}" dns@myserver:/var/dns/extdns/root/dynamic/

# Give the new record time to be published before certbot asks the CA to check it.
sleep 30

That sleep gives me 30 seconds to go and manually run the "regenerate" step on the DNS server. It's crude, but it's better than nothing.
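As an added example (my own, not the post's script), here is a variant of the auth hook that does two things the fixed 30-second sleep does not: it escapes the TXT payload the way tinydns-data expects, so a stray colon or backslash cannot break the record line, and it polls DNS until the _acme-challenge record is actually visible before returning to certbot, so the CA's lookup does not race the zone rebuild. It assumes dig is installed, that the host name "myserver" from the post answers DNS queries directly, and that a 5-second poll interval with 20 tries is acceptable; those values are my choices, not the post's.

```shell
#!/bin/bash
# Added example: tinydns-aware ACME auth hook with DNS propagation polling.

# Escape the characters tinydns-data treats specially in a TXT value
# (backslash and colon) as \ooo octal so the payload can't break the record.
tinydns_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\134/g' -e 's/:/\\072/g'
}

# Print one tinydns-data line for a TXT record:  'fqdn:text:ttl
tinydns_txt_record() {
    local fqdn="$1" value="$2" ttl="${3:-300}"
    printf "'%s:%s:%d\n" "$fqdn" "$(tinydns_escape "$value")" "$ttl"
}

# Poll a name server until the TXT record carries the expected value.
# Returns 0 when seen, 1 after max_tries attempts (5 s apart).
# The default resolver "myserver" is assumed to be the authoritative host.
wait_for_txt() {
    local fqdn="$1" expected="$2" max_tries="${3:-20}" resolver="${4:-myserver}"
    local i=1
    while [ "$i" -le "$max_tries" ]; do
        if dig +short @"$resolver" TXT "$fqdn" | tr -d '"' | grep -qxF -- "$expected"; then
            return 0
        fi
        sleep 5
        i=$((i + 1))
    done
    return 1
}

# When certbot runs this as --manual-auth-hook, CERTBOT_DOMAIN and
# CERTBOT_VALIDATION are set. Otherwise do nothing, so the file can be sourced.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    rec="_acme-challenge.${CERTBOT_DOMAIN}"
    tinydns_txt_record "$rec" "$CERTBOT_VALIDATION" 300 > "/tmp/${rec}"
    scp -i ~/.ssh/id_rsa "/tmp/${rec}" dns@myserver:/var/dns/extdns/root/dynamic/
    wait_for_txt "$rec" "$CERTBOT_VALIDATION" 20 || {
        echo "TXT record for ${rec} not visible after polling; aborting" >&2
        exit 1
    }
fi
```

Because the hook exits non-zero when the record never appears, certbot fails the challenge cleanly instead of burning a validation attempt against a zone that was not rebuilt yet; the manual "regenerate" step still has to happen, but now the script notices whether it did.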