Although the standard Let's Encrypt process “certbot” is very easy and runs well on a web server, sometimes you want to generate certificates on an old server or a VM not running a web server. This script runs well on an old Ubuntu 10.04 VM I have at home.
First get the script –
git clone https://github.com/acmesh-official/acme.sh.git
You might be best to install that on your own machine using git, then copy it over to the machine that needs to generate the SSL certificates.
Now move it to a sensible place
cd acme.sh/
mv acme.sh /usr/local/bin
Install a required program
apt-get install socat
This needs to be done on the machine running the acme script. Obviously that command only works on Debian/Ubuntu! Other distros install socat their own way.
Also create a directory for the acme certificates to go. I suggest –
mkdir /etc/acme
To create the first certificates stop your web server (if running) e.g.
/etc/init.d/apache2 stop
Now run acme.sh for the first time.
acme.sh --issue --standalone --home /etc/acme -d HOSTNAME.org.uk
or if there are multiple addresses for the one domain –
acme.sh --issue --standalone --home /etc/acme -d HOSTNAME.org.uk -d www.HOSTNAME.org.uk
or even
acme.sh --issue --standalone --home /etc/acme -d HOSTNAME -d mail.HOSTNAME -d otherservice.HOSTNAME
The --issue asks for a certificate on that domain and --standalone starts a simple server listening on port 80. The --home tells acme.sh to store the certificates under /etc/acme.
NOTE: see the end about using the --staging parameter.
It will create a bunch of directories under /etc/acme
The SSLCertificateFile
/etc/acme/hostname/hostname.cer
The SSLCertificateKeyFile
/etc/acme/hostname/hostname.key
and the SSLCertificateChainFile
/etc/acme/hostname/fullchain.cer
Now start the web server again, e.g.
/etc/init.d/apache2 start
You will want to run this script once a week or so
/usr/local/bin/acme.sh --home /etc/acme --cron
You can run it now to test it without causing any problems.
Something you might like to use the first time (OK, a bit late now!) is the “--staging” parameter when you create your domain certificate. This uses the staging server and allows you to try the service out without issue. If you issue certificates too many times LE will ban your connection for a while. If you are just testing it USE THIS!
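The stop, issue, start steps above can be wrapped in one shell function so that the web server is started again even when acme.sh fails, and so that --staging can be switched on for a trial run. This is an added example, not part of the original post or of acme.sh; the function name issue_cert, the three variables and the chmod 700 on the certificate directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: wraps the stop / issue / start steps in one function.
# Names and defaults below are assumptions of this example.
ACME_BIN="${ACME_BIN:-/usr/local/bin/acme.sh}"
ACME_HOME="${ACME_HOME:-/etc/acme}"
WEB_INIT="${WEB_INIT:-/etc/init.d/apache2}"

# Usage: issue_cert [--staging] HOSTNAME [HOSTNAME...]
issue_cert() {
    staging=""
    if [ "${1:-}" = "--staging" ]; then
        staging="--staging"
        shift
    fi
    if [ "$#" -lt 1 ]; then
        echo "usage: issue_cert [--staging] HOSTNAME..." >&2
        return 2
    fi

    # Validate every name before touching the web server, so a typo
    # never causes downtime and a name can never be read as an option.
    dargs=""
    for h in "$@"; do
        case "$h" in
            ''|-*|*[!A-Za-z0-9.-]*)
                echo "refusing hostname: $h" >&2
                return 2 ;;
        esac
        dargs="$dargs -d $h"
    done

    # Private keys are written here; owner-only access is a hardening
    # choice of this example, not a step from the post.
    mkdir -p "$ACME_HOME" || return 1
    chmod 700 "$ACME_HOME" || return 1

    # --standalone needs port 80, so the web server has to be down.
    "$WEB_INIT" stop || true

    rc=0
    # $staging and $dargs are left unquoted on purpose: they hold
    # several words that were validated above.
    "$ACME_BIN" --issue --standalone --home "$ACME_HOME" $staging $dargs || rc=$?

    # Always bring the web server back, even if issuing failed.
    "$WEB_INIT" start || return 1
    return "$rc"
}
```

Source the file as root and call, for example, issue_cert --staging HOSTNAME.org.uk www.HOSTNAME.org.uk; drop --staging once the trial run succeeds.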