INFO: Please update to 0.3 – otherwise renewal will not work.
I was subsequently adding more and more hosts, so to enable https on those hosts, I kept adding domains to the Let’s Encrypt cli.ini (domains variable). This led to one chaotic set of domains that were all linked to the first domain in the list. After some iterations, I could not add any new domains, because I was caught in the rate limit that Let’s Encrypt imposes on its users during this public beta.
I started writing scripts to manage multiple sets, so I can now proudly present the ULEM: Uberspace Let’s Encrypt Manager. It consists of 3 shell scripts and 2 .ini files.
cli.ini.example (Please rename to cli.ini)
This is basically the cli.ini that was generated by uberspace-letsencrypt. Please note that I uncommented that the TOS has been accepted. You also need to set a proper email address and the paths as they are set in the real ~/.config/letsencrypt/cli.ini. If you have made any additional changes, please transfer them to this file as well. You may notice that it is lacking the domains part. This is intended.
sets.ini.example (Please rename to sets.ini)
Here you can specify different sets. Each set results in its own certificate, which you can then install in the load-balancer.
name_of_set = domain1,domain2,domain3
See the file for an example. Please note that the first domain in that list will also be the name of the folder in ~/.config/letsencrypt/live/.
With this script, you can get the certificate for a certain set rather than for all domains at once. The advantage is that you have manageable sets of domains, each connected to one certificate, rather than all your domains on a single certificate.
Usage: ./ulem_request_set.sh name_of_set
This will move the original cli.ini to cli.ini.ulem, create a new one based on this package’s cli.ini and the selected set, run letsencrypt certonly and restore the original cli.ini.
You want to do this for every set that you add or change. You will have to select to overwrite your certificates for this script to work properly.
This script is a shortcut to upload the generated certificate with uberspace-prepare-certificate. The advantage of using this script is that you can specify the set that you just created or updated.
Usage: ./ulem_activate_set.sh name_of_set
You want to run this every time you have run ./ulem_request_set.sh name_of_set
This script will check the certificates on the first domain of every set and automatically renew it, if the certificate expires in 28 days or less. To do that, just execute ./ulem_renew_all.sh and it will do the rest for you. If you don’t want it to renew a specific set, you can comment it out in sets.ini with a #.
It might be a good idea to run this script daily, e.g. via cron. If the certificates don’t have to be renewed, nothing will be done.
MAILTO="firstname.lastname@example.org"
30 4 * * * /path/to/ulem_renew_all.sh
Basically ulem_request_set.sh but set to be non-interactive, so the cronjob will work without user input.
If you can’t be bothered to find the sets.ini, you can run this command to see the names of your sets.
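The set lookup and the 28-day expiry check described above can be sketched as follows; this is an added example, not ULEM's own code. It assumes the `name_of_set = domain1,domain2` format shown earlier, matches set names as whole keys so that `set1` and `set1_subset` stay distinct, and checks a local certificate file with `openssl x509 -checkend` instead of querying the live host; the function names and sample sets are constructed.

```shell
#!/bin/sh
# Added example, not ULEM's own code. Function names and sample data are constructed.

# Write a constructed sets.ini-style file: "name_of_set = domain1,domain2".
write_sample_sets() {
    cat > "$1" <<'EOF'
set1 = example.org,www.example.org
set1_subset = shop.example.org
#disabled = old.example.org
EOF
}

# Print the domain list of set $2 from file $1; exit status 1 if there is no
# active set of that name. The key is compared as a whole string, so "set1"
# cannot match "set1_subset", and lines commented out with '#' are skipped.
set_domains() {
    awk -F'=' -v want="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want) { val = $2; gsub(/[ \t\r]/, "", val); print val; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# The first domain of a set, which is also the folder name under
# ~/.config/letsencrypt/live/.
first_domain() {
    domains=$(set_domains "$1" "$2") || return 1
    printf '%s\n' "${domains%%,*}"
}

# Return 0 if certificate file $1 expires within $2 days (default 28) or
# cannot be parsed, 1 if it is valid for longer, 2 if it is unreadable.
# openssl compares the timestamps itself, so no month names are parsed.
cert_needs_renewal() {
    [ -r "$1" ] || return 2
    ! openssl x509 -checkend $(( ${2:-28} * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# Demo: resolve each set name against the constructed file.
tmp=$(mktemp) && write_sample_sets "$tmp"
for s in set1 set1_subset disabled; do
    printf '%s -> %s\n' "$s" "$(first_domain "$tmp" "$s" || echo '(no active set)')"
done
rm -f "$tmp"
```

A renewal loop would call `cert_needs_renewal` on the certificate in the live folder named after `first_domain` for each active set.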
Download and changelog
- ulem-0.3.tar.bz2 (sig) (2016-04-07)
  - Changed .ini filenames to .ini.example to avoid overwriting your config files on update
  - Removed --agree-dev-preview from configuration examples
  - Changed renew routine to adapt to the missing letsencrypt-renewer script, which was previously provided
- ulem-0.2b.tar.bz2 (sig) (2016-02-28)
  - Added LC_ALL="en_US" as per comment’s suggestion.
- ulem-0.2a.tar.bz2 (sig) (2016-02-03)
  - This is Bugfix Release 0.1a all over again. Turns out I missed one spot. This finally fixes this potential issue everywhere.
- ulem-0.2.tar.bz2 (sig) (2016-02-02)
  - Changed uberspace-prepare-certificate to uberspace-add-certificate
  - Handling of renewal changed slightly. Since letsencrypt-renewer renews all domain-sets, ulem_renew_all.sh will only call letsencrypt-renewer once if any domain needs updating.
- ulem-0.1b.tar.bz2 (sig) (2016-02-01)
  - Script would fail on non-English environments for months that are abbreviated differently. Fixed by adding LANG="en_US" to the curl call. (Comment #4 has details)
- ulem-0.1a.tar.bz2 (sig) (2016-01-28)
  - Set names could collide if you had set1 and set1_subset. Fixed by adding a space to the grep. Whitespace after set-name in sets.ini is required.
- ulem-0.1.tar.bz2 (sig) (2016-01-27)
- Make verbosity configurable for ulem_renew_all.sh
- Remove the need to maintain a separate cli.ini and take everything from the supplied one, to be used as command line parameters
If you have any questions, found bugs or just want to say thank you, the comments or my jabber at email@example.com are the best way to be heard. Don’t be shy if there is something unclear, this is the first time I am trying to describe my little helpers and make them usable for others.
Free for all, attribution and beer on congress appreciated.