Simplest shell script for LetsEncrypt free Certificate client

Simple and Powerful, you only need 3 minutes to learn.

Written purely in bash, with no dependencies on python, acme-tiny or the official LetsEncrypt client.
Just one script to issue and renew your certificates automatically.

It is probably the smallest, easiest and smartest shell script to automatically issue and renew free certificates from LetsEncrypt.

Does NOT require `root/sudoer` access.
3. Windows (cygwin with curl, openssl and crontab included)
5. pfsense with bash and curl
1. Clone this project: https://github.com/Neilpang/le.git

You don't have to be root then, although it is recommended.

* create and copy `le.sh` to your home dir: `~/.le`
  All the certs will be placed in this folder.
* create alias: `le.sh=~/.le/le.sh` and `le=~/.le/le.sh`.
* create a daily cron job to check and renew the cert if needed.

After installing, you must close the current terminal and reopen it for the alias to take effect.

OK, you are ready to issue a cert now.
```
https://github.com/Neilpang/le
Usage: le.sh [command] ...[args]....
Install le.sh to your system.
Install the issued cert to apache/nginx or any other server.
Uninstall le.sh, and uninstall the cron job.
Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
Uninstall the cron job. The 'uninstall' command can do this automatically.
Create an account private key, professional use.
Create an domain private key, professional use.
Create CSR , professional use.
```

```
root@v1:~/le# le issue
Usage: le issue webroot|no|apache|dns a.com [www.a.com,b.com,c.com]|no [key-length]|no
```
Setting a param value to "no" means you want to ignore it.

For example, if you give "no" to "key-length", it will use the default length 2048.

And if you give 'no' to 'cert-file-path', it will not copy the issued cert to the "cert-file-path".

In all cases, the issued cert will be placed in "~/.le/domain.com/"
```
le issue /home/wwwroot/aa.com aa.com
```

Multiple domains in the same cert:

```
le issue /home/wwwroot/aa.com aa.com www.aa.com,cp.aa.com
```

The first argument `/home/wwwroot/aa.com` is the web root folder. You must have `write` access to this folder.

The second argument "aa.com" is the main domain you want to issue the cert for.

The third argument is the additional domain list you want to use. It is a comma-separated list and is optional.

You must point and bind all the domains to the same webroot dir: `/home/wwwroot/aa.com`

The cert will be placed in `~/.le/aa.com/`

The issued cert will be renewed every 80 days automatically.
# Install issued cert to apache/nginx etc.

```
le installcert aa.com /path/to/certfile/in/apache/nginx /path/to/keyfile/in/apache/nginx /path/to/ca/certfile/apache/nginx "service apache2|nginx reload"
```

Install the issued cert/key to the production apache or nginx path.

The cert will be renewed every 80 days by default (which is configurable). Once the cert is renewed, apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload`
# Use Standalone server to issue cert (requires you to be root/sudoer, or to have permission to listen on tcp port 80):
Same usage as all of the above, just give `no` as the webroot.
Tcp port `80` must be free to listen on, otherwise you will be prompted to free port `80` and try again.

```
le issue no aa.com www.aa.com,cp.aa.com
```
# Use Apache mode (requires you to be root/sudoer, since it needs to interact with the apache server):
If you are running a web server, apache or nginx, it is recommended to use the Webroot mode.
In particular, if you are running an apache server, you can use apache mode instead, which doesn't write any files to your web root folder.

Just pass the string "apache" as the first argument, and it will use the apache plugin automatically.

```
le issue apache aa.com www.aa.com,user.aa.com
```

All the other arguments are the same as before.
Supports the latest dns-01 challenge.

```
le issue dns aa.com www.aa.com,user.aa.com
```

You will get output like below:

```
Add the following txt record:
Domain:_acme-challenge.aa.com
Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c

Add the following txt record:
Domain:_acme-challenge.www.aa.com
Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Please add those txt records to the domains, then wait for the dns changes to take effect.
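
Before retrying, it is worth confirming that the TXT records are actually published. The following is an added example, not part of le.sh: it parses the `Domain:`/`Txt value:` pairs in the output format shown above and compares each against what DNS returns. It assumes `dig` is installed; the function names and the `RESOLVE` variable are this example's own.

```shell
#!/bin/sh
# Added example, not part of le.sh: check that the TXT records printed by
# `le issue dns ...` are visible in DNS before retrying.

# Read le's output on stdin; print one "record-name txt-value" line per record.
parse_txt_records() {
  awk '
    /^Domain:/    { sub(/^Domain:[ \t]*/, "");    name = $0; next }
    /^Txt value:/ { sub(/^Txt value:[ \t]*/, ""); if (name != "") print name, $0
                    name = "" }
  '
}

# Succeed if the expected value is among the answers on stdin. `dig +short TXT`
# prints each answer wrapped in double quotes, so strip them before comparing.
txt_matches() {
  tr -d '"' | grep -Fqx -e "$1"
}

# Read "name value" lines on stdin and look each one up. RESOLVE is the lookup
# command (assumption: dig is installed); point it at the zone's authoritative
# server to avoid cached answers. Returns 1 if any record is missing or wrong.
check_records() {
  missing=0
  while read -r name value; do
    if ${RESOLVE:-dig +short TXT} "$name" </dev/null | txt_matches "$value"; then
      echo "ok       $name"
    else
      echo "MISSING  $name"
      missing=1
    fi
  done
  return "$missing"
}
```

Save the `le issue dns` output to a file and run `parse_txt_records < saved-output | check_records`; a non-zero exit status means at least one record is not visible yet.
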

Then just retry with 'renew' command:

# Automatic dns api integration

If your dns provider supports api access, we can use the api to automatically issue certs.
You don't have to do anything manually.

### Currently we support:

1. Cloudflare.com api
4. AWS Route 53, see: https://github.com/Neilpang/le/issues/65

More apis are coming soon....

If your dns provider is not in the supported list above, you can easily write your own api script.

For more details: [How to use dns api](dnsapi)
# Issue ECC certificate:
LetsEncrypt can now issue ECDSA certificates.
And we also support them.

Just set the `length` parameter with the prefix `ec-`.

```
le issue /home/wwwroot/aa.com aa.com no ec-256
```

SAN multiple domains:

```
le issue /home/wwwroot/aa.com aa.com www.aa.com,cp.aa.com ec-256
```

Please look at the last parameter above.

1. ec-256 (prime256v1, "ECDSA P-256")
2. ec-384 (secp384r1, "ECDSA P-384")
3. ec-521 (secp521r1, "ECDSA P-521", which is not supported by letsencrypt yet.)
Speak ACME language with bash directly to Let's encrypt.

1. Acme-tiny: https://github.com/diafygi/acme-tiny
2. ACME protocol: https://github.com/ietf-wg-acme/acme
3. letsencrypt: https://github.com/letsencrypt/letsencrypt

Please Star and Fork me.

Issues and pull requests are welcomed.