getssl's People

Contributors

532910, atisne, bahamat, baquilla, cyrusjoudieh, decker502, dedinext, inprogressbs, jeffmerkey, jsoref, kbabioch, koter84, leo963, m007, micheloe, nikdow, pecigonzalo, peterdavehello, quingkhaos, radek-sprta, rdebath, rklomp, scott-42, sideeffect42, softins, timkimber, tlhackque, tohn, tslodki, xyide


getssl's Issues

Error when generating certificate "for some reason could not reach..."

I'm getting an issue when trying to get an SSL certificate; it says:

for some reason could not reach http://example.com/.well-known/acme-challenge/z3aLptRJhGLHBw-Nb_sizrTcCCcGItXRp16vEMVGwlM - please check it manually.

I'm not sure where the problem is; here is the configuration file:

# Uncomment and modify any variables you need
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"
#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
# Set an email address associated with your account - generally set at account level rather than domain.
ACCOUNT_EMAIL="[email protected]"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/root/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=www.example.com
# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
ACL=('/var/www/example.com/web/.well-known/acme-challenge'
     'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge'
     'ftp:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge')
# Location for all your certs, these can either be on the server (so full path name) or using ssh as for the A$
DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
#CA_CERT_LOCATION="/etc/ssl/chain.crt"
#DOMAIN_CHAIN_LOCATION="" this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" this is the domain_key. domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use
#RELOAD_CMD=""
# The time period within which you want to allow renewal of a certificate
# this prevents hitting some of the rate limits.
RENEW_ALLOW="30"
# Define the server type. This can either be a webserver, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="webserver"
#CHECK_REMOTE="true"
# Use the following 3 variables if you want to validate via DNS
#VALIDATE_VIA_DNS="true"
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=
#AUTH_DNS_SERVER=""
#DNS_WAIT=10
#DNS_EXTRA_WAIT=60

Hopefully someone here can help with this issue.

Document how to enter empty values

create-getssl-config mentions at the start that just pressing enter uses the default. At least for the Additional domain names a.k.a. SANS question, empty is a perfectly valid and reasonable answer. Please print something to tell the user about '' or "" as input for empty values.

WORKING_DIR in config file has no effect

I defined WORKING_DIR in my account getssl.cfg and did not define it at domain level.

Running getssl -c did not create folders below this directory, but in the default one.

It looks like in getssl, DOMAIN_DIR is defined before the new WORKING_DIR is read out of the config file, and then it isn't defined anew :-/

Corrections to work with older slackware

On box Slackware 12 with some packages from Slackware 13:

  1. The curl package from Slackware 13 should be installed. With the curl from 12, getssl always loses TEMP_DIR (deleted? it complains about the absence of the tmp/curl.header file). Probably some curl option is missing in the older curl. Curl 7.19.6 from Slackware 13 is OK.
  2. GNU grep 2.5.3 cannot grep properly with -o and a .* pattern in files with CRLF line endings, and HTTP headers are such files. So, please remove the -o option, as it's redundant and not needed anyway.
-CertData=$(os_grep -i -o '^Location.*' "$CURL_HEADER" |os_sed 's/\r//g'| cut -d " " -f 2)
+CertData=$(os_grep -i '^Location.*' "$CURL_HEADER" |os_sed 's/\r//g'| cut -d " " -f 2)
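Review bot: dropping -o only keeps the output identical because the pattern is anchored at ^ and ends in .*, which already makes the match span the whole line; with -o gone the .* is dead weight and '^Location' would be clearer. The remaining fragility is `cut -d " " -f 2`, which assumes exactly one space after the colon, so a header written as `Location:  value` or with a tab yields an empty CertData; splitting on the first colon and trimming whitespace would survive both, and the `sed 's/\r//g'` should stay, since the CR is what breaks older grep here.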
  3. Also, it's useful to call RELOAD_CMD with eval instead of just $RELOAD_CMD, because this way I can add multiple commands into it. It's useful when you cannot just apachectl restart an older apache (Apache/2.2.10), because it forgets that it was started with startssl and there is no 'restartssl', but a plain 'restart' somehow does not restart ssl properly and it does not get the certificate updates, or ssl wasn't started at all (depending on luck). Thus, I want to do RELOAD_CMD="apachectl stop; sleep 3; apachectl startssl". But this does not work when you run RELOAD_CMD with just $RELOAD_CMD, and works fine when you do eval $RELOAD_CMD.
-      $RELOAD_CMD
+      eval "$RELOAD_CMD"
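Review bot: with eval, RELOAD_CMD becomes shell source rather than one argv, so whoever can write getssl.cfg can run arbitrary commands in the script's (typically root) context; the cfg is already sourced as shell elsewhere on this page, but this line deserves a comment saying so and a check that the cfg is not group- or world-writable before it is read. The quoted form `eval "$RELOAD_CMD"` in the hunk is the right one; the unquoted `eval $RELOAD_CMD` mentioned in the text would word-split and glob the value before eval sees it.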

Thanks,

Multiple destinations for copy of files

This isn't really an issue, and I have no idea how to really use github to suggest this, but I wanted to copy the .crt files to more than one place, one locally and another on a remote server via scp, so I added a bit of code to put a loop in copy_file_to_location(). It's probably not very elegant, but it does the job for me. Perhaps you can make it more efficient and add it to your script?

copy_file_to_location() { # copies a file, using scp if required.
  cert=$1   # descriptive name, just used for display
  from=$2   # current file location
  #to=$3     # location to move file to.
  fullto=$3     # location to move file to.
  for to in ${fullto}
  do
    to=$(echo ${to}|sed -e 's/ //g') # this gets rid of the space after each destination, if there is one
    #
    # body of function unaltered
    #
  done
}

I then changed the config file as follows:
DOMAIN_CERT_LOCATION="/etc/certs/LE/test ssh:remote:/etc/certs/LE/test"

Copying challenge token fails: /tmp is a directory

While trying to generate a new certificate from the Let's Encrypt staging server, I get the following output:

Registering account
Verify each domain
Verifing example.com
./getssl: line 890: /home/jbooker/.getssl/example.com/tmp/: Is a directory
copying challenge token to /var/www/html/www.example.com/.well-known/acme-challenge/
cp: omitting directory `/home/jbooker/.getssl/example.com/tmp/'
getssl: cannot copy /home/jbooker/.getssl/example.com/tmp/ to /var/www/html/www.example.com/.well-known/acme-challenge/

In looking at the output from --debug, I'm noticing that the http01, token, and uri variables are all empty, which then causes line 890 to run cp on the whole directory. The debug output:

code 201
completed send_signed_request
http01
token
uri
keyauthorization <redacted>
./getssl: line 890: /home/jbooker/.getssl/example.com/tmp/: Is a directory
copying file from /home/jbooker/.getssl/example.com/tmp/ to /var/www/html/www.example.com/.well-known/acme-challenge
copying challenge token to /var/www/html/www.example.com/.well-known/acme-challenge/
copying from /home/jbooker/.getssl/example.com/tmp/ to /var/www/html/www.example.com/.well-known/acme-challenge/
cp: omitting directory `/home/jbooker/.getssl/example.com/tmp/'
getssl: cannot copy /home/jbooker/.getssl/example.com/tmp/ to /var/www/html/www.example.com/.well-known/acme-challenge/

If it helps, this is an older CentOS 5 / RHEL 5 system.

Error registering account on Raspbian 8 (Jessie)

As requested, I repost the issue here (1.25, 1.26 and 1.27 have the same behavior).

Message:
Expires: Wed, 03 Aug 2016 18:15:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 110
Boulder-Request-Id: FeRDzOzJKyjgO5wXc9oF7gFdWskCJ_GymlPEDS9yC94
Replay-Nonce: 47KMBxhmvqyytQJeCR3sD-Y1_mrh6mXLC3yuSLwvYO4
Expires: Wed, 03 Aug 2016 18:15:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 03 Aug 2016 18:15:04 GMT
Connection: close
response {
"type": "urn:acme:error:malformed",
"detail": "Request payload did not parse as JSON",
"status": 400
}
code 400
getssl: Error registering account

I attach the config files (main + domain) below.
Commands are performed locally on the web server, which is perfectly reachable from the internet (other sites work with ssl on the same box/ip).

Thank you for your help, this is a great project.


global_getssl.txt
domain_getssl.txt

Create chained file

Would be nice to have a file with the certificate chain in addition to having the chain and certificate separately.
It is basically just chain.crt appended to example.com.crt, but it would allow pointing the web/mail server right there and not writing boilerplate for copying files on every setup.

400 Bad Request due to ^M in $AGREEMENT

Using getssl 1.25 I got

response {
  "type": "urn:acme:error:malformed",
  "detail": "Request payload did not parse as JSON",
  "status": 400
}

apparently because $AGREEMENT had a ^M appended by the code that updates the variable. Setting AGREEMENT specifically in getssl.cfg (not letting the script set it) it works.
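The grep -o problem in the Slackware post above and this ^M in $AGREEMENT are the same defect seen twice: a CR from a CRLF header line surviving into a value the script reuses. The following is an added example, not getssl's own code, of a header extractor that needs neither grep -o nor a single-space cut and strips the CR before the value is used; header_value, link_url_for_rel and the sample header file are this example's own, and it assumes the agreement URL is advertised in a Link header with rel="terms-of-service".

```shell
#!/bin/sh
# Added example (not getssl's own code): pull a header value out of a curl
# header dump without grep -o and without the CR of a CRLF line ending.
# Function names and the sample headers are constructed for this example.

cr=$(printf '\r')

# Print every value of header $2 (case-insensitive) found in header file $1.
# A CR left on the value would travel into the next JSON request body, which
# the CA rejects as "Request payload did not parse as JSON".
header_value() {
  hdr_file=$1
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  found=1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                           # strip CR from CRLF
    case $line in *:*) ;; *) continue ;; esac    # status line or blank line
    key=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
    [ "$key" = "$want" ] || continue
    val=${line#*:}
    val=${val#"${val%%[! ]*}"}                   # trim leading spaces
    printf '%s\n' "$val"
    found=0
  done < "$hdr_file"
  return $found
}

# From the Link headers in file $1, print the URL whose rel attribute is $2
# (assumption: the agreement URL comes as rel="terms-of-service").
link_url_for_rel() {
  header_value "$1" Link | while IFS= read -r link; do
    case $link in
      *"rel=\"$2\""*) link=${link#*<}; printf '%s\n' "${link%%>*}" ;;
    esac
  done
}

# Constructed sample: a CRLF-terminated response like the ones curl -D writes.
write_sample_headers() {
  printf 'HTTP/1.1 201 Created\r\nServer: nginx\r\nLocation: https://acme-v01.api.letsencrypt.org/acme/reg/123\r\nLink: <https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf>;rel="terms-of-service"\r\nReplay-Nonce: placeholder-nonce\r\n\r\n' > "$1"
}

# Stand-alone demo: run as "sh thisfile demo".
demo() {
  f=$(mktemp)
  write_sample_headers "$f"
  echo "Location:  $(header_value "$f" location)"
  echo "Agreement: $(link_url_for_rel "$f" terms-of-service)"
  rm -f "$f"
}
if [ "${1:-}" = demo ]; then demo; fi
```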

Use the same ACL for multiple domains

I have Nginx reverse proxy on server that handles almost all TLS-related stuff for multiple Docker containers. For simplicity I'd like to point .well-known/acme-challenge for every supported domain to the same directory.

Would be nice if the script picked the first element in the ACL variable if the necessary index doesn't exist.

For instance, the following should work:

SANS="s0.example.com,s1.example.com"
ACL=('/etc/nginx/acme-challenge')

Or even better, having ACL=('/etc/nginx/acme-challenge') in main config would be really nice.

And every virtual host in Nginx will have:

location /.well-known/acme-challenge {
    alias /etc/nginx/acme-challenge;
}

This would greatly unify virtual hosts.

Problem with SERVER_TYPE

There is a problem at line 712 that prevents setting the port for "other server".
The current line is
REMOTE_PORT=SERVER_TYPE
but should be
REMOTE_PORT=${SERVER_TYPE}

Does the private key renew?

Hi,
doing getssl -f ... gets a new cert. The key remains the same. Does getssl renew the private keys at some point? Is there, or can there be, a config setting like NEW_PRIVATE_KEY to automatically renew it every X days for the whole account and for the specific domain in the domain config?

Permissions of keys

It would be nice if private keys were not readable by others by default. E.g. before openssl genrsa etc, set umask 077 and restore it afterwards.

wrong sql statement

the script getssl/dns_scripts/dns_del_pdns-mysql doesn't delete the record _acme-challenge.

No key/cert/ACL file is being written.

$ getssl EXAMPLE.co.uk
/home/USER/.getssl/EXAMPLE.co.uk/getssl.cfg: line 66: unexpected EOF while looking for matching `"'
/home/USER/.getssl/EXAMPLE.co.uk/getssl.cfg: line 69: syntax error: unexpected end of file
archiving old certificate file to /home/USER/.getssl/EXAMPLE.co.uk/EXAMPLE.co.uk.crt_2016-04-27_2016-07-26
Registering account
Verify each domain
Verifing pickle-it.co.uk
getssl: ACL location not specified for domain EXAMPLE.co.uk in /home/USER/.getssl/pickle-it.co.uk/getssl.cfg

issues:

  1. I don't have a line 69.
  2. re: line 66 error - it seems that any commented out variable (with anything after the "=" sign), causes a syntax error.
  3. ACL location not specified for domain EXAMPLE.co.uk in /home/USER/.getssl/pickle-it.co.uk/getssl.cfg - I have double checked that I have the correct number of ACLs listed and that the first line is for the domain; but the issue still occurs.
  4. no key, cert or ACL files are being written.

Non-standard ports for HTTP/HTTPS

My test/development server uses port 7800 for HTTP and 7440 for HTTPS. (My production server at the same IP address uses the standard ports of 80 and 443.) I need to use getssl against my test/development server, but even though I change "webserver" to "7440", it seems to be checking against 443 (my production server), where it finds an SSL certificate from another source. I'm trying to set up with letsencrypt.org, but need to prove it out on my test/development server first before changing my production server.

Should I be specifying the HTTP port (7800) instead of the HTTPS port (7440), or is there another (undocumented) trick to doing this?

Thanks in advance - Jack

ACL requirement

From what I understand ACL is actually required.
However, there is nothing about it explicitly in readme, so when using default config verification fails.

Permissions of challenge token cause problems

If umask is too restrictive (in my case it is 0077) copy_file_to_location() will cp the challenge token probably with insufficient permissions. The script should make sure permissions of the challenge token include "world readable".

Version 1.25 of getssl does chmod 755 "$TEMP_DIR/$token" but copy_file_to_location() uses cp without -p, hence a new file with new permissions is created.

BTW, is there a specific reason why 755 is used for a plain file rather than 0644?
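One way to cover this report, the earlier "Permissions of keys" request, and the "Is a directory" copy failure further up in the script's own shell, written here as an added example rather than getssl's code; with_private_umask, gen_private_key, copy_token_world_readable and file_mode are names chosen for this example, and the token file is constructed.

```shell
#!/bin/sh
# Added example (not getssl's own code): create private keys under a
# restrictive umask without touching the caller's umask, and copy a challenge
# token so the web server can read it even when the caller's umask is 0077.

# Run a command in a subshell with umask 077, so any file it creates is
# owner-only (0600). Leaving the subshell restores the caller's umask.
with_private_umask() {
  ( umask 077 && "$@" )
}

# Generate an RSA private key as an owner-only file. openssl genrsa -out
# creates the file subject to the current umask, so the wrapper is enough.
gen_private_key() {
  with_private_umask openssl genrsa -out "$1" "${2:-4096}" 2>/dev/null
}

# Copy the challenge token into the ACL directory and make it world-readable.
# cp without -p creates the destination under the caller's umask, so a 0077
# umask yields 0600 and the CA's fetch of the token fails. Refuse anything
# that is not a regular file: an empty token name turns "$TEMP_DIR/$token"
# into the directory itself, which is the "Is a directory" failure above.
copy_token_world_readable() {
  src=$1 dst=$2
  [ -n "$src" ] && [ -f "$src" ] || { echo "token source is not a file: '$src'" >&2; return 1; }
  cp "$src" "$dst" && chmod 0644 "$dst"
}

# Octal permission bits of a file (GNU stat first, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone demo: run as "sh thisfile demo".
demo() {
  work=$(mktemp -d)
  umask 077                                   # the restrictive umask from the report
  printf 'constructed-token\n' > "$work/token"
  mkdir "$work/acme-challenge"
  copy_token_world_readable "$work/token" "$work/acme-challenge/token"
  echo "token mode: $(file_mode "$work/acme-challenge/token")"   # 644 despite umask 077
  if command -v openssl >/dev/null 2>&1; then
    gen_private_key "$work/domain.key" 2048
    echo "key mode:   $(file_mode "$work/domain.key")"          # 600
  fi
  rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```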

DNS_DEL_COMMAND is run an extra time

When I run DNS validation, the extra DNS_DEL_COMMAND in cleanup() means that one too many DNS_DEL_COMMAND are run. In a normal run, the dns add and delete are run each in turn, then an extra call to delete happens, which doesn't actually delete anything. If I remove the DNS_DEL_COMMAND from cleanup() it doesn't run the extra delete, and still tidies up the dns entries, but I'm not sure that this won't cause problems under different conditions.

In fact, the extra delete is run even when the script does run because the 30 day limit has not been met:

$ ./getssl example.co.uk
certificate for example.co.uk is still valid for more than 30 days (until Sep 11 10:25:00 2016 GMT)
###################################
# this is the output from my dns-delete.sh script:
# dns-del.sh :
fulldomain=
full command options : 
Nothing to delete
###################################
$

gets: Error registering account

I'm trying to get a certificate for a simple website, but obviously missed something along the way. I run
getssl -d valdez.seos.uvic.ca

and get a lot of messages (some of which I assume is private) and the script dies at:

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 96
Boulder-Request-Id: K38nGSwtV9FEDvdut4U_X0cLo2DxtcFt8y-miG0e7PM
Replay-Nonce: GzAWOzPm4nhwRBALTSGIZv966XcgikiVcqzOvB6xb0
Expires: Thu, 16 Jun 2016 18:30:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 16 Jun 2016 18:30:34 GMT
Connection: close

response {
  "type": "urn:acme:error:malformed",
  "detail": "Parse error reading JWS",
  "status": 400
}
code 400
getssl: Error registering account

I could send the whole request, but maybe it is obvious that I've not done something correctly.

csr recreated if SAN includes a shorter version of domain

For example (no pun intended), I have 'example.co.uk' and 'example.co' as a SAN. The grep in getssl (line 841) finds two entries for DNS:example.co because it finds example.co.uk and example.co.

Because of this "failure" of the grep the variable "domain_in_csr" holds two values and the csr is regenerated:

existing csr at /andy/.getssl/example.co.uk/example.co.uk.csr does not contain example.co - re-create-csr

I put |tail -1 on the end of the grep to fix it, but there's probably a more elegant way to do it...
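An exact-match check for the SAN list, as an added example that is not getssl's own code (its line 841 is not reproduced here); csr_san_names, csr_has_san, missing_sans and SAMPLE_CSR_TEXT are this example's own, and SAMPLE_CSR_TEXT is a constructed excerpt in the layout openssl req -noout -text prints.

```shell
#!/bin/sh
# Added example (not getssl's own code): decide whether a CSR already carries
# a SAN by comparing whole DNS entries instead of substrings, so example.co is
# not "found" inside example.co.uk.

# Print the SAN DNS names of CSR text $1, one per line. openssl req -noout
# -text prints them as "DNS:a, DNS:b" under "X509v3 Subject Alternative Name".
csr_san_names() {
  printf '%s\n' "$1" \
    | grep 'DNS:' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# True if domain $2 is one of the SANs in CSR text $1. grep -F -x -i matches
# the whole line literally and case-insensitively, which a prefix match on
# "DNS:$domain" cannot guarantee.
csr_has_san() {
  csr_san_names "$1" | grep -Fxiq -- "$2"
}

# Print the requested names that the CSR lacks; status 0 means none missing,
# i.e. no re-create-csr is needed.
missing_sans() {
  csr_text=$1; shift
  rc=0
  for d in "$@"; do
    csr_has_san "$csr_text" "$d" || { printf '%s\n' "$d"; rc=1; }
  done
  return $rc
}

# Constructed sample in the layout openssl prints. A real call would be
#   csr_has_san "$(openssl req -in "$DOMAIN_DIR/$DOMAIN.csr" -noout -text)" "$d"
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Subject: CN = example.co.uk
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.co.uk, DNS:example.co, DNS:www.example.co.uk'

# Stand-alone demo: run as "sh thisfile demo".
if [ "${1:-}" = demo ]; then
  if missing_sans "$SAMPLE_CSR_TEXT" example.co.uk example.co www.example.co.uk; then
    echo "CSR matches, no re-create-csr"
  else
    echo "re-create-csr needed"
  fi
fi
```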

Check if the certificate is installed correctly

In order to check the certificate, the command line should be openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:${REMOTE_PORT}" < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

With the current command line, the result contains more than the fingerprint and the check fails. Example of the current result:
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = foo.bar.net
verify return:1
DONE
SHA1 Fing

Multiple domains, validation calls main domain

Hi.
I am trying to generate certificates for two domains (I have removed the real domains, just in case)

  • test.example.com
  • rest.test.example.com

Inside the .getssl/test.example.com/getssl.cfg I have changed the following values:

SANS=test.example.com,rest.test.example.com

ACL=('/var/www/test.example.com/web/.well-known/acme-challenge'
      '/var/www/rest.test.example.com/.well-known/acme-challenge')

When I run ./getssl -w /opt/.getssl test.example.com I get the following output:

no certificate obtained from host
existing csr at /opt/.getssl/test.example.com/test.example.com.csr does not contain test.example.com - re-create-csr .... test.example.com
test.example.com
existing csr at /opt/.getssl/test.example.com/test.example.com.csr does not contain test.example.com - re-create-csr .... test.example.com
test.example.com
Registering account
Verify each domain
Verifing test.example.com
copying challenge token to /var/www/test.example.com/web/.well-known/acme-challenge/rS0GLxc5lRSVXCUMq5NhjH9T9jXTM1w6Ci5wAu****
Pending
Verified test.example.com
Verifing test.example.com
copying challenge token to /var/www/test.rest.example.com/.well-known/acme-challenge/Zm4dK3o-z66gB8QiNAVKT8ckvyWaQx8LOXM4K****
getssl: for some reason could not reach http://test.example.com/.well-known/acme-challenge/Zm4dK3o-z66gB8QiNAVKT8ckvyWaQx8LOXM4K**** - please check it manually

It seems to register only the main domain, so it tries to test both certificates on the main domain, but it saves the two challenge tokens in different folders, so the secondary domain is not called, and therefore the token for the second domain cannot be found.

Am I misunderstanding something, or is there something wrong in this scenario?

client-certificate generation

I don't know whether it is too much for getssl to ask for a client-certificate generation option using the created server-certificate. For example:
getssl -client yourdomain.com
or
getssl -client -p12 yourdomain.com
for a client-certificate in PKCS#12 format.

Performing something like this:
Client name?
mkdir -p /DOMAIN_DIR/clients/client_name
openssl genrsa -des3 -out client_name.key
openssl req -new -key client_name.key -out client_name.req
openssl ca -cert /DOMAIN_DIR/DOMAIN.crt -keyfile /DOMAIN_DIR/DOMAIN.key -out client_name.crt -in client_name.req

If set -p12:
openssl pkcs12 -export -inkey client_name.key -name "client_name" -in client_name.crt -certfile /DOMAIN_DIR/DOMAIN.crt -out client_name.p12

https method seems to work on staging not on full

Thanks for sharing your script! Really appreciated.

One thing, today when I tried to renew my license, I got an error back - an empty one. I did an attempt at staging, and that was successful, after I found out about your new setting for https. The debugging mode was helpful, because it did not work afterwards on the actual server.

Debugging info showed that the letsencrypt server was using http not https. Not sure why that was a problem, or whether that has anything to do with your script... perhaps you might know. I worked around by re-including the request part of the uri in my redirect.

Best,
Jeroen

issue with renew script using -q

If I run this:

/.scripts/getssl -u -a -q

I get some output that looks like it's from apache, and then it exits:

Usage: apache2 [-D name] [-d directory] [-f file]
               [-C "directive"] [-c "directive"]
               [-k start|restart|graceful|graceful-stop|stop]
               [-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
Options:
  -D name            : define a name for use in <IfDefine name> directives
  -d directory       : specify an alternate initial ServerRoot
  -f file            : specify an alternate ServerConfigFile
  -C "directive"     : process directive before reading config files
  -c "directive"     : process directive after reading config files
  -e level           : show startup errors of level (see LogLevel)
  -E file            : log startup errors to file
  -v                 : show version number
  -V                 : show compile settings
  -h                 : list available command line options (this page)
  -l                 : list compiled in modules
  -L                 : list available configuration directives
  -t -D DUMP_VHOSTS  : show parsed vhost settings
  -t -D DUMP_RUN_CFG : show parsed run settings
  -S                 : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
  -t -D DUMP_MODULES : show all loaded modules 
  -M                 : a synonym for -t -D DUMP_MODULES
  -t                 : run syntax check for config files
  -T                 : start without DocumentRoot(s) check
  -X                 : debug mode (only one worker, do not detach)

If I remove -q , it still gives me that apache output, but it completes the check:

me@mine:~# ~/.scripts/getssl -u -a

Check all certificates
Usage: apache2 [-D name] [-d directory] [-f file]
               [-C "directive"] [-c "directive"]
               [-k start|restart|graceful|graceful-stop|stop]
               [-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
Options:
  -D name            : define a name for use in <IfDefine name> directives
  -d directory       : specify an alternate initial ServerRoot
  -f file            : specify an alternate ServerConfigFile
  -C "directive"     : process directive before reading config files
  -c "directive"     : process directive after reading config files
  -e level           : show startup errors of level (see LogLevel)
  -E file            : log startup errors to file
  -v                 : show version number
  -V                 : show compile settings
  -h                 : list available command line options (this page)
  -l                 : list compiled in modules
  -L                 : list available configuration directives
  -t -D DUMP_VHOSTS  : show parsed vhost settings
  -t -D DUMP_RUN_CFG : show parsed run settings
  -S                 : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
  -t -D DUMP_MODULES : show all loaded modules 
  -M                 : a synonym for -t -D DUMP_MODULES
  -t                 : run syntax check for config files
  -T                 : start without DocumentRoot(s) check
  -X                 : debug mode (only one worker, do not detach)
certificate for mydomain.com is still valid for more than 30 days (until Sep 30 18:01:00 2016 GMT)

HTTP identifier validation is http only

Simple HTTP validation needs to support https, for sites that are https only. I believe this is only for the part where script checks against the domain itself using curl.

Right now, this line forces the request to be http only:
wellknown_url="http://$d/.well-known/acme-challenge/$token"

Perhaps a config value in getssl.cfg to specify http or https?

No key file is being written

I do get a domain.crt file, but no domain.key. Also, getssl domain said that the certificate is still valid from the very first run. I never got the output as in the docs.

(any reference to 'domain' is to be read as the relevant fqdn)

Stock install of OS X 10.11.6 does not contain ggrep, gsed, or gdate.

The get_os() function identifies Darwin correctly (i.e. os="mac") but the

if [[ "$os" == "mac" ]]; then
  gdate "${@}"
else
  date "${@}"
fi

check seems to be backwards. I do not know if ggrep, gsed, or gdate are ubiquitous on all other supported platforms. My initial thought is that all of the if [[ "$os" == "mac" ]]; checks can be done away with.

fullchain cert issue

I created these files

abf.openmandriva.org.crt
abf.openmandriva.org.csr
abf.openmandriva.org.key
chain.crt

But nginx says
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found

Looks like I need to add a fullchain cert or something else.

I looked into the code of getssl

cat "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}_chain.pem"
copy_file_to_location "full pem" "$TEMP_DIR/${DOMAIN}_chain.pem"  "$DOMAIN_CHAIN_LOCATION"
cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}.pem"
copy_file_to_location "full pem" "$TEMP_DIR/${DOMAIN}.pem"  "$DOMAIN_PEM_LOCATION"

But for unknown reasons these files have never been created.

License clarification needed

The LICENSE file is GPLv2, but individual files say GPLv3 in the header.

Are GPLv2 terms available, or only v3 and later?

different debug/info levels

Hi,

for me it would be a very helpful feature to be able to choose different information levels. For example

-i 0 <= no info (quiet = -q)
-i 1 <= show all severe errors (dir not found, no permission to ..., config not found, openssl error messages, ...)
-i 2 <= show all severe errors + getssl update infos
-i 3 <= show all severe errors + getssl update infos + cert update success info
-i 4 <= show all severe errors + getssl update infos + cert update success info + RELOAD_CMD or server-restart success info
....
-i 9 <= show all infos (debug = -d)

The reason is that I don't want to get an email every day saying "Check all certificates: Certificate for mydomain.com is still valid for more than XX days ...", but I want to be informed by email when getssl got a severe error, so I can check what's wrong; when getssl was updated, so I can have a look at the new things; and when my certificates were updated, so I can check if everything is still running without problems.

Would be a nice feature, if you have the time to do it ;-)

Consider relicense

In the spirit of Let's Encrypt, which uses Apache License 2.0, I'd like to discuss relicensing to a more permissive license. Naturally, @srvco, as the primary author the choice of GPLv2 was yours to make. As a contributor, I do prefer a more permissive license though.

As an alternative to Apache License 2.0, you might prefer MPLv2, which keeps the copyleft nature for the included files. Since they're only shell scripts, the GPL's in-memory clause doesn't really apply anyway. MPLv2 wouldn't significantly alter the copyleft status of the included files. In my opinion, MPLv2 strikes a good balance between permissive and copyleft where copyleft is desired.

CC: @koter84 @MichiShyGuy @dstosberg @srvrco

Make the 100 tries for DNS configurable

Upstream DNS server can impose somewhat lengthy update cycles. Gandi for example typically updates the zones every 20min. 100 tries with 10s delay is not enough to reliably hit an update cycle, so being able to wait longer can be attractive.

DNS Example

I can't seem to get DNS validation to work.
I'm creating the TXT records manually for now, for testing purposes, and still.

Could you validate and provide an example config?

Old bash compatibility break with version 1.15

Hello,

Sorry for my bad English :-(

First of all, thank you for the great work you do here, I use this very effective script on my server with great pleasure (my every need is covered ;-)) ...

I use an old 5.11 CentOS GNU/Linux (very old, I know, but I'll try to use it until it reaches its OEL in March 2017 ;-)) that provides an old version of Bash (3.2.25). The last commit (v 1.15 e59f11d) breaks compatibility with this version at line 912 and more ... ("declare -A ..." but associative arrays exist only in bash 4 as far as I know).

Is it in your goals to maintain compatibility with version 3.2+ bash? I understand that if I am the last guy using your script with this kind of old fabrics, it is not a priority for you ;-)

My bash scripting skill is not strong enough to hack your code without any break, I think...

Thanks again and good day

ACL via FTP

As an enhancement, would it be possible to add the functionality to copy the AC files to the ACLs via ftp (with user id and password provided in config file like "ftp:UserID:Password:someserver.com:/path/to/acme-challenge"). My sites are hosted on servers where I do not have access to use ssh with a key file. Once the challenges have been met and the certificate issued, I have to get the hosting service admin to place the certificate and key files on the server manually.

Thanks.

Use sh instead of bash

Hey,
I really like your script and want to use it. But I don't have bash on my servers. I only have sh on them. For the most part this is fine with your script. There is just one line that causes a problem:

$ sh getssl 
getssl: line 407: syntax error: bad substitution

Maybe you could solve that in another way. That way more people could use your script because it would not be limited to bash.

Thanks and greetings
Leo

Certificate not renewing using getssl

Hello,
I have tried renewing my Let's Encrypt certificate multiple times now. Unfortunately, the cron job I have been running does not work. Can anyone let me know what I need to update? Do I need to remove all files that were generated with my original certificate? Any help is appreciated!
Renew Let's Encrypt certificate.docx

http-01-port support

Hello!

Is it possible to support the http-01-port protocol to allow a non-80 port to be checked?

Thanks!

Undocumented sed option

Hi, and thanks for this tool.

Do you really need to use the -E option for sed? Some older sed releases (ex: 4.1.5, Centos 5.x) do not support it and getssl fails. This option is equivalent to -r and is only there for compatibility with BSD sed.

ref: http://blog.dmitryleskov.com/small-hacks/mysterious-gnu-sed-option-e/

Additionally, some older date versions (ex: 5.97) can't handle dates past the "year 2038 bug", so force renew (-f) is failing because of the 100000 days check. Don't you think 365 days would be enough?

I can create a PR with these small "Centos 5" compatibility fixes, if you are OK with this.

result from nslookup

Some times I've got error like this

nslookup: couldn't get address for 'ns1.domain.io
ns1.domain.io': not found

This is because the command at line 1067 of the script returns two lines with the same DNS server.

Changing this line with
primary_ns=$(nslookup -type=soa "${d}" -debug=1 ${PUBLIC_DNS_SERVER} | os_grep origin | awk '{print $3}'|sort|uniq)
the problem will be fixed.

I work on linux; I don't submit a pull request because I can't test the fix on different OSes.

Is working_dir supposed to be a temp directory?

If working_dir is to be a temp directory, please consider clearing it out before use (if it exists), or refusing to run if it is not clear.

If it has data in it (say, from an unsuccessful run, or a previous run which contained SANS which no longer exist), getssl can fail.
