There are four scripts. These are written to be simple, which means that they are easy to audit.

- CreateSigningRequests: from a family.cnf file, generates a family.csr file.
- CheckSiteAccess: examines a family.csr and checks that Apache is correctly configured so that Let's Encrypt will sign the certificate.
- GetSignedCertificate: asks Let's Encrypt to sign a family.csr, returning a family.cst.
- RenewCertificates: keeps expiring certificates from expiring; run from cron.

There is also InitialSetup, run only once (by root) to set up the directory structure and create the users.
Two users are created:

- rsa: runs CreateSigningRequests and CheckSiteAccess.
- acme: talks to Let's Encrypt; runs GetSignedCertificate and RenewCertificates. These two scripts run acme_tiny.py.

The HOME directory for both of these users is /var/www/acme/. The user names and the base directory can easily be changed.
/var/www/acme/

Note also the directory permissions. Some files are very sensitive and must be kept secure to keep the web server secure.

acme-challenge/
    This is where acme_tiny.py puts the challenge files that Let's Encrypt asks it to. It has to be writable by acme, and the files in it readable by Apache, to provide the response that Let's Encrypt needs. It is mapped into each vhost in the family by an Apache configuration line like:

    Alias /.well-known/acme-challenge/ "/var/www/acme/acme-challenge/"

    It also contains an index.html that is used by CheckSiteAccess.
SSLConfigs/
    This is where you create the family configuration files. EXAMPLE.cnf can be used as a starting point.

CertificateSigningRequests/
    CSRs written here by the script CreateSigningRequests, using a family configuration file in SSLConfigs/.

RSAprivateKeys/
    Private keys written here by the script CreateSigningRequests. These are precious and must be kept secret. Apache needs to read them. Ensure that they are not readable by any user other than rsa and the group of the Apache process.

SignedCertificates/
    Signed certificates written here by the script GetSignedCertificate, using the CSRs in CertificateSigningRequests/.

LetsEncryptAccounts/
    Created by the script GetSignedCertificate.

Renewals.list
    A list of certificate family names used by RenewCertificates.

Templates
    Templates that expand to the files:
    Renewal.crontab        a crontab for the user acme that you should consider
    httpd.conf.challenge   to be put into the vhost configuration during the first-stage edit

tmp
    Temporary file space needed by GetSignedCertificate and RenewCertificates.

bin
    Where all the scripts live.

ACMEUSER
    The username acme, or your local choice.

RSAUSER
    The username rsa, or your local choice.

DIST
    The contents of the unpacked tar file LetsEncryptManage-version.release-0.0.tar.gz.

.rnd
    Where the OpenSSL program stores entropy (randomness).
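An added audit script, not one of the tutorial's own scripts, that checks a tree laid out as above against the permission rules just stated: private keys readable only by their owner and Apache's group, the challenge directory servable by Apache and holding index.html. The function names, the apache_gid parameter and the constructed sample tree are this example's own assumptions.

```python
import os
import stat
import tempfile

OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
SERVE_BITS = stat.S_IROTH | stat.S_IXOTH


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_acme_tree(base, apache_gid):
    """Check the tree under base (the acme HOME directory) against the rules
    above; apache_gid is the numeric gid Apache's worker runs as. Returns a
    list of findings, empty when everything is as it should be."""
    findings = []
    # RSAprivateKeys/: precious. Apache's group may read, nobody else may.
    keydir = os.path.join(base, "RSAprivateKeys")
    if _mode(keydir) & OTHER_BITS:
        findings.append("RSAprivateKeys/: accessible by 'other'")
    for name in sorted(os.listdir(keydir)):
        st = os.lstat(os.path.join(keydir, name))
        mode = stat.S_IMODE(st.st_mode)
        if mode & OTHER_BITS:
            findings.append(f"{name}: readable by 'other'")
        if mode & stat.S_IRGRP and st.st_gid != apache_gid:
            findings.append(f"{name}: group-readable but group is not Apache's")
        if mode & (stat.S_IWGRP | stat.S_IXGRP):
            findings.append(f"{name}: group has write or execute bit")
    # acme-challenge/: acme writes here, Apache must be able to serve it,
    # and CheckSiteAccess expects an index.html inside it.
    chal = os.path.join(base, "acme-challenge")
    if _mode(chal) & SERVE_BITS != SERVE_BITS:
        findings.append("acme-challenge/: not readable/traversable by Apache")
    if not os.path.isfile(os.path.join(chal, "index.html")):
        findings.append("acme-challenge/: index.html missing")
    return findings


def build_demo_tree(key_mode=0o644, with_index=False):
    """Constructed sample tree in a temp dir, so the audit can be tried
    offline. Returns (base, gid of the created key file)."""
    base = tempfile.mkdtemp(prefix="acme-demo-")
    for sub, mode in (("RSAprivateKeys", 0o750), ("acme-challenge", 0o755)):
        os.mkdir(os.path.join(base, sub))
        os.chmod(os.path.join(base, sub), mode)  # explicit, so umask is irrelevant
    key = os.path.join(base, "RSAprivateKeys", "family.key")
    open(key, "w").close()
    os.chmod(key, key_mode)
    if with_index:
        open(os.path.join(base, "acme-challenge", "index.html"), "w").close()
    return base, os.lstat(key).st_gid
```

On a real install, call audit_acme_tree("/var/www/acme/", gid) with the gid of the group the Apache worker processes run as, and fix anything it reports before putting the keys into service.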