There are four scripts. These are written to be simple, which means that they are easy to audit:

CreateSigningRequests: takes a family.cnf file, generates a family.csr and checks that Apache is correctly configured so that Let's Encrypt will sign the certificate
GetSignedCertificate: asks Let's Encrypt to sign a family.csr
RenewCertificates: renews certificates before they expire; run from cron
There is also InitialSetup, which is run only once (by root) to set up the directory structure and create the users.
Two users are created:

rsa: this user runs CreateSigningRequests, so it is the owner of the private keys
acme: this user talks to Let's Encrypt; it runs GetSignedCertificate and RenewCertificates, which in turn run acme_tiny.py

The HOME directory for both of these users is the base directory, /var/www/acme in the Alias example below.
The user names & base directory can easily be changed.
Note also the directory permissions. Some files are very sensitive and must be kept secure to keep the web server secure.

acme-challenge/: this is where acme_tiny.py puts the challenge files that Let's Encrypt asks it to. It has to be writable by acme, and the files in it must be readable by Apache so that it can serve the response that Let's Encrypt needs. It is mapped into each vhost in the family by an Apache configuration line like:

    Alias /.well-known/acme-challenge/ "/var/www/acme/acme-challenge/"

  It also contains an index.html that is used by
SSLConfigs/: this is where you create the family configuration files. EXAMPLE.cnf can be used as a starting point.
CertificateSigningRequests/: CSRs, written here by CreateSigningRequests using a family configuration file in SSLConfigs/
RSAprivateKeys/: private keys, written here by CreateSigningRequests. These are precious and must be kept secret. Apache needs to read them, so ensure that they are readable by no user other than rsa and the group of the Apache process (for example owner rsa, group set to Apache's group, mode 0640).
SignedCertificates/: signed certificates, written here by GetSignedCertificate using the CSRs in CertificateSigningRequests/
LetsEncryptAccounts/: created by script
Renewals.list: a list of certificate family names used by RenewCertificates
Templates: templates that expand to the files:
    Renewal.crontab: a crontab for the user acme that you should consider
    httpd.conf.challenge: to be put into the vhost configuration during the first-stage edit
tmp: temporary file space needed by
bin: where all the scripts live
acme (or your local choice)
rsa (or your local choice)
DIST: the contents of the unpacked tar file
used by the OpenSSL program to store entropy (randomness)
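The permission rules above (keys in RSAprivateKeys/ readable only by rsa and Apache's group, acme-challenge/ writable by acme and readable by Apache) are the part of this layout that most often goes wrong after a restore or a careless chmod. The following POSIX shell audit is an added example, not one of the scripts distributed with this page; it checks those rules and reports each violation. The base directory, the user names and the Apache group name (apache here; it is www-data on Debian-derived systems) are assumptions set at the top, to be changed to your local choice.

```shell
#!/bin/sh
# Added example, not one of the page's own scripts: audit the ownership and
# modes described above. BASE, RSA_USER, ACME_USER and HTTPD_GROUP are
# assumptions; change them to your local choice.
BASE="${BASE:-/var/www/acme}"
RSA_USER="${RSA_USER:-rsa}"
ACME_USER="${ACME_USER:-acme}"
HTTPD_GROUP="${HTTPD_GROUP:-apache}"   # group of the Apache process; www-data on Debian

# Print "owner group octal-mode" for a path (GNU stat first, BSD stat as fallback).
path_info() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %OLp' "$1"
}

# Split an octal mode such as 640 or 2750 into its three low digits,
# setting MODE_U, MODE_G and MODE_O for the caller.
split_mode() {
    m=$1
    MODE_O=${m#"${m%?}"}; m=${m%?}
    MODE_G=${m#"${m%?}"}; m=${m%?}
    MODE_U=${m#"${m%?}"}
}

# A private key must belong to the rsa user and Apache's group, give nothing
# to "other", and must not be writable by the group (0640 or tighter).
check_private_key() {
    file=$1 want_owner=$2 want_group=$3 rc=0
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    set -- $(path_info "$file")
    owner=$1 group=$2 mode=$3
    split_mode "$mode"
    [ "$owner" = "$want_owner" ] || { echo "$file: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$file: group is $group, expected $want_group"; rc=1; }
    [ "$MODE_O" = 0 ] || { echo "$file: mode $mode gives access to every user"; rc=1; }
    case $MODE_G in 0|4) ;; *) echo "$file: mode $mode lets the group write the key"; rc=1 ;; esac
    return $rc
}

# The challenge directory must be owned and writable by the acme user, and
# Apache (another user) must be able to read and traverse it: either "other"
# has r-x, or the directory belongs to Apache's group and the group has r-x.
check_challenge_dir() {
    dir=$1 want_owner=$2 want_group=$3 rc=0 readable=1
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    set -- $(path_info "$dir")
    owner=$1 group=$2 mode=$3
    split_mode "$mode"
    [ "$owner" = "$want_owner" ] || { echo "$dir: owner is $owner, expected $want_owner"; rc=1; }
    [ "$MODE_U" = 7 ] || { echo "$dir: mode $mode is not writable by $want_owner"; rc=1; }
    case $MODE_O in 5|7) readable=0 ;; esac
    [ "$group" = "$want_group" ] && case $MODE_G in 5|7) readable=0 ;; esac
    [ "$readable" = 0 ] || { echo "$dir: mode $mode (group $group) is not readable by Apache"; rc=1; }
    return $rc
}

# Walk the layout described above; returns non-zero if anything is wrong.
audit_tree() {
    base=$1 rc=0
    for key in "$base"/RSAprivateKeys/*; do
        [ -f "$key" ] || continue
        check_private_key "$key" "$RSA_USER" "$HTTPD_GROUP" || rc=1
    done
    check_challenge_dir "$base/acme-challenge" "$ACME_USER" "$HTTPD_GROUP" || rc=1
    return $rc
}

# Only audit when the assumed base directory actually exists on this host.
if [ -d "$BASE" ]; then
    audit_tree "$BASE" && echo "$BASE: permissions look right" || echo "$BASE: fix the problems listed above"
fi
```

Run it as root after InitialSetup and again after any restore from backup; a key reported as group-writable or world-readable should be fixed with chmod 0640 and chown rsa:apache (or your local names) before Apache is restarted with it.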