This project provides a ready-to-go script for periodic renewal of TLS certificates using BSD's acme-client.
Requirements:
- POSIX-sh compatible shell (e.g. Busybox ash, dash, ZSH, bash, ...); the script acme-renew-certs needs a shell with support for `set -o pipefail`
- common userland with awk, find, sed (e.g. from Busybox, GNU coreutils, ...)
- openssl command (only if you want to generate RSA keys with a size other than 4096 bits)
Installation:
git clone https://github.com/jirutka/acme-client-plus.git
cd acme-client-plus
make install
acme-client-plus.conf:
# Size of RSA keys for domains (in bits).
rsa_key_size="3072"
# Additional options to pass into acme-client.
# -O - Request OCSP stapling for the given domains.
acme_client_opts="-O"
# This function is executed after any certificate(s) have been renewed;
# use it to reload affected services.
# $@: domain names
after_renew() {
    # Note: This example is for the OpenRC init system.
    /etc/init.d/nginx --ifstarted --quiet reload
}
Issue a certificate for domain foo.example.org with alternative name bar.example.org:
acme-client-plus issue foo.example.org bar.example.org
Renew all certificates that are close to their expiration:
acme-client-plus renew
Renew certificate for domain foo.example.org even if it’s too soon:
acme-client-plus renew -F foo.example.org
Default directory structure:
/
|-- etc
|   |-- logrotate.d
|   |   `-- acme-client-plus (750)
|   |-- periodic/weekly
|   |   `-- acme-renew-certs (750)
|   |-- ssl/acme (755) [certs_dir, keys_dir]
|   |   |-- <domain> (755)
|   |   |   |-- cert.pem (444)
|   |   |   |-- chain.pem (444)
|   |   |   |-- fullchain.pem (444)
|   |   |   `-- privkey.pem (400)
|   |   :-- ...
|   |   `-- account-key.pem (400) [account_key]
|   `-- acme-client-plus.conf (644)
|-- usr/bin
|   `-- acme-client-plus (750)
`-- var
    |-- log
    |   `-- acme-renew.log (644)
    `-- www/acme (755) [challenge_dir]
        :-- ...
        `-- xyz (444)
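As an added example (not part of acme-client-plus), a POSIX sh check that audits the file modes under certs_dir against the modes listed in the layout above, so an over-permissive private key is caught before it is served by a misconfigured process. It assumes a stat that supports -c '%a' (GNU or Busybox) and that the directory argument defaults to /etc/ssl/acme.

```shell
#!/bin/sh
# Added example, not part of acme-client-plus: audit .pem file modes
# in certs_dir against the documented layout (keys 400, certs 444).
set -eu

# Expected octal mode for a file name from the layout above; empty if unknown.
expected_mode() {
    case "$1" in
        privkey.pem|account-key.pem)      echo 400 ;;
        cert.pem|chain.pem|fullchain.pem) echo 444 ;;
        *)                                echo "" ;;
    esac
}

# Walk the directory (default /etc/ssl/acme, an assumption from the tree above),
# print one "BAD ..." line per mismatch and return 1 if any was found.
check_acme_perms() {
    dir="${1:-/etc/ssl/acme}"
    bad=$(find "$dir" -type f -name '*.pem' | while read -r f; do
        want=$(expected_mode "${f##*/}")
        [ -n "$want" ] || continue
        have=$(stat -c '%a' "$f")   # GNU/Busybox stat: octal permission bits
        [ "$have" = "$want" ] || echo "BAD $f mode=$have expected=$want"
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}
```

Run it from a periodic job alongside acme-renew-certs; a non-zero exit means at least one key or certificate file has a mode other than the one the layout documents.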
This project is licensed under ISC License. For the full text of the license, see the LICENSE file.