Skip to content
Let's Encrypt encourages the use of certbot to automate certificate renewal, but that tool generates a new CSR every time. That makes DANE with TLSA difficult, so this set of scripts automates the renewal of consistent CSRs with certbot so systems administrators can choose when to generate a new CSR and update their DNS records in anticipation.
Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
README.md
letsencrypt-autorun
letsencrypt-generate
letsencrypt-hash
letsencrypt-install
letsencrypt-renew
letsencrypt-request
letsencrypt-tlsa

README.md

lets-encrypt-tlsa

Read the article about this script on the Flipping Binary website.

Installation

Modify these steps and the scripts as necessary for your distribution. The steps have been tested only on Ubuntu 16.04 servers.

  1. Change ownership and permissions of the script files
  $ sudo chown root:root letsencrypt-*
  $ sudo chmod +x letsencrypt-*
  1. Change the settings in letsencrypt-tlsa file, especially the EMAIL setting!
  $ sudo nano letsencrypt-tlsa
  1. Move the letsencrypt-tlsa file to /etc/default so it is accessible by the other scripts and easy to edit.
  $ sudo mv letsencrypt-tlsa /etc/default
  1. Move letsencrypt-autorun to /etc/cron.weekly
  $ sudo mv letsencrypt-autorun /etc/cron.weekly
  1. Move the rest to /usr/local/sbin
  $ sudo mv letsencrypt-* /usr/local/bin

Usage

  1. Generate a key pair and Certificate Signing Request (CSR). This script does not limit the number of domain names, but attempting to generate one certificate for dozens of domains at a time might fail. The first listed domain is primary and needs to be listed first for each command in this set of tools. Using example.com and www.example.com as an example:
  $ sudo letsencrypt-generate example.com www.example.com
  1. Request a signature from Let's Encrypt. Using example.com and www.example.com as an example both of these commands do the same thing (note the primary domain is listed first and is the only one that matters):
  $ sudo letsencrypt-request example.com
  $ sudo letsencrypt-request example.com www.example.com
  1. Check the hash of the signed certificate. You can list secondary domains along with the primary domain, but the hash will be the same for each. The important part includes and follows the 3 1 1 which makes up your TLSA record. Using example.com and www.example.com as an example:
  $ sudo letsencrypt-hash example.com www.example.com
  1. Publish the TLSA records with your DNS provider.

  2. Install the new certificates. This command will create a symlink in a consistent location (defaulting to /etc/ssl/letsencrypt/live/<domainname>) to the latest signed certificate for the primary domain. Using example.com and www.example.com as an example, both of these commands do the same thing (note the primary domain is listed first and is the only one that matters):

  $ sudo letsencrypt-install example.com
  $ sudo letsencrypt-install example.com www.example.com
You can’t perform that action at this time.