make-cert is an opinionated certificate deployment system wrapping dehydrated. dehydrated is a high quality Let's Encrypt client, but making sure it was deployed correctly each time became a hassle for me. I made this so that most choices are already made and each deployment can have the barest minimum.
- Clone the repo.
- Edit `config.local` to set your email address, and change to the production API URL when ready.
- Add domains to `domains.txt`. See the dehydrated documentation for details.

```sh
$ cat config.local
CA="$prod_ca"
CONTACT_EMAIL=email@example.com
$ cat domains.txt
www.example.com example.com
$ make cert
...
```
It's best to create a cron job for certificate renewal. Because (nearly) everything is packaged into the Makefile, this is much simplified. This example job will run at 12:15 AM on Tuesdays:

```sh
15 0 * * 2 make -C /path/to/make-cert >> /var/log/make-cert.log 2>&1
```

Note that cron runs jobs with a minimal PATH, so if node and npm live outside it, set PATH at the top of the crontab (or in the job line) to include their directory.
The config file sources an error handler and a trace logger from Joyent. The error handler provides stack traces to identify where/why cert generation failed. This is always enabled. The trace logger enables xtrace for additional observability. This is optional and can be enabled by setting the TRACE environment variable, for example:

```sh
make cert TRACE=on
```
Being an opinionated certificate deployment system, make-cert makes a number of assumptions:

- Node.js and npm are installed and in the default PATH.
- Certificate challenges will be handled by HTTP, not DNS.
- A web root of /opt/www/letsencrypt is used for the location of .well-known. This will be created if it does not exist. There are example web server virtualhost configuration files for Apache and Nginx that are preconfigured for this location.
- If there is nothing listening on port 80, a Node.js http-server will be spawned to process ACME challenge requests.
- Certificates are output to /opt/ssl/certs. Your application(s) should refer to those files for the SSL certificates.
- ECDSA keys will be generated using the prime256v1 curve.
If you don't like any of these assumptions, override them in the config file, or fork and do as you please. The point of make-cert is not to be flexible! It is to have a strictly formatted framework that applications can depend on. If you think additional assumptions might be helpful, open a pull request!
illumos and FreeBSD are directly supported. Adding support for additional platforms is a matter of properly detecting something listening on port 80. Application restart support is limited to Apache and Nginx on SmartOS (see issues).
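The port-80 detection that both the assumptions list and the platform note above turn on is shown here as an added example, not code from make-cert's Makefile. It parses the local-address column of the socket tables illumos `netstat`, FreeBSD `sockstat` and Linux `ss` print, picks the right command per platform, and makes the spawn decision for the `.well-known` web root. The commands and flags are the standard ones on each platform and the web root is the page's /opt/www/letsencrypt; the log and PID file paths, the function names and the sample tables are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not make-cert's Makefile code: detect whether something is
# already listening on port 80 (as make-cert must before spawning its Node
# http-server) on illumos, FreeBSD and Linux.  Log/PID paths, function names
# and the sample tables are assumptions; the webroot is the page's.

# Constructed sample socket tables (not real captures), one per platform:
# illumos `netstat -an -f inet -P tcp`, FreeBSD `sockstat -l -P tcp`,
# Linux `ss -ltn`.
SAMPLE_ILLUMOS='   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
      *.80                 *.*                0      0 128000      0 LISTEN
10.0.0.2.51234       10.0.0.5.80         64240      0 128000      0 ESTABLISHED'
SAMPLE_FREEBSD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1234  6  tcp4   *:80                  *:*
root     sshd       777   4  tcp6   *:22                  *:*'
SAMPLE_LINUX='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     [::]:80             [::]:*'

# illumos /usr/bin/awk is the old awk without user functions; point AWK at
# /usr/xpg4/bin/awk there.
AWK=${AWK:-awk}

# Read a socket table on stdin and succeed if some line's local address is
# bound to port $1.  The local address is the first field that looks like an
# address with a port, so the foreign address of an outbound connection
# (10.0.0.5.80) is never counted.  Accepts "*.80" and "0.0.0.0.80"
# (BSD/illumos netstat) and "*:80", "0.0.0.0:80", "[::]:80", ":::80"
# (sockstat, ss, Linux netstat).
listener_on_port() {
    "$AWK" -v port="$1" '
        function is_addr(f) {
            return f ~ /^(\*|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|\[[0-9a-fA-F:.]*\]|:*)[.:][0-9*]+$/
        }
        {
            for (i = 1; i <= NF; i++) {
                if (is_addr($i)) {
                    n = split($i, parts, /[.:]/)
                    if (parts[n] == port) { found = 1; exit }
                    break           # only the first (local) address matters
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Run the platform's socket listing and check it for port $1.
# Returns 0 if something listens, 1 if not, 2 if detection is unsupported.
port_in_use() {
    os=$(uname -s)
    case $os in
        SunOS)   netstat -an -f inet -P tcp | grep LISTEN | listener_on_port "$1" ;;
        FreeBSD) sockstat -l -P tcp | listener_on_port "$1" ;;
        Linux)   { ss -ltn 2>/dev/null || netstat -ltn; } | listener_on_port "$1" ;;
        *)       echo "port_in_use: no listener detection for $os" >&2; return 2 ;;
    esac
}

# The decision make-cert's assumption describes: leave .well-known to an
# existing port-80 server if there is one, otherwise spawn http-server on it.
ensure_challenge_listener() {
    webroot=${WEBROOT:-/opt/www/letsencrypt}
    mkdir -p "$webroot/.well-known/acme-challenge"
    if port_in_use 80; then
        echo "port 80 is already served; that server must map /.well-known to $webroot"
    else
        [ $? -eq 1 ] || return 2      # detection itself failed: do not guess
        http-server "$webroot" -p 80 -a 0.0.0.0 >/var/log/make-cert-http.log 2>&1 &
        echo $! > /var/run/make-cert-http.pid     # assumed PID file location
    fi
}
```

Porting to another platform means adding a `case` arm to `port_in_use` whose listing `listener_on_port` can read; the parser only needs the local address to come first on each line, which holds for every netstat-style table.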
The following files are licensed under the MPL-2.0 license. See
All other files are licensed under the MIT license. See
LICENSE for details.