Sunday, December 4, 2016

Here come the Bash clients for Let's Encrypt -, Dehydrated and creating SSL Certificates

I was recently working on a server with a pretty old OS. In the past I've configured SSL using EFF's Certbot, a Python based client for managing Let's Encrypt's certificates, but Certbot requires Python 2.7 or better and the server only shipped with Python 2.4. I initially started on the journey of "jumping through hoops" getting Python 2.7 installed on the old system but then I discovered bash based clients for Let's Encrypt. So here are some short notes for my future self which might save some time.

In terms of shell scripts that re-implement the Certbot client there are two shell scripts that I currently know of, one called dehydrated and the other, which I discovered a day or two later, is called  I ended up using, I found the implementation to be a bit simpler than the dehydrated implementation. If you're interested in using dehydrated, there's reasonable documentation on how to install and use it at promotes itself as follows:

  • An ACME protocol client written purely in Shell (Unix shell) language.
  • Full ACME protocol implementation.
  • Simple, powerful and very easy to use. You only need 3 minutes to learn it.
  • Bash, dash and sh compatible.
  • Simplest shell script for Let's Encrypt free certificate client.
  • Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
  • Just one script to issue, renew and install your certificates automatically.
  • DOES NOT require root/sudoer access.
It basically installs itself in the home folder of the active user and also adds itself to the PATH.
Installation is as easy as:

curl | sh
wget -O - | sh

After that you can create an SSL certificate for the domain with the following command: --issue -w /home/mysite/public_html/ -d -d
Unfortunately, while the certificate was created without a problem, the server was so old that the version of OpenSSL didn't support multiple domains on the same IP address according to this article I needed at least OpenSSL v0.9.8j. 

Truth be told the best course of action will be to upgrade the server since it is otherwise vulnerable. The knowledge won't be lost as I can use it on other projects on newer servers.

No comments:

Sign up for my upcoming Plone 5 Book & Video tutorials

plone 5 for newbies book and videos