Let's Encrypt used for..

Question

I'm currently using LE for WebAdmin and UserPortal. Just curious if anyone else is using LE for anything else besides WebAdmin and User Portal? What other configurations can we use Let's Encrypt? 
 
 Thanks

scorpionking · Accepted Answer

Yeah, but that's a quick and dirty one suitable for my home lab. Use at your own risk! Source (German): www.matthiaskind.de/.../41-let-s-encrypt-zertifkat-einer-sophos-utm-automatisiert-weiterverarbeiten-bash-script.html #!/bin/bash # Fetch Let'sEncrypt cert from UTM and check if different to local. # If yes, overwrite and reload affected services # Needs curl, jq and mailutils installed log = "/usr/bin/logger -i -p local0.info -t getcert_utm.sh" log_dbg = "/usr/bin/logger -i -p local0.debug -t getcert_utm.sh" log_err = "/usr/bin/logger -i -p local0.warning -t getcert_utm.sh" #debug=true $log "Starting getcert_utm.sh" utmapiurl = "https://:4444/api/objects/ca/host_key_cert/" utmapikey = "" # do not use whitespaces or special characters in paths! curloutfile = "/tmp/utm-le-cert_all" tmpkeyfile = "/tmp/utm-le-cert.key" tmpcertfile = "/tmp/utm-le-cert.pem" # must match the path and certificate name in your apache, dovecot, etc. config dstkeyfile = "/etc/ssl/private/mydomain.de_SAN_LE.key" dstcertfile = "/etc/ssl/mydomain.de_SAN_LE.pem" # false (if can be used separately) or path to intermediate intermediateca = "/etc/ssl/lets-encrypt-x3-cross-signed.pem" tmpmailtext = "/tmp/mailtext.txt" mailsubject = "LE-Cert-Fetcher on " $( hostname ) ": " mailto = "" mailresult = "Nothing changed" restartservices = false # services to restart after certificate change services = "dovecot.service postfix.service nginx.service" errtext = "" errdetected = false certsubject = $(/usr/bin/openssl x509 -text -noout -in $dstcertfile | grep -oP ' ( ? <= Subject: ) [ ^, ] + ') certvalidity= $(/usr/bin/openssl x509 -text -noout -in $dstcertfile | grep -oP ' ( ? <= Not After : ) [^,]+' ) echo -e "Hello! " > $tmpmailtext echo -e "This is to inform you about recent changes in our Let's Encrypt certificate with $certsubject : Valid until: $certvalidity " >> $tmpmailtext $log "Downloading cert from UTM API." curl -k -X GET --header "Accept: application/json" --header "Authorization: Basic ${utmapikey} " " ${utmapiurl} " -o " $curloutfile " > /tmp/getcert_utm_curl 2 > & 1 if [ $? -eq 0 ] ; then $log "Extracting key and certificate from output." jq -r '.key' $curloutfile > $tmpkeyfile res1 = $? jq -r '.certificate' $curloutfile > $tmpcertfile res2 = $? if [ $res1 -eq 0 ] && [ $res2 -eq 0 ] ; then $log "Comparing new and old files." diff $tmpkeyfile $dstkeyfile if [ $? -eq 0 ] ; then $log "Key has not changed." echo "Key has not changed." >> $tmpmailtext else $log "Key has changed. Copying new key." cp $tmpkeyfile $dstkeyfile if [ $? -eq 0 ] ; then restartservices = true mailresult = "Key changed" echo "Key has been exchanged by a newer version." >> $tmpmailtext else errdetected = true errtext = $errtext "Error copying key to destination. " mailresult = "Error" echo "ERROR copying key to destination" >> $tmpmailtext fi fi if [ $intermediateca != false ] ; then $log "Appending intermediate ca to certificate." cat $intermediateca >> $tmpcertfile fi diff $tmpcertfile $dstcertfile if [ $? -eq 0 ] ; then $log "Certificate has not changed." echo "Certificate has not changed." >> $tmpmailtext else $log "Certificate has changed. Copying new key." cp $tmpcertfile $dstcertfile if [ $? -eq 0 ] ; then restartservices = true mailresult = "Certificate changed" echo "Certificate has been exchanged by a newer version." >> $tmpmailtext else errdetected = true errtext = $errtext "Error copying certificate to destination. " mailresult = "Error" echo "ERROR copying certificate to destination" >> $tmpmailtext fi fi if [ " $errdetected " = true ] ; then mailresult = "Error" $log_err "Failure in setting certs: $errtext " fi else mailresult = "Error extracting cert" echo "Could not extract cert or key from output. Check format of output, should be JSON containing .key and .certificate section." >> $tmpmailtext $log_err "Could not extract cert or key from output. Check format of output, should be JSON containing .key and .certificate section." fi else mailresult = "Error getting cert" echo "Could not connect to $utmapiurl or error in authentication. Check connection and URL settings." >> $tmpmailtext $log_err "Could not connect to $utmapiurl or error in authentication. Check connection and URL settings." fi certdetails = $(/usr/bin/openssl x509 -text -noout -in $dstcertfile) echo -e " Best regards, root ---------- Certificate details: $certdetails " >> $tmpmailtext mail -s " ${mailsubject} ${mailresult} " $mailto < " ${tmpmailtext} " rm " ${curloutfile} " " ${tmpkeyfile} " " ${tmpcertfile} " " ${tmpmailtext} " if [ " $restartservices " = true ] ; then $log "Reloading \" $services \" as some data has changed" systemctl reload $services fi $log "Finished." #Finished