{"id":224,"date":"2016-05-28T14:29:04","date_gmt":"2016-05-28T14:29:04","guid":{"rendered":"http:\/\/www.nerdlingen.de\/?p=224"},"modified":"2018-10-12T09:45:23","modified_gmt":"2018-10-12T08:45:23","slug":"lets-encrypt-plesk","status":"publish","type":"post","link":"https:\/\/www.nerdlingen.de\/?p=224","title":{"rendered":"Let’s Encrypt + Plesk"},"content":{"rendered":"

Let’s encrypt<\/a> issues SSL-Certificates for free – meanwhile most Systems trust their CA. Let’s Encrypt features a CLI to request, update and install certificates – which work’s nicely as long as your server’s setup is compatible. A Plesk based setup, however, is not.<\/p>\n

Luckily, Plesk features it’s own CLI<\/a> – so let’s make a short script to renew and update certificates. Here’s the script, I’ll explain later. It requires Let’s Encrypt’s “certbot” to be installed in $HOME.<\/p>\n

#!\/bin\/sh\r\n\r\nIP="your.ip.v4.address"\r\nIP6="your:ip:v6:address"\r\n\r\n#Domains, format: domain.tld sub1.domain.tld sub2.domain.tld"\r\nDomains=("domain.tld sub1.domain.tld sub2.domain.tld" "domain2.tld2")\r\n#"Main" domain - the name of the certificate that will be associated to the IPs above...\r\nMainDomain="domain.tld"\r\n\r\necho "Certificates will be renewed and installed in Plesk:"\r\nfor dom in "${Domains[@]}"; do\r\n  echo " $dom"\r\ndone\r\nif [ -n "$1" ]; then\r\n  echo "Renew will be issued for all, however only domain $1 will be updated in Plesk!"\r\nfi\r\necho;\r\necho " IPv4: $IP"\r\necho " IPv6: $IP6"\r\n\r\n#"MonthName" should be something that is unique between subsequent calles of the script\r\n# date +%B should give the name of the current month, for more frequent calls use e.g.\r\n# date +%Y-%M-%d_%H-%m-%S\r\nMonthName="$(date +%Y-%m-%d_%H-%M-%S)"\r\necho " Unique part for each certificate's name: $MonthName"\r\n\r\necho;\r\n\r\nread -p "This might brake your setup. Type YES to continue: " Keypress\r\n\r\nif [ "$Keypress" != "YES" ]; then\r\n  echo "I asked for \\"YES\\", you gave me \\"$Keypress\\". Exiting..." \r\n  exit 1\r\nfi\r\n\r\necho;\r\n\r\nread -p "Call letsencrypt-auto ? [y\/N] " Keypress\r\n\r\nif [ "$Keypress" = "y" ]; then\r\n  ~\/certbot\/letsencrypt-auto renew\r\n  echo;\r\n  echo "Done."\r\nfi\r\necho;\r\n\r\nfunction installcert {\r\n  Certname="LetsEncrypt-Auto_($MonthName)_$1"\r\n  echo;\r\n  echo "Installing certifikate \\"$Certname\\" to domain repository..."\r\n  key_file="\/etc\/letsencrypt\/live\/$1\/privkey.pem"\r\n  cert_file="\/etc\/letsencrypt\/live\/$1\/cert.pem"\r\n  cacert_file="\/etc\/letsencrypt\/live\/$1\/fullchain.pem"\r\n  \/opt\/psa\/bin\/certificate -c $Certname -domain $1 -key-file $key_file -cert-file $cert_file -cacert-file $cacert_file\r\n}\r\n\r\nfunction installcert_admin {\r\n        Certname="LetsEncrypt-Auto_($MonthName)_admin_$1"\r\n        echo;\r\n        echo "Installing certifikate \\"$Certname\\" to admin's repository..."\r\n        key_file="\/etc\/letsencrypt\/live\/$1\/privkey.pem"\r\n        cert_file="\/etc\/letsencrypt\/live\/$1\/cert.pem"\r\n        cacert_file="\/etc\/letsencrypt\/live\/$1\/fullchain.pem"\r\n        \/opt\/psa\/bin\/certificate -c $Certname -admin -key-file $key_file -cert-file $cert_file -cacert-file $cacert_file\r\n}\r\n\r\n\r\nfunction assigncert {\r\n  Certname="LetsEncrypt-Auto_($MonthName)_$1"\r\n  \/opt\/psa\/bin\/subscription -u $2 -certificate-name $Certname\r\n}\r\n\r\nread -p "Install certificates in Plesk? [y\/N] " Keypress\r\n\r\nif [ "$Keypress" = "y" ]; then\r\n  for domain in "${Domains[@]}"; do\r\n    #Split into another array\r\n    subs=($domain)\r\n    main="${subs[0]}"\r\n    echo "Working on domain $main..."\r\n    #Domain $domain will only been updated if either no arguments are given, or the one and only argument matches $domain\r\n    if ( [ "$1" == "$main" ] ) || ( [ -z "$1" ] ); then\r\n      installcert "$main"\r\n      #Then assign all certificates\r\n      for sub in "${subs[@]}"; do\r\n        assigncert "$main" "$sub"\r\n      done\r\n    else\r\n      echo "==&gt; Skipped."\r\n    fi\r\n  done\r\n\r\n  echo;\r\n  echo "Done."\r\n  echo;\r\nfi\r\n\r\nread -p "Install &amp; Assign SSL-Certificate of $MainDomain for IPs (Admin's repository)? [y\/N] " Keypress\r\n\r\nif [ "$Keypress" = "y" ]; then\r\n  installcert_admin "$MainDomain"\r\n  \/opt\/psa\/bin\/certificate -ac "LetsEncrypt-Auto_($MonthName)_admin_$MainDomain" -admin -ip $IP\r\n  \/opt\/psa\/bin\/certificate -ac "LetsEncrypt-Auto_($MonthName)_admin_$MainDomain" -admin -ip $IP6 \r\nfi\r\n\r\nfunction mailcert {\r\n  Uhr="$(date +%Y-%m-%d_%H-%M-%S)"\r\n  key_file="\/etc\/letsencrypt\/live\/$1\/privkey.pem"\r\n        cert_file="\/etc\/letsencrypt\/live\/$1\/cert.pem"\r\n        cacert_file="\/etc\/letsencrypt\/live\/$1\/fullchain.pem"\r\n        tar -chjf Cert-Backup-$Uhr.tar.bz2 \/etc\/postfix\/postfix_default.pem \/usr\/share\/imapd.pem \/usr\/share\/pop3d.pem\r\n        #Concat certificate for eMail...\r\n  cat $key_file &gt;\/tmp\/newcert.pem\r\n  cat $cert_file &gt;&gt;\/tmp\/newcert.pem\r\n  cat $cacert_file &gt;&gt;\/tmp\/newcert.pem\r\n  cp \/tmp\/newcert.pem \/etc\/postfix\/postfix_default.pem\r\n  cp \/tmp\/newcert.pem \/usr\/share\/imapd.pem\r\n  cp \/tmp\/newcert.pem \/usr\/share\/pop3d.pem\r\n  chmod 400 \/usr\/share\/imapd.pem\r\n  chmod 400 \/usr\/share\/pop3d.pem\r\n  chmod 600 \/etc\/postfix\/postfix_default.pem\r\n  rm \/tmp\/newcert.pem\r\n  \/usr\/local\/psa\/admin\/sbin\/mailmng --restart-service\r\n}\r\n\r\nread -p "Install certificate of $MainDomain to Postfix\/IMAP\/POP ? [y\/N] "\r\n\r\nif [ "$Keypress" = "y" ]; then\r\n  mailcert "$MainDomain"\r\nfi<\/pre>\n
The script has a short configuration section at the top, most notably the domains you want to work on. They are give in a string array, containing the domain name given first when registering a certificate with LetsEncrypt as the first token, and all sub domains you want to secure with the same certificate separated with spaces. More precisely: Let’s encrypt stores your certificates into \/etc\/letsencrypt\/live\/<domain>, the first token is used to generate this path. I recommend using your domain without any subdomain for this purpose, i.e. “domain.tld sub.domain.tld sub2.domain.tld”. To achieve this, when calling lestencrypt-auto, give this domain as the first one, i.e.<\/p>\n
.\/letsencrypt-auto certonly --webroot -w \/var\/www\/httpdocs -d domain.tld -d sub.domain.tld<\/code><\/p>\n
This, of course, requires your domains to be set up in Plesk the same way, i.e. in Plesk, domains with the names “domain.tld”, “sub.domain.tld” and “sub2.domain.tld” must exist. The Plesk-CLI commands used to register and setup are:<\/p>\n