Scripts and guides to make automated SSL-updating with least possible permissions needed.
Depencies:
https://github.com/diafygi/acme-tiny (At least) Debian has this at repo, use that one for now
https://github.com/zakjan/cert-chain-resolver Pull to script users home
Idea is that ssl-updater.sh per certificate is run as daily cronjob and it will check need for renewing SSL-certificate and update it as neccesary, all while machine permissions is kept to absolute minimum. only ssl-updater needs Lets encrypt account key, only www-data needs certificate key (apart human user when issuing certificate signing request file once), and so on.
Run daily as cron job, can be run manually. Takes one optional parameter, "force", to attempt certificate renewal instantly.
Generates crypt()-compatible SHA-512 (
- Document system group addition, so www-data and script can share needed file permissions
- Explain file structure and permissioning for certificates and related files under /var/www/
- Nginx (minimum) examples
- Document visudo example so that ssl-updater script has power to restart Nginx and only that