Replacing the buggy official client with a smart and efficient bash script.

Using the official client here for certificate renewal about every 3 months was not a pleasant experience.

The client is 11MB, needs a huge amount of RAM, depends on a Python environment, and has some other problems as "BETA SOFTWARE".

It did the job with the nginx web server, but we had a problem running it on a Linux machine in the cloud with limited resources. So we were in search of alternatives.

letsencrypt.sh

The bash script we are promoting here is free, small (890 lines of code), easy to configure, and does the job with multiple domains like a charm.

You can find it here.

How it works (letsencrypt test environment)

Download the script and make it executable. Create a file domains.txt in the same directory listing all your domains and alternative names, for example:

domains.txt

example1.org www.example1.org

example2.org www.example2.org

Create a file config.sh with the content:

config.sh

WELLKNOWN="/var/www/letsencrypt"

CA="https://acme-staging.api.letsencrypt.org/directory" # This is for testing!

Create the directory /var/www/letsencrypt and give the relevant permissions for your web server to read.

mkdir -p /var/www/letsencrypt

Create the following entry for every virtual host you serve in your web server.

For example:

server {

...

server_name .example1.org www.example1.org;

...

location /.well-known/acme-challenge {

alias /var/www/letsencrypt;

}

...

}

Reload your web server.

With this configuration, your server will, during the renewal procedure, serve a URL like this:

http://example1.org/.well-known/acme-challenge/c3VjaC1jaGFsbGVuZ2UtbXVjaA-aW52YWxpZC13b3c

...in order to verify your domain name.

Now you can run the script:

./letsencrypt.sh -c -f ./config.sh

After a successful run, the script creates the file "private_key.pem" and a directory named "certs" with subdirectories named after your domain names (for example "example1.org", "example2.org") containing your certificates.

Check that your certificates were created successfully, but DO NOT USE THEM FOR THE PRODUCTION SERVER.

Production environment

For a production run you need to comment out the CA argument in the config.sh file (the production CA endpoint is the default):

config.sh

WELLKNOWN="/var/www/letsencrypt"

#CA="https://acme-staging.api.letsencrypt.org/directory"

Delete the private_key.pem file that was generated by the tests.

Now you can re-run the script to generate production certificates.

The last thing you need to do is add the procedure to a cron job, followed by a web server reload, and forget everything about the certificate validity period of your secure domains.
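
One way to write that cron job, as an added example rather than code from this post or from the letsencrypt.sh project: the wrapper refuses to run while config.sh still has the staging CA active, and reloads the web server only when files under certs changed. The install directory /opt/letsencrypt, the script name renew.sh, the cron schedule and the nginx -s reload command are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for the renewal run described above.
# Assumed, not from the post: install directory and reload command.
# Constructed cron entry: 17 3 * * 1 /opt/letsencrypt/renew.sh run
BASEDIR="${BASEDIR:-/opt/letsencrypt}"
RENEW_CMD="${RENEW_CMD:-./letsencrypt.sh -c -f ./config.sh}"
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# Print "staging" when config.sh has an active staging CA line, otherwise
# "production" (the default endpoint once the CA line is commented out).
ca_mode() {
    if grep -Eq '^[[:space:]]*CA=.*staging' "$1"; then
        echo staging
    else
        echo production
    fi
}

# Checksum over every regular file under certs/, to detect new certificates.
certs_fingerprint() {
    [ -d "$1/certs" ] || { echo none; return 0; }
    find "$1/certs" -type f -exec cksum {} + | sort | cksum
}

# Runs in a subshell so the cd does not leak; exit sets the function status.
# 1 = no BASEDIR, 2 = staging CA active, 3 = renewal failed.
renew_and_reload() (
    cd "$BASEDIR" || exit 1
    if [ "$(ca_mode ./config.sh)" = staging ]; then
        echo "config.sh still uses the staging CA; not renewing" >&2
        exit 2
    fi
    before=$(certs_fingerprint .)
    # Unquoted on purpose: the command string is split into words.
    $RENEW_CMD || { echo "renewal failed; web server untouched" >&2; exit 3; }
    after=$(certs_fingerprint .)
    # Reload only when certificate files actually changed.
    if [ "$before" != "$after" ]; then
        $RELOAD_CMD
    fi
)

if [ "${1:-}" = "run" ]; then
    renew_and_reload
fi
```

Because cron mails anything written to stderr, a failed renewal or a leftover staging setting shows up as a message instead of a silently expiring certificate.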

(Do not forget to thank lukas2511)

Example run