Existing setups & tweaks

Under construction

This section is under construction.

1. Multi-domain configuration example

.domtool/lib.dtl

val acmeChallengeAlias = begin
    location "/.well-known/acme-challenge" with unset_options [indexes]; end;
    alias "/.well-known/acme-challenge" "/afs/hcoop.net/user/b/bk/bkhl/www/acme/.well-known/acme-challenge";
end;

.domtool/elektrubadur.se:

val elektrubadurCertificate = use_cert "/etc/apache2/ssl/user/elektrubadur.se.pem";

val elektrubadurRewrite = rewriteRule "^(.*)$" "https://elektrubadur.se$1" [redirectWith permanent];

val elektrubadurSubdomainAlias = \name -> begin
    web name with elektrubadurRewrite; end;
    web name where SSL = elektrubadurCertificate; with elektrubadurRewrite; end;
end;

dom "elektrubadur.se" where
    DocumentRoot = home "www/elektrubadur.se";
    CreateWWW = false;
with
    addDefaultSPF;

    vhostDefault where
        SSL = elektrubadurCertificate;
    with
        errorDocument "404" "/404.html";

        expiresByType "text/plain" access 1 days;
        expiresByType "text/css" access 1 days;

        expiresByType "image/jpeg" access 1 weeks;
        expiresByType "image/png" access 1 weeks;
        expiresByType "image/gif" access 1 weeks;
        expiresByType "image/svg" access 1 weeks;
        expiresByType "image/vnd.microsoft.icon" access 1 weeks;

        acmeChallengeAlias;
    end;

    vhostDefault with elektrubadurRewrite; end;

    elektrubadurSubdomainAlias "www";
    elektrubadurSubdomainAlias "bkhl";

    web "test" where
        DocumentRoot = home "www/test.elektrubadur.se";
        SSL = elektrubadurCertificate;
    with
        acmeChallengeAlias;
    end;

    web "test" with
        rewriteRule "^(.*)$" "https://test.elektrubadur.se$1" [redirectWith permanent];
    end;

    web "cloud" where
        DocumentRoot = home "www/cloud.elektrubadur.se";
        SSL = elektrubadurCertificate;
    with
        location "/" with
            unset_options [indexes, multiViews];
            directoryIndex ["index.php", "index.html"];
        end;

        expiresByType "text/css" access 1 weeks;
        expiresByType "application/javascript" access 1 weeks;
        expiresByType "image/svg" access 1 weeks;
        expiresByType "image/gif" access 1 weeks;
        expiresByType "application/font-woff2" access 1 weeks;

        setEnvIfNoCase "^Authorization$" "(.+)" ["XAUTHORIZATION=$1"];

        rewriteCond "%{HTTP_USER_AGENT}" "DavClnt" [];
        rewriteRule "^$" "/remote.php/webdav/" [redirectWith temp, last];

        rewriteRule ".*" "-" [env "HTTP_AUTHORIZATION" "%{HTTP:Authorization}"];
        rewriteRule "^\.well-known/host-meta" "/public.php?service=host-meta" [qsappend, last];
        rewriteRule "^\.well-known/host-meta\.json" "/public.php?service=host-meta-json" [qsappend, last];
        rewriteRule "^\.well-known/webfinger" "/public.php?service=webfinger" [qsappend, last];
        rewriteRule "^\.well-known/carddav" "/remote.php/dav/" [redirectWith permanent, last];
        rewriteRule "^\.well-known/caldav" "/remote.php/dav/" [redirectWith permanent, last];
        rewriteRule "^remote/(.*)" "remote.php" [qsappend, last];
        rewriteRule "^(?:build|tests|config|lib|3rdparty|templates)/.*" "-" [redirectWith notfound, last];
        rewriteCond "%{REQUEST_URI}" "!^/\.well-known/(acme-challenge|pki-validation)/.*" [];
        rewriteRule "^(?:\.|autotest|occ|issue|indie|db_|console).*" "-" [redirectWith notfound, last];

        acmeChallengeAlias;
    end;

    web "cloud" with
        rewriteRule "^(.*)$" "https://cloud.elektrubadur.se$1" [redirectWith permanent];
    end;

    emailAlias "admin" "bkhl";
    emailAlias "info" "bkhl";
end;

command:

~/.acme.sh/acme.sh --issue -d elektrubadur.se -d www.elektrubadur.se -d bkhl.elektrubadur.se -d cloud.elektrubadur.se -d test.elektrubadur.se -w $HOME/www/acme/

And later on just ~/.acme.sh/acme.sh --renew-all

2. Mostly-automated renewals

You can edit example.com in the command below to be your domain paths and put the following into your ~/.bashrc. Then you just need to run letsencrypt_renew and open the link to submit the request.

. "$HOME/.acme.sh/acme.sh.env"

letsencrypt_renew() {
    local domain="example.com"
    local cert_dir="$HOME/certificates/$domain"
    local keyfile="$cert_dir/$(date --iso-8601)-$domain.pem"

    acme.sh --renew-all "$@" && cat "$cert_dir/$domain".{cer,key} "$cert_dir"/ca.cer > "$keyfile"

    if test -f "$keyfile"
    then
        >&2 printf 'Open this link to submit:\n'
        >&2 printf \
            'https://members.hcoop.net/portal/cert?cmd=request&cert=%s&domain=%s&subdomain=&msg=routine+renewal\n' \
            "$keyfile" "$domain"
    else
        >&2 printf 'Error renewing cert, see above for more info (hopefully)\n'
    fi
}