How we automate acmetool
Acmetool is my preferred client
for Let's Encrypt and the one we've
adopted for our switch to Let's Encrypt at work.
If you know acmetool, talking about automating it sounds like a
contradiction in terms, because the entire design of acmetool is
about automating everything already; you put it in cron (or more
exactly you let it put itself in cron as part of setup with
'quickstart'), and then you forget about it. Perhaps you have to
write a hook script or two or adjust file permissions because a
daemon runs as a different user, but that should be it.
However, there are a few questions that acmetool will ask you initially and there's one situation where it has to ask you a new question during certificate renewal, as was pointed out by a commentator on my earlier entry:
Recently Let's Encrypt switched over to a new version of their user agreement (v1.2). As a result, all certificate renewals for old accounts started failing (because they had only agreed to v1.1), and I had to ssh to all our servers, interactively run
acmetool, and re-confirm the signup process (agreement & email) myself.
Fortunately you can automate this too, and you should. Acmetool
supports a response file, which
contains answers to questions that
acmetool may try to ask you
during either installation or certificate renewal. We automate these
questions by preinstalling a
responses file in
which makes 'acmetool quickstart' work without having to ask us
anything. When Let's Encrypt updated their user agreement, we pushed
out a new version of the
responses file that auto-accepted it and
so returned certificate renewals to working without any manual
(The first renewal attempt after Let's Encrypt's update reported
errors, then we worked out what the problem was, updated the file,
pushed out a new version, and everything was happy. My personal
websites avoided the problem entirely because of the timing; I had
a chance to update my own
responses file before any of their
renewals came up, and when renewal time hit
acmetool was fine.)
The responses settings we use are:

    "acme-enter-email": "<redacted>@<redacted>"
    "acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
    "acmetool-quickstart-choose-method": webroot
    "acmetool-quickstart-webroot-path": "/var/www/.well-known/acme-challenge"
    "acmetool-quickstart-install-cronjob": true
    # add an additional line to accept any new user agreement; the key is
    # "acme-agreement:" followed by the agreement's URL, as documented in
    # acmetool's response-file documentation (the URL below is a placeholder)
    "acme-agreement:<URL of the new agreement PDF>": true
As shown in the example responses file, you
can set additional parameters like the normal key type, RSA key
size, and so on. We haven't bothered doing this so far, but we may
in the future.
You could vary the email address if you wanted to (for example for different classes of machines). We don't bother, because it's mostly unimportant; in practice, all it gets is the occasional email about one of our generic test machine hostnames that hasn't renewed its certificate because we haven't been using that hostname for anything that needed one.
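As an added example that is not part of the original post: a small POSIX shell script that checks a responses file for the answers quickstart needs before it gets pushed out, and then runs quickstart without any interaction. It assumes acmetool's global --batch option (refuse to ask questions and fail instead of prompting) and acmetool's default responses file location /var/lib/acme/conf/responses; the file contents used when exercising it are constructed.

```shell
#!/bin/sh
# Added example, not acmetool's own code. Assumes acmetool's global --batch
# option and the default responses file path /var/lib/acme/conf/responses.

RESPONSES_PATH="${RESPONSES_PATH:-/var/lib/acme/conf/responses}"

# Answers every machine must carry so that quickstart never has to prompt.
REQUIRED_KEYS="acme-enter-email acmetool-quickstart-choose-server acmetool-quickstart-choose-method acmetool-quickstart-install-cronjob"

# check_responses FILE: return 0 if FILE answers every required key,
# names a webroot path when the webroot method is chosen, and, if it
# carries an acme-agreement entry, has that entry set to true.
check_responses() {
    file="$1"
    [ -r "$file" ] || { echo "responses file $file not readable" >&2; return 1; }
    rc=0
    for key in $REQUIRED_KEYS; do
        if ! grep -q "^\"$key\":" "$file"; then
            echo "missing response for $key" >&2
            rc=1
        fi
    done
    # The webroot method is useless without a directory to write challenges to.
    if grep -q '^"acmetool-quickstart-choose-method": *webroot' "$file" \
       && ! grep -q '^"acmetool-quickstart-webroot-path":' "$file"; then
        echo "webroot method chosen but no webroot path given" >&2
        rc=1
    fi
    # An agreement entry that is not 'true' leaves renewals stuck asking again.
    if grep -q '^"acme-agreement:' "$file" \
       && ! grep -q '^"acme-agreement:[^"]*": *true$' "$file"; then
        echo "acme-agreement entry present but not set to true" >&2
        rc=1
    fi
    return $rc
}

# run_quickstart: refuse to proceed on a bad responses file, then let
# quickstart set itself up; --batch turns an unanswered question into an
# error rather than a prompt nobody is there to answer.
run_quickstart() {
    check_responses "$RESPONSES_PATH" || return 1
    acmetool --batch quickstart
}

# Usage: ./responses-check.sh check [FILE]   or   ./responses-check.sh quickstart
case "${1:-}" in
    check) check_responses "${2:-$RESPONSES_PATH}" ;;
    quickstart) run_quickstart ;;
esac
```

Running the check in whatever pushes the file out (a configuration management hook, for instance) catches a half-edited responses file before it reaches every server, which is exactly the situation the agreement change produced.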