Getssl

Obtain free SSL certificates from the letsencrypt ACME server. Suitable for automating the process on remote servers.

getssl

Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for automating the process on remote servers.

Upgrade broken in v2.43

The automatic upgrade in v2.43 is broken as the URL is incorrect. If you have this version installed you'll need to manually upgrade using:

curl --silent --user-agent getssl/manual https://raw.githubusercontent.com/srvrco/getssl/latest/getssl --output getssl

Features

  • Bash - It runs on virtually all unix machines, including BSD, most Linux distributions, macOS.
  • Get certificates for remote servers - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, e.g. if it's a shared server.
  • Runs as a daily cron - so certificates will be automatically renewed when required.
  • Automatic certificate renewals
  • Checks certificates are correctly loaded - After installing a new certificate, it tests the specified port (see Server-Types for options) to confirm that the certificate is actually being used correctly.
  • Automatically updates - The script can automatically update itself with bug fixes etc if required.
  • Extensively configurable - With a simple configuration file for each certificate it is possible to configure it exactly for your needs, whether a simple single domain or multiple domains across multiple servers on the same certificate.
  • Supports http and dns challenges - Full ACME implementation
  • Simple and easy to use
  • Detailed debug info - Whilst it shouldn't be needed, detailed debug information is available.
  • Reload services - After a new certificate is obtained then the relevant services (e.g. apache/nginx/postfix) can be reloaded.
  • ACME v1 and v2 - Supports both ACME versions 1 and 2 (note: ACMEv1 is deprecated and clients will automatically use v2)

Overview

GetSSL is written in standard bash, so it can be run on a server, a desktop computer, or even a VirtualBox VM, and it can add the checks and certificates to a remote server (provided you have ssh with key, sftp or ftp access to that server).

getssl ver. 2.36
Obtain SSL certificates from the letsencrypt.org ACME server

Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-Q|--mute] [-u|--upgrade] [-X|--experimental tag] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] [--preferred-chain chain] domain   

Options:
  -a, --all          Check all certificates
  -d, --debug        Output debug information
  -c, --create       Create default config files
  -f, --force        Force renewal of cert (overrides expiry checks)
  -h, --help         Display this help message and exit
  -i, --install      Install certificates and reload service
  -q, --quiet        Quiet mode (only outputs on error, success of new cert, or getssl was upgraded)
  -Q, --mute         Like -q, but also mute notification about successful upgrade
  -r, --revoke   "cert" "key" [CA_server] Revoke a certificate (the cert and key are required)
  -u, --upgrade      Upgrade getssl if a more recent version is available - can be used with or without domain(s)
  -X  --experimental tag Allow upgrade to a specified version of getssl
  -U, --nocheck      Do not check if a more recent version is available
  -v  --version      Display current version of getssl
  -w working_dir "Working directory"
    --preferred-chain "chain" Use an alternate chain for the certificate

Quick Start Guide

You can download precompiled RPM packages and Debian (DEB) packages from the release page for this project, or you can manually build and install the program from the git sources.

If you want to manually install the program from scratch with the git sources rather than use the pre-compiled RPMS and DEB packages, or if your target platform does not support Linux RPM or DEB packages, then please skip to the section Manual Installation for instructions on installing the getssl program manually.

Packages are provided in binary and source versions, and can be downloaded and installed directly or rebuilt. Package types are Red Hat Package Manager (RPM) packages and Debian (DEB) packages for binary installation and Source RPM packages (SRPMS) and Debbuild SDEB packages for source code installation.

RPM and DEB packages for each release include a binary architecture specific package and a source package which can be downloaded and built/rebuilt and which contains the source code.

For example, the release v2.49 contains the following packages in the release section:

RPM Based Packages (RedHat, CentOS, SuSe, Oracle Linux, AWS Linux)

Debian Based Packages (Debian, Ubuntu)

Installing Binary Packages

To install the binary package with the rpm package manager for RedHat, CentOS, SuSe, Oracle Linux, or AWS Linux distributions:

rpm -i getssl-2.49-1.noarch.rpm

To deinstall the RPM binary package:

rpm -e getssl

To install the binary package with the Debian dpkg package manager for Debian and Ubuntu Linux distributions:

dpkg -i getssl_2.49-1_all.deb

To deinstall the Debian dpkg binary package:

dpkg -r getssl

Installing Source Packages

To install the source package with the rpm package manager for RedHat, CentOS, SuSe, Oracle Linux, or AWS Linux distributions:

rpm -i getssl-2.48-1.src.rpm 

(Note: rpm installs the source code files in /root/rpmbuild/ as top directory for RedHat, CentOS, Oracle Linux, and AWS Linux platforms. SuSe platforms install the source code files in /usr/src/packages/)

To install the source package with the Debbuild package tool for Debian or Ubuntu Linux distributions:

debbuild -i getssl-2.49-1.sdeb

(Note: Debbuild installs the source code files in /root/debbuild/ as top directory)

Note that SDEB packages are just tar.gz archives renamed with an .sdeb file extension, with the files organized into a SPECS and SOURCES directory tree structure. Consequently, an SDEB can also be extracted and installed with the tar -xvf command, or its files listed with the tar -tvf command:

[root@localhost getssl]$ tar -tvf /root/debbuild/SDEBS/getssl-2.49-1.sdeb 
-rw-r--r-- root/root   1772110 2022-10-12 20:42 SOURCES/getssl-2.49.tar.gz
-rw-r--r-- root/root       192 2022-08-02 15:02 SOURCES/getssl.crontab
-rw-r--r-- root/root       126 2022-08-02 15:02 SOURCES/getssl.logrotate
-rw-r--r-- root/root      1537 2022-08-02 15:02 SPECS/getssl.spec
[root@localhost getssl]$ 

For building or rebuilding RPMS or DEB Packages after you have installed the associated source packages on your platform, refer to the following:

Manual Installation

Since the script is only one file, you can use the following command for a quick installation of GetSSL only:

curl --silent https://raw.githubusercontent.com/srvrco/getssl/latest/getssl > getssl ; chmod 700 getssl

This will copy the getssl Bash script to the current location and change the permissions to make it executable for you.
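A more defensive form of the same download, as an added example that is not part of the getssl project: it fetches to a temporary file, makes HTTP errors fail instead of saving an error page as the script, and only then sets mode 700 and moves the file into place. The function names validate_getssl_download and install_getssl are hypothetical; the URL and user agent are the ones shown on this page.

```shell
# Added example (not getssl's own code). Helper names are hypothetical.
GETSSL_URL="https://raw.githubusercontent.com/srvrco/getssl/latest/getssl"

# Return 0 only if the file is non-empty, starts with a bash shebang,
# and parses cleanly. Nothing in the file is executed.
validate_getssl_download() {
  vgd_file="$1"
  [ -s "$vgd_file" ] || { echo "download is empty" >&2; return 1; }
  IFS= read -r vgd_first < "$vgd_file" || true
  case "$vgd_first" in
    '#!'*bash*) ;;
    *) echo "not a bash script: $vgd_first" >&2; return 1 ;;
  esac
  # bash -n only parses; it catches truncated transfers.
  bash -n "$vgd_file" 2>/dev/null || { echo "syntax check failed" >&2; return 1; }
}

# Download to a temp file next to the destination, validate, then
# replace the destination in one step so a bad fetch never lands there.
install_getssl() {
  ig_dest="${1:-./getssl}"
  ig_tmp="$(mktemp "${ig_dest}.XXXXXX")" || return 1
  # --fail: an HTTP error gives a non-zero exit, not a saved error body.
  # --proto '=https': refuse non-HTTPS URLs and redirects.
  if curl --fail --silent --show-error --location \
          --proto '=https' --tlsv1.2 --user-agent getssl/manual \
          --output "$ig_tmp" "$GETSSL_URL" \
     && validate_getssl_download "$ig_tmp"; then
    chmod 700 "$ig_tmp" && mv -f "$ig_tmp" "$ig_dest"
  else
    rm -f "$ig_tmp"
    return 1
  fi
}

# Usage: install_getssl ./getssl
```

These checks confirm the download is a complete, parseable bash script; they do not prove it is the file the project published.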

For a more comprehensive installation (e.g. to also install the helper scripts), use the Makefile provided with each release tarball and run its install target.

You'll find the latest version in the git repository:

git clone https://github.com/srvrco/getssl.git

For Arch Linux there are packages in the AUR, see here and there.

If you use Puppet, there is a GetSSL Puppet module by dthielking.

Getting started

Once you have obtained the script (see Installation above), the next step is to use

./getssl -c yourdomain.co

GitHub Stars: 2.2k
Category: Development
Updated: 1d ago
Forks: 385

Languages

Shell

Security Score

100/100

Audited on Mar 19, 2026

No findings