Let's encrypt provide free and easy SSL certificates. Nevertheless it need to verify that you own the machine. In order to do that we usually use HTTP verification with the .well-known directory.
- A domain name with its DNS hosted by OVH
- curl (sudo apt-get install curl)
- Python 2 or 3 and pip (sudo apt-get install python-pip)
- python-ovh (pip install ovh)
- dehydrated (git clone https://github.com/lukas2511/dehydrated)
- OVH hook (git clone https://github.com/antoiner77/letsencrypt.sh-ovh)
API Key generation
We need API keys in order to use the hook script for the DNS validation. For that, register the application on [OVH API] (https://eu.api.ovh.com/createApp/).
We get two elements from the website: APP_KEY APP_SECRET
We need to put them in our
ovh.conf file in the OVH hook script:
[default] ; general configuration: default endpoint endpoint=ovh-eu [ovh-eu] ; configuration specific to 'ovh-eu' endpoint application_key=APP_KEY application_secret=APP_SECRET ; uncomment following line when writing a script application ; with a single consumer key. ;consumer_key=MA_CLEFS
Now we need to generate the use token in order to validation our keys (you may need to had execution permissions to the script):
We get an other link where we need to authenticate one more time. When it is
done just press the
The script indicate the user token to insert in the
ovh.conf file. Be sure to
uncomment the line by deleting the
; at the beginning of the line.
The configuration file will be needed in the
dehydrated folder, let's just
create a symlink:
ln -s /home/user/letsencrypt.sh-ovh/ovh.conf /home/user/dehydrated/ovh.conf
The hook script configuration is finished, now let's configure the
In the domains.txt file, indicate the certificates that you want to generate. Each line will be a certificate but one certificate can be valid for several domains. For instance, the following configuration will generate two certificates each for two domains.
example.org www.example.org gitlab.example.com wikimedia.example.com
Just launch the dehydrated script (you may need to had execution permission):
./dehydrated -c -t dns-01 -k '/home/user/letsencrypt.sh-ovh/ovhdns.py'
-c(re)generate certificates, will renew them if they expire in less than one month
-t dns-01use the DNS challenge for acme validation
-kuse specific script for hook
The certificates are stored in
Automatically renew certificates
In order to automatically renew certificate:
Create a symlink in order to use the certificate and the necessary key. This
is the only moment where we will need root permissions. For
instance, for the gitlab certificate we need
# ln -s /home/user/dehydrated/certs/git.exemple.fr/fullchain.pem /etc/gitlab/ssl/gitlab.crt # ln -s /home/user/dehydrated/certs/git.exemple.fr/privkey.pem /etc/gitlab/ssl/gitlab.key
Add the following line to the crontab (
0 15 * * * cd /home/user/dehydrated/; ./dehydrated -c -t dns-01 -k '/home/user/letsencrypt.sh-ovh/ovhdns.py'