certbot-cwebroot
Certbot plugin for clustered web servers
Installation
- Install certbot
-
Switch to the certbot virtualenv :
. ~/.local/share/letsencrypt/bin/activate
-
Install
certbot-cwebroot
:pip install certbot-cwebroot
Usage
This requires that you set up your webservers (all the servers that may be queried by the ACME server for the challenge, that is) for the webroot method, as described here.
- Get yourself an SSH key pair and deploy it on your remote hosts under the
same identity you will be using to run
certbot
. -
To use the local host as well as remote hosts
host2
andhost3
, runcertbot
like this :```/path/to/certbot certonly --authenticator certbot-cwebroot:cwebroot -d www.example.com --certbot-cwebroot:cwebroot-path /var/www/html/letsencrypt/ --certbot-cwebroot:cwebroot-host host2 --certbot-cwebroot:cwebroot-host host3
If you don't want the challenges to be hosted locally, you can use
--certbot-cwebroot:cwebroot-nolocal
. The certificate should be deployed in the usual directory (
/etc/letsencrypt
probably) on your localhost. As this follows the use cases for the webroot plugin (make no assumption on where the certificates should go), it is your job to deploy the obtained certificate to your target webservers.
How it works
The SSH connection are made with spur,
which is a very convenient wrapper around Paramiko.
Spur aims to run commands locally and remotely with the same interface, so
every file system operation that whas done in the webroot
plugin with python
functions is now run with shell commands an binaries, namely :
chown
mkdir
rm
rmdir
sh
stat
I have tested this on an Ubuntu 14.04, and nowhere else.