How can I automatically renew a ZeroSSL certificate for nginx? I tried using the ZeroSSL bot, but it uses certificates from Let's Encrypt instead of ZeroSSL, and I can't use a Let's Encrypt certificate, because I need it to be trusted by older versions of Java 8 (Let's Encrypt is supported from Java 8u101). I tried using acme.sh as @Daniel B suggested, but it gives me an error.

  • @davidgo, from what I understand, this script is made for Apache (and it is doing something with files in /var/www), but I need to renew the certificate for nginx, which is working as a reverse proxy (and the certificates are also in a different directory, but this is the easiest thing to fix). And I am not good at Python, so I don't think that I have the skills to edit it. – doc. Chocholoušek Jul 03 '21 at 10:23
  • I've not used ZeroSSL, but it would appear to me it is embarrassingly easy to change the script. Just use a text editor like Notepad++ to modify the paths where you want to put the certificates, along with the other variables that need to be updated for your use case. – davidgo Jul 03 '21 at 11:01
  • Likewise (and again, I've not done much with Java), It would seem you can just import the LetsEncrypt certificates to the Java Key store (https://superuser.com/questions/1006250/how-to-add-lets-encrypt-to-the-java-allowed-certificates) or run the site behind a proxy. – davidgo Jul 03 '21 at 11:03
  • ZeroSSL also supports the ACME protocol. Are you sure the “ZeroSSL bot” you used was correctly set up and really retrieved Let’s Encrypt certificates? – Daniel B Jul 03 '21 at 13:22
  • @davidgo I know that I can edit the path, but as I said, it also does something with files in /var/www and I use nginx as a reverse proxy, so I don't have anything similar to this. I also can't add LetsEncrypt as a trusted authority, because I don't have access to the Java program, I just know it uses Java 8u51 (so older than Java 8u101, which added LetsEncrypt support). – doc. Chocholoušek Jul 03 '21 at 16:36
  • @DanielB, I don't have any idea if I used it correctly, because the GitHub documentation isn't the best documentation that I have seen, but I installed it using the quick method and it behaved exactly like certbot, and the certificate didn't work in Java 8u51, but the manually generated one does. (And the certificate shows that it is from LetsEncrypt, and also the folder containing it was named LetsEncrypt.) – doc. Chocholoušek Jul 03 '21 at 16:37

1 Answer

3

It appears the ZeroSSL bot (which is really just a wrapper for Certbot) has a small bug that prevents the required parameters from taking effect.

ZeroSSL uses the ACME protocol, just like Let’s Encrypt.

There is a pending pull request to fix the bug. You can use the fixed version right now by getting the source of the PR.

Alternatively, I suggest taking a look at acme.sh, a much more compact client that does not use Python. You can find the guide on ZeroSSL with acme.sh here. It boils down to (since you already have a ZeroSSL account):

  1. Get acme.sh

  2. Generate your EAB credentials at: https://app.zerossl.com/developer

  3. Log in:

    acme.sh --register-account --server zerossl --eab-kid xxxxxxxxxxxx --eab-hmac-key xxxxxxxxx
    
  4. Get certificates:

    acme.sh --issue -d example.com --nginx /etc/nginx/nginx.conf
    

    or

    acme.sh --issue -d example.com --nginx /etc/nginx/conf.d/example.com.conf
    

acme.sh is already set up to renew your certificates using a cron job.

Daniel B
  • 62,883
  • I was experimenting with it, but it always times out. The command that I use is acme.sh --issue -d domain --keypath path/to/the/key --fullchainpath path/to/the/certificate --nginx /etc/nginx/nginx.conf. The server is reachable only via IPv4 btw, but in the DNS I have only an A record, so it should be ok. – doc. Chocholoušek Jul 03 '21 at 22:07
  • What, exactly, times out? Please update your question with any error messages you might be seeing. – Daniel B Jul 04 '21 at 08:42
  • I edited it, but it was too long, so I needed to use hastebin and paste here the link. – doc. Chocholoušek Jul 04 '21 at 18:05
  • This log is unfortunately not useful, it only confirms that the acme.sh modifications to your nginx config are probably not working. You can always set stuff up manually and then use the webroot mode. – Daniel B Jul 05 '21 at 11:49
  • As I already said, I can't use the webroot mode, because I am using nginx as reverse proxy, not normal php web server. – doc. Chocholoušek Jul 05 '21 at 12:00
  • So? You just need to tell nginx not to proxy /.well-known/acme-challenge and instead serve some folder there. This is what acme.sh is trying to automate here anyway. – Daniel B Jul 05 '21 at 12:11
  • Oh, the config file was already changed by certbot and that caused the timeout of acme.sh – doc. Chocholoušek Jul 05 '21 at 23:38
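The manual setup Daniel B describes in the comments (nginx serves /.well-known/acme-challenge itself instead of proxying it, acme.sh runs in webroot mode so it never edits the nginx config) as an added example; this is not code from the answer or from the acme.sh project. The domain, webroot and certificate directory are assumed placeholders, and the local pre-check catches the "challenge path not served" situation that otherwise shows up only as an acme.sh timeout.

```shell
#!/bin/sh
# Added example, not from the original answer. Serve the ACME HTTP-01 challenge
# path locally on a reverse proxy, verify it, then issue via ZeroSSL with acme.sh
# in webroot mode. Domain and paths are assumed placeholders; adjust them.
set -eu

# Emit the location block to paste into the port-80 server {} of the proxy.
# "^~" makes this prefix win over a regex or plain "location /" proxy_pass,
# so the challenge path is answered by nginx itself, never by the backend.
acme_location_block() {      # usage: acme_location_block WEBROOT
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;   # acme.sh writes $1/.well-known/acme-challenge/<token>
    default_type text/plain;
}
EOF
}

# Before involving the CA, prove the challenge path is reachable over plain
# HTTP: drop a test token in the webroot and fetch it back through nginx.
# A mismatch here is exactly what makes acme.sh wait and eventually time out.
acme_precheck() {            # usage: acme_precheck DOMAIN WEBROOT
    dir="$2/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="precheck-$(date +%s)"
    printf 'ok\n' > "$dir/$token"
    body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$token") || body=""
    rm -f "$dir/$token"
    [ "$body" = "ok" ]
}

# Issue command: ZeroSSL as CA, webroot mode (-w) instead of --nginx, so
# acme.sh does not touch an nginx config that certbot may already have edited.
acme_issue_command() {       # usage: acme_issue_command DOMAIN WEBROOT
    printf 'acme.sh --issue --server zerossl -d %s -w %s' "$1" "$2"
}

# Install the key and chain where nginx reads them and reload nginx; the cron
# job acme.sh sets up re-runs this hook after every renewal.
acme_install_command() {     # usage: acme_install_command DOMAIN CERTDIR
    printf "acme.sh --install-cert -d %s --key-file %s/%s.key --fullchain-file %s/%s.fullchain.pem --reloadcmd 'systemctl reload nginx'" \
        "$1" "$2" "$1" "$2" "$1"
}

if [ "${1:-}" = "run" ]; then   # e.g.: sh acme-nginx.sh run example.com /var/www/acme
    acme_precheck "$2" "$3"
    eval "$(acme_issue_command "$2" "$3")"
    eval "$(acme_install_command "$2" /etc/nginx/ssl)"
fi
```

Run it without the `run` argument to only load the functions, or call `acme_location_block /var/www/acme` to print the nginx snippet for the port-80 server block.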