Wildcard Certificates with acme.sh
Latest revision as of 10:31, 5 March 2025
<code>acme.sh</code> is a lightweight, shell-script-based tool to handle Let's Encrypt certificates, etc.
== Install the bash script ==
<pre>
wget -O acme.sh https://get.acme.sh
</pre>
As root:
<pre>
sh acme.sh
</pre>
This will install the script to <code>/root/.acme.sh</code> and add it to the PATH by sourcing a script from root's <code>.bashrc</code>.
== Request a wildcard cert for lurk.org ==
We use wildcard certificates with DNS authentication, and we use the DNS server of our registrar, Porkbun. It's not great (terrible UI for DNS editing), but it's cheap. Porkbun DNS support was added in recent versions of <code>acme.sh</code>. To make it work, we first need to find our Porkbun API keys and use them to set the following environment variables in root's <code>.bashrc</code>:
<pre>
export PORKBUN_API_KEY="..."
export PORKBUN_SECRET_API_KEY="..."
</pre>
When ready and reloaded:
<pre>
acme.sh --issue --dns dns_porkbun -d lurk.org -d *.lurk.org
</pre>
Result:
* cert is in: <code>/root/.acme.sh/lurk.org_ecc/lurk.org.cer</code>
* cert key is in: <code>/root/.acme.sh/lurk.org_ecc/lurk.org.key</code>
* intermediate CA cert is in: <code>/root/.acme.sh/lurk.org_ecc/ca.cer</code>
* full-chain cert is in: <code>/root/.acme.sh/lurk.org_ecc/fullchain.cer</code>
== Install the certs for nginx ==
The following command will install the certs for nginx, assuming there is a <code>/etc/nginx/certs/</code> directory. It should be set and forget.
<pre>
acme.sh --install-cert -d lurk.org -d *.lurk.org --key-file /etc/nginx/certs/key.pem --fullchain-file /etc/nginx/certs/cert.pem --reloadcmd "systemctl force-reload nginx"
</pre>
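A post-install check worth running before trusting the set-and-forget renewal, added here as an example (it is not part of the wiki page or of <code>acme.sh</code>): it confirms that the key and full chain written for nginx belong together, that the certificate is not about to expire, and that both <code>lurk.org</code> and <code>*.lurk.org</code> are present in the SAN list (a wildcard entry does not cover the apex, which is why the issue command above names both). The file paths are the ones installed above; the function names and the 14-day threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity checks to run after
# "acme.sh --install-cert" and before relying on unattended renewal.
# Paths default to the ones the page installs for nginx; override via env.
CERT_FILE="${CERT_FILE:-/etc/nginx/certs/cert.pem}"
KEY_FILE="${KEY_FILE:-/etc/nginx/certs/key.pem}"

# cert_key_match CERT KEY
# Returns 0 when the public key inside CERT is the one derived from KEY.
# Both openssl commands print a SubjectPublicKeyInfo PEM, so the text is comparable.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS
# Returns 0 when CERT does not expire within the next DAYS days
# (openssl -checkend exits non-zero if the cert expires inside the window).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_has_san CERT NAME
# Returns 0 when NAME appears as an exact DNS entry in the SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep 'DNS:' | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF -- "DNS:$2"
}

# check_installed CERT KEY NAME...
# Runs every check and returns non-zero if any fails; suitable for a
# monitoring job or a wrapper around the reloadcmd.
check_installed() {
    cert="$1"; key="$2"; shift 2; rc=0
    if cert_key_match "$cert" "$key"; then
        echo "ok: key matches certificate"
    else
        echo "FAIL: $key does not match $cert" >&2; rc=1
    fi
    if cert_valid_for_days "$cert" 14; then
        echo "ok: certificate valid for more than 14 days"
    else
        echo "FAIL: certificate expires within 14 days (is renewal running?)" >&2; rc=1
    fi
    for name in "$@"; do
        if cert_has_san "$cert" "$name"; then
            echo "ok: SAN contains $name"
        else
            echo "FAIL: SAN is missing $name" >&2; rc=1
        fi
    done
    return $rc
}

# When run directly, check the installed files (skipped if they are absent).
if [ -r "$CERT_FILE" ] && [ -r "$KEY_FILE" ]; then
    check_installed "$CERT_FILE" "$KEY_FILE" lurk.org '*.lurk.org'
fi
```

Run it as root after the install command; a non-zero exit means nginx would have been force-reloaded onto a broken key/cert pair or onto a certificate that does not cover the wildcard.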
== Deployment for other services ==
<code>acme.sh</code> also supports custom installs of the certificates. They call this deployment, and all the scripts provided by the project can be found in <code>/root/.acme.sh/deploy</code>.
It's possible to make new deploy scripts quite easily; here is an example for <code>cooldaemon.sh</code>:
<pre>
#!/usr/bin/env sh
# deploy/cooldaemon.sh -- sourced by acme.sh; the function must be named
# <hookname>_deploy. acme.sh passes the domain and the paths of the key,
# cert, CA cert and full chain as positional arguments.
# this makes accessible as variables all the necessary paths and files
cooldaemon_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"
  # make a var for the target location
  _ssl_path="/etc/cooldaemon/certs/"
  # cooldaemon only needs the fullchain pem and the key, so
  # we only copy these (and bail out if a copy fails)
  cp "$_ckey" "$_ssl_path" || return 1
  cp "$_cfullchain" "$_ssl_path" || return 1
  # any extra commands can be added here, for instance
  # maybe cooldaemon is picky about cert ownership
  chown -R cooldaemon:cooldaemon "$_ssl_path"
  # last but not least we reload cooldaemon
  # please note that some other daemons may need a restart instead
  systemctl reload cooldaemon
  return 0
}
</pre>
To enable the deployment at every cert renewal:
<pre>
acme.sh --deploy -d lurk.org -d *.lurk.org --deploy-hook cooldaemon
</pre>
== Set up a cron job ==
<pre>
24 3 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --reloadcmd "systemctl force-reload nginx" --renew-hook "/root/icecast_certs.sh"
</pre>
To be fully modern and cool, we should probably switch from cron to a systemd timer, but that's for another day. There's also a deploy script for icecast, so this could theoretically all be done in one run, but there are no docs for <code>--cron</code> so it's not clear how to set this up. For now we use a post-renewal hook that concatenates the certs for icecast:
<pre>
#!/bin/sh
# turn the acme certs into a certificate chain for icecast streaming
cat /root/.acme.sh/\*.lurk.org/fullchain.cer > /usr/local/share/icecast/icecast.pem
cat /root/.acme.sh/\*.lurk.org/\*.lurk.org.key >> /usr/local/share/icecast/icecast.pem
systemctl restart icecast
</pre>
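A stricter variant of that hook, added here as an example (it is not the wiki's script): the hook above writes <code>icecast.pem</code> through a plain shell redirection, so the file is created with the process umask (0644 on most systems) and the private key half is readable by every local user. This version builds the file under a restrictive umask, hands it to the icecast service account, replaces the old file atomically, and checks the result before restarting. It assumes icecast runs as the user <code>icecast</code> (not stated on the wiki) and reuses the wiki's paths; the helper function names are this example's own.

```shell
#!/bin/sh
# Added example, not the wiki's own hook: a stricter /root/icecast_certs.sh.
# ASSUMPTIONS (not stated on the wiki): icecast runs as the user "icecast";
# source and target paths are the ones the wiki uses for lurk.org.
ACME_DIR="${ACME_DIR:-/root/.acme.sh/*.lurk.org}"   # literal directory name, as on the wiki
ACME_KEY="${ACME_KEY:-$ACME_DIR/*.lurk.org.key}"
ICECAST_PEM="${ICECAST_PEM:-/usr/local/share/icecast/icecast.pem}"
ICECAST_USER="${ICECAST_USER:-icecast}"

# file_mode FILE -> prints the permission bits in octal (GNU stat, BSD fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# build_combined_pem FULLCHAIN KEY OUT OWNER
# Writes FULLCHAIN followed by KEY to OUT, owned by OWNER with mode 0640.
# The temp file never exists with a permissive mode, and a failed build
# leaves the previous OUT untouched.
build_combined_pem() {
    fullchain="$1"; key="$2"; out="$3"; owner="$4"
    if [ ! -r "$fullchain" ] || [ ! -r "$key" ]; then
        echo "build_combined_pem: missing $fullchain or $key" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    # subshell so the umask change does not leak into the caller
    if ! ( umask 077; cat "$fullchain" "$key" > "$tmp" ); then
        rm -f "$tmp"; return 1
    fi
    # chown needs root; when run unprivileged (e.g. a test) we only warn
    chown "$owner" "$tmp" 2>/dev/null || echo "warning: could not chown $tmp to $owner" >&2
    chmod 0640 "$tmp"
    mv -f "$tmp" "$out"
}

# verify_combined_pem FILE -> 0 if FILE holds a cert and a key and is not world-readable
verify_combined_pem() {
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    grep -q 'PRIVATE KEY' "$1" || return 1
    case "$(file_mode "$1")" in
        *[1-7]) return 1 ;;   # last octal digit non-zero: "other" has some access
    esac
    return 0
}

# Only act when the acme.sh output directory is actually there.
if [ -d "$ACME_DIR" ]; then
    build_combined_pem "$ACME_DIR/fullchain.cer" "$ACME_KEY" "$ICECAST_PEM" "$ICECAST_USER" \
        && verify_combined_pem "$ICECAST_PEM" \
        && systemctl restart icecast
fi
```

Because the restart is chained after the build and the verification, a renewal that produced unreadable or incomplete files leaves the previous, still-valid <code>icecast.pem</code> in service instead of restarting icecast onto a broken one.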