== Using acme.sh ==

<code>acme.sh</code> is a lightweight shell script based tool to handle Let's Encrypt certificates. Since the certbot Gandi DNS plugin has been giving issues over the past months (no smooth renewal, leading to unavailability of sites) we started moving things to <code>acme.sh</code>. It seems to work better and is easier to set up.

=== Install the bash script ===

<pre>
wget https://get.acme.sh
</pre>

As root:

<pre>
sh acme.sh
</pre>

This will install the script to <code>/root/.acme.sh</code> and add it to the path by sourcing a script from root's <code>.bashrc</code>.

=== Request a wildcard cert for lurk.org ===

We use wildcard certificates with DNS authentication.

First find and export the Gandi DNS key:

<pre>
export GANDI_LIVEDNS_KEY="fdmlfsdklmfdkmqsdfk"
</pre>

Then request a wildcard cert (the DNS key is added to a config file automatically for future renewals; it is stored there in plaintext, so <code>/root/.acme.sh</code> must stay readable by root only). The wildcard is quoted so the shell does not try to expand it:

<pre>
acme.sh --issue --dns dns_gandi_livedns --nginx -d '*.lurk.org'
</pre>

Find the certs in:

<pre>
/root/.acme.sh/*.lurk.org/
</pre>

=== Install the certs for nginx ===

=== Deployment for other services ===

== Migration status ==

Done:

* VMB (nginx, masto, icecast)

To do:

* agnes (nginx, prosody, mm3)
* douglas (???)

== Ref ==

* https://forums.freebsd.org/threads/howto-ssl-tls-certificates-with-acme-sh.61231/ (FreeBSD)

= N.B. everything below is for archival reference =

== Base installation ==

<pre>
apt install python-pip
pip install wheel
pip install certbot
</pre>

== DNS plugins ==

=== Gandi ===

'''NOTE: At time of writing, only an API key from the domain owner will work. Another account, even if listed as technical contact, will not be able to use the LiveDNS API, just the LiveDNS web interface. Since the writing of this HOWTO, there is now this as well https://github.com/obynio/certbot-plugin-gandi TODO'''

* Get an API key from Gandi (somewhere in account settings)
* Install certbot-plugin-gandi:

<pre>
pip install 'git+https://gitlab.com/cspublic/certbot-plugin-gandi.git'
mkdir /etc/certbot-plugin-gandi
</pre>

* Create <code>/etc/certbot-plugin-gandi/gandi.ini</code> with the following:

<pre>
certbot_plugin_gandi:dns_api_key=APIKEY
</pre>

* A bit of paranoia (the file holds a key that can change any DNS record in the zone):

<pre>
chmod 600 /etc/certbot-plugin-gandi/gandi.ini
</pre>

* Request a certificate for both mydomain.blabla '''and''' *.mydomain.blabla

'''NOTE: At time of writing, the default server endpoint used by certbot (0.22) is not compatible with ACME v2; as a workaround --server must be passed manually. The next version of certbot should point to the right server.'''

<pre>
/usr/local/bin/certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/certbot-plugin-gandi/gandi.ini -d mydomain.blabla -d '*.mydomain.blabla' --server https://acme-v02.api.letsencrypt.org/directory
</pre>

* If all goes well the certs will be there:

'''NOTE: At time of writing, certbot-plugin-gandi seems to behave a bit funnily when asked to request a challenge for a wildcard cert (it works flawlessly for regular domains). It might be needed to run the command several times to get the infamous CONGRATULATIONS message from certbot.'''

<pre>
/etc/letsencrypt/live/mydomain.blabla/fullchain.pem
/etc/letsencrypt/live/mydomain.blabla/privkey.pem
</pre>

== Renewal ==

To non-interactively renew *all* of your certificates:

<pre>
/usr/local/bin/certbot renew
</pre>

=== douglas ===

=== agnes ===

'''TODO: hooks!'''

<pre>
service nginx restart
prosodyctl reload
</pre>

[[Category:Certificates]]
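The "Install the certs for nginx" and "Deployment for other services" sections are still empty, and the archival certbot notes end at "TODO: hooks!". As an added example (not code from this wiki or from the acme.sh project), here is a deploy hook that acme.sh can run from <code>--reloadcmd</code> after each renewal; the install directory <code>/etc/ssl/lurk.org</code>, the <code>prosody</code> group name and the script name are assumptions.

```shell
#!/bin/sh
# Deploy hook run by acme.sh after every successful renewal, wired up once with
# (paths and script name are assumptions, not taken from the wiki page):
#   acme.sh --install-cert -d '*.lurk.org' \
#     --fullchain-file /etc/ssl/lurk.org/fullchain.pem \
#     --key-file       /etc/ssl/lurk.org/privkey.pem \
#     --reloadcmd      /usr/local/sbin/deploy-lurk-certs.sh
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/lurk.org}"   # assumed install location
PROSODY_GROUP="${PROSODY_GROUP:-prosody}"   # assumed prosody daemon group

# Accept only a non-empty cert/key pair whose public keys match, so a
# half-written or mismatched file never reaches nginx or prosody.
check_pair() {
    cert="$1"; key="$2"
    [ -s "$cert" ] && [ -s "$key" ] || return 1
    c=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# The key stays root-owned and readable by the prosody group only; the chain is public.
set_perms() {
    dir="$1"; group="$2"
    chown root:"$group" "$dir/privkey.pem"
    chmod 0640 "$dir/privkey.pem"
    chmod 0644 "$dir/fullchain.pem"
}

# Test the nginx config before reloading so a bad deploy cannot take the
# sites offline, which is the outage that motivated the move to acme.sh.
reload_services() {
    nginx -t && service nginx reload
    prosodyctl reload
}

main() {
    if ! check_pair "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem"; then
        echo "deploy: missing or mismatched cert/key in $CERT_DIR" >&2
        exit 1
    fi
    set_perms "$CERT_DIR" "$PROSODY_GROUP"
    reload_services
}

# Only deploy when executed as the hook, not when sourced for testing.
case "${0##*/}" in deploy-lurk-certs.sh) main ;; esac
```

If the key check fails the hook exits non-zero, which acme.sh reports as a failed reload, so the old key and chain keep serving until someone looks.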