Wildcard Certificates with acme.sh: Difference between revisions

From Run Your Own
No edit summary
Line 2: Line 2:


== Install the bash script ==
== Install the bash script ==
  wget https://get.acme.sh  
  wget https://get.acme.sh  
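Review bot: the unchanged `wget https://get.acme.sh` line in this hunk saves the installer as `index.html` (wget names the file after the last URL path component, and this URL has none), so the `sh acme.sh` step that follows it on the page will not find a file to run; use `wget -O acme.sh https://get.acme.sh` (or the documented `wget -O - https://get.acme.sh | sh -s email=...`), and read the downloaded script before executing it as root.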


Line 12: Line 11:


== Request a wildcard cert for lurk.org ==
== Request a wildcard cert for lurk.org ==
We use wildcard certificates with DNS authentification, and we use the DNS server of our registrar, porkbun. It's not great (terrible UI for DNS editing), but it's cheap. Porkbun DNS support was added in recent versions of <code>acme.sh</code>. To make it work, we first need to find our Porkbun API keys and use them to set the following environment variables in root's <code>.bashrc</code>:


We use wildcard certificates with DNS authentification
export PORKBUN_API_KEY="..."
first find and export the gandi dns key:
  export PORKBUN_SECRET_API_KEY="..."
 
  export GANDI_LIVEDNS_KEY="fdmlfsdklmfdkmqsdfk"  


Then request a wildcard cert. (the dns key is added to a config file automatically for future renewals)
When ready and reloaded:


  acme.sh --issue --dns dns_gandi_livedns --nginx -d *.lurk.org
  acme.sh --issue --dns dns_porkbun -d lurk.org -d *.lurk.org


Find the certs in:
result:


/root/.acme.sh/\*.lurk.org/
* cert is in: <code>/root/.acme.sh/lurk.org_ecc/lurk.org.cer</code>
* cert key is in: <code>/root/.acme.sh/lurk.org_ecc/lurk.org.key</code>
* intermediate CA cert is in: <code>/root/.acme.sh/lurk.org_ecc/ca.cer</code>
* full-chain cert is in: <code>/root/.acme.sh/lurk.org_ecc/fullchain.cer</code>


== Install the certs for nginx ==
== Install the certs for nginx ==
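Review bot: the rewrite moves the DNS credentials permanently into root's `.bashrc` while dropping the old sentence "the dns key is added to a config file automatically for future renewals". acme.sh's `dns_porkbun` hook copies `PORKBUN_API_KEY` and `PORKBUN_SECRET_API_KEY` into `/root/.acme.sh/account.conf` on the first successful `--issue`, so the export is only needed once; suggest restoring that sentence and telling readers to remove the two `export` lines afterwards, since the secret key gives full write access to the zone and an rc file is read by every root shell. Two smaller points: `-d *.lurk.org` should be quoted (`-d '*.lurk.org'`) so the shell cannot glob-expand it, and the new path `/root/.acme.sh/lurk.org_ecc/` is only right for acme.sh's default ECC key; with `--keylength 2048` the directory is `/root/.acme.sh/lurk.org/`, worth a parenthetical. Adding `-d lurk.org` beside the wildcard is correct, since `*.lurk.org` does not cover the apex.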

Revision as of 22:34, 12 October 2024

acme.sh is a lightweight ACME client written in pure shell script. It obtains and renews certificates from Let's Encrypt (and other ACME CAs) and can install them for web servers.

Install the bash script

wget -O acme.sh https://get.acme.sh

As root:

sh acme.sh

This will install the script to /root/.acme.sh and make it available as the acme.sh command by sourcing /root/.acme.sh/acme.sh.env from root's .bashrc (open a new shell, or source that file, before continuing). The installer is fetched over the network and run as root, so read it before executing it.

Request a wildcard cert for lurk.org

We use wildcard certificates with DNS-01 validation (the only challenge type Let's Encrypt accepts for wildcards), and we use the DNS server of our registrar, Porkbun. It's not great (terrible UI for DNS editing), but it's cheap. Porkbun DNS support was added in recent versions of acme.sh (the dns_porkbun hook). To make it work, we first need to find our Porkbun API keys and use them to set the following environment variables in root's .bashrc:

export PORKBUN_API_KEY="..."
export PORKBUN_SECRET_API_KEY="..."

When ready and reloaded, request the cert. Both names are needed, because *.lurk.org covers one label only and never the bare lurk.org; the wildcard is quoted so the shell cannot glob-expand it:

acme.sh --issue --dns dns_porkbun -d lurk.org -d '*.lurk.org'

On the first successful issue acme.sh saves the two PORKBUN_* values into /root/.acme.sh/account.conf and reads them from there for renewals, so the export in .bashrc is only needed once; remove it afterwards rather than leaving a secret with full write access to the zone in a shell rc file.

result (the _ecc suffix is because acme.sh defaults to an ECC key; with --keylength 2048 the directory would be /root/.acme.sh/lurk.org/ instead):

  • cert is in: /root/.acme.sh/lurk.org_ecc/lurk.org.cer
  • cert key is in: /root/.acme.sh/lurk.org_ecc/lurk.org.key
  • intermediate CA cert is in: /root/.acme.sh/lurk.org_ecc/ca.cer
  • full-chain cert is in: /root/.acme.sh/lurk.org_ecc/fullchain.cer

Install the certs for nginx
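The whole procedure from the section above, as an added example that is not part of the wiki page: a POSIX shell script that checks the Porkbun credentials, issues the apex + wildcard cert with dns_porkbun, and installs it for nginx with acme.sh --install-cert. The acme.sh flags (--issue, --dns dns_porkbun, --install-cert, --ecc, --key-file, --fullchain-file, --reloadcmd) are the real ones; ACME_HOME, NGINX_SSL_DIR, the systemctl reloadcmd and the ACME_RUN guard are assumptions for this example. The helpers also spell out two details the page leaves implicit: the _ecc directory suffix, and that *.lurk.org alone would not cover lurk.org.

```shell
#!/bin/sh
# Added example, not code from the Run Your Own wiki: the issue + nginx-install
# steps as one script. ACME_HOME, NGINX_SSL_DIR and the reloadcmd are
# assumptions for this example; the acme.sh flags are the real ones.
set -eu

ZONE="${ZONE:-lurk.org}"
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"          # acme.sh default install dir
ACME="$ACME_HOME/acme.sh"
NGINX_SSL_DIR="${NGINX_SSL_DIR:-/etc/nginx/ssl}"  # assumed; any root-only dir works

# Directory acme.sh uses for a cert: "<apex>" for RSA keys, "<apex>_ecc" for
# ECC keys. ECC (ec-256) is the default, which is why the page shows lurk.org_ecc.
acme_cert_dir() {  # $1 = apex domain, $2 = --keylength value (default ec-256)
  _apex="$1"; _keylength="${2:-ec-256}"
  case "$_keylength" in
    ec-*) printf '%s/%s_ecc\n' "$ACME_HOME" "$_apex" ;;
    *)    printf '%s/%s\n' "$ACME_HOME" "$_apex" ;;
  esac
}

# Names that must be on a wildcard cert: the apex has to be listed explicitly,
# because *.zone matches exactly one label and never the bare zone.
wildcard_sans() {  # $1 = zone
  printf '%s *.%s\n' "$1" "$1"
}

# Fail early if the Porkbun API credentials are not in the environment;
# otherwise acme.sh only fails once it reaches the DNS hook.
require_porkbun_creds() {
  [ -n "${PORKBUN_API_KEY:-}" ] && [ -n "${PORKBUN_SECRET_API_KEY:-}" ]
}

# True when the long-lived secret is still sitting in a shell rc file. acme.sh
# stores it in account.conf after the first issue, so the export is only needed once.
secret_in_rc() {  # $1 = rc file, e.g. /root/.bashrc
  grep -q 'PORKBUN_SECRET_API_KEY=' "$1" 2>/dev/null
}

issue_wildcard() {  # $1 = zone
  require_porkbun_creds || { echo "PORKBUN_API_KEY / PORKBUN_SECRET_API_KEY not set" >&2; return 1; }
  # The wildcard is quoted so the shell cannot expand it against files in $PWD.
  "$ACME" --issue --dns dns_porkbun -d "$1" -d "*.$1"
}

# Copy key + full chain out of acme.sh's working dir and reload nginx.
# --install-cert records these paths and the reloadcmd, so every renewal
# re-runs the copy and the reload; nginx never points at ~/.acme.sh directly.
# --ecc selects the ECC cert issued above (the lurk.org_ecc directory).
install_for_nginx() {  # $1 = zone
  install -d -m 0750 "$NGINX_SSL_DIR"
  "$ACME" --install-cert -d "$1" --ecc \
    --key-file       "$NGINX_SSL_DIR/$1.key" \
    --fullchain-file "$NGINX_SSL_DIR/$1.fullchain.pem" \
    --reloadcmd      "systemctl reload nginx"
}

main() {
  if secret_in_rc /root/.bashrc; then
    echo "warning: PORKBUN_SECRET_API_KEY is exported in /root/.bashrc; remove it after this run" >&2
  fi
  issue_wildcard "$ZONE"
  install_for_nginx "$ZONE"
  echo "installed $(acme_cert_dir "$ZONE") -> $NGINX_SSL_DIR"
}

# Only touch acme.sh and nginx when explicitly asked, e.g.: ACME_RUN=1 sh wildcard.sh
if [ "${ACME_RUN:-0}" = 1 ]; then
  main
fi
```

Run it as root with ACME_RUN=1 after exporting the two PORKBUN_* variables; without ACME_RUN it only defines the functions, so it can be sourced or inspected safely. --install-cert is preferred over copying fullchain.cer and the key by hand because acme.sh remembers the target paths and reload command and re-applies them at every renewal.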

Deployment for other services