From 62f6effccde6c16a7b8e95711473a7e8d57065bc Mon Sep 17 00:00:00 2001
From: Tobias Strobel
Date: Sat, 11 Sep 2021 17:22:13 +0200
Subject: [PATCH] Add instructions for acme.sh

---
 acmesh.md | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 acmesh.md

diff --git a/acmesh.md b/acmesh.md
new file mode 100644
index 0000000..15835fb
--- /dev/null
+++ b/acmesh.md
@@ -0,0 +1,88 @@
+# acme.sh TLS Certificates
+
+## Install acme.sh
+
+Add separate user acmeuser.
+
+```bash
+adduser --disabled-login acmeuser
+```
+
+Install acme.sh as separate user acmeuser
+
+```bash
+mkdir /etc/acmesh
+chown acmeuser /etc/acmesh
+sudo -su acmeuser
+
+# Run these commands as user acmeuser
+cd ~
+git clone https://github.com/acmesh-official/acme.sh.git
+cd acme.sh
+./acme.sh --install \
+--home /etc/acmesh \
+--accountemail "hostmaster@domain.tld"
+cd ~ && rm -r acme.sh
+source ~/.bashrc
+acme.sh --set-default-ca --server letsencrypt
+```
+
+## Set up DNS validation with knsupdate (Knot)
+
+Specify the DNS server which hosts your zone and the TSIG key which can update the zone via dynamic updates.
+
+```bash
+apt install -y knot-dnsutils
+
+export KNOT_SERVER="dns.domain.tld"
+export KNOT_KEY=hmac-sha512:sub.domain.tld:SuperSecretKey==
+```
+
+## Issue a certificate
+
+```bash
+DOMAINLE=sub.domain.tld; acme.sh --issue -d $DOMAINLE --dns dns_knot --ecc -k ec-384
+```
+
+## Install a certificate
+
+```bash
+# --cert-file Path to copy the cert file to after issue/renew.
+# --key-file Path to copy the key file to after issue/renew.
+# --ca-file Path to copy the intermediate cert file to after issue/renew.
+# --fullchain-file Path to copy the fullchain cert file to after issue/renew.
+# --reloadcmd Command to execute after issue/renew to reload the server.
+
+DOMAINLE=sub.domain.tld
+CERTPATH=/etc/ssl/private/$DOMAINLE
+mkdir -p $CERTPATH
+acme.sh --install-cert -d $DOMAINLE --ecc \
+ --fullchain-file $CERTPATH/fullchain.pem \
+ --key-file $CERTPATH/privkey.pem \
+ --ca-file $CERTPATH/chain.pem \
+ --reloadcmd "/usr/bin/systemctl reload nginx.service"
+```
+
+## Set up notifications
+
+Follow instructions for [gotify notifications](https://code.strobeto.de/strobeltobias/acme.sh-notify-hooks#set-notification-for-gotify-webhooks) first.
+
+Enable notifications via mail (requires local MTA set up for sending mails) and gotify.
+
+```bash
+acme.sh --set-notify \
+ --notify-hook mail \
+ --notify-hook gotify \
+ --notify-level 2 \
+ --notify-mode 0
+```
+
+## Set correct permissions
+
+```bash
+usermod -a -G www-data acmeuser
+chown -R acmeuser:ssl-cert /etc/ssl/private
+chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
+chmod -R 750 /etc/ssl/private
+find /etc/ssl/private/ -type f -print0 | xargs -0 chmod 0640
+```
\ No newline at end of file
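Review bot: `chown -R acmeuser:ssl-cert /etc/ssl/private` in the "Set correct permissions" block hands the unprivileged ACME account ownership of every file already under /etc/ssl/private, and only `ssl-cert-snakeoil.key` is given back to root afterwards, so any other pre-existing private key there becomes writable by acmeuser. Limiting the recursive chown to the per-domain directory the install step creates, `chown -R acmeuser:ssl-cert /etc/ssl/private/$DOMAINLE`, keeps the rest of the tree root-owned. The `--reloadcmd "/usr/bin/systemctl reload nginx.service"` is executed by acmeuser on each renewal and will presumably fail without a sudoers rule scoped to that single command, which the page does not mention; a sentence such as "grant acmeuser `NOPASSWD` for `/usr/bin/systemctl reload nginx.service` in sudoers" would close that gap. The `export KNOT_KEY=...` line also places the TSIG secret in the interactive shell's history, which is worth a caveat since that key can rewrite the zone.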