Add instructions for acme.sh
This commit is contained in:
parent
ba70e648a6
commit
62f6effccd
1 changed files with 88 additions and 0 deletions
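--- /dev/null
+++ b/acmesh.md
@@ -0,0 +1,88 @@
+# acme.sh TLS Certificates
+
+## Install acme.sh
+
+Add separate user acmeuser.
+
+```bash
+adduser --disabled-login acmeuser
+```
+
+Install acme.sh as separate user acmeuser
+
+```bash
+mkdir /etc/acmesh
+chown acmeuser /etc/acmesh
+sudo -su acmeuser
+
+# Run these commands as user acmeuser
+cd ~
+git clone https://github.com/acmesh-official/acme.sh.git
+cd acme.sh
+./acme.sh --install \
+--home /etc/acmesh \
+--accountemail "hostmaster@domain.tld"
+cd ~ && rm -r acme.sh
+source ~/.bashrc
+acme.sh --set-default-ca --server letsencrypt
+```
+
+## Set up DNS validation with knsupdate (Knot)
+
+Specify the DNS server which hosts your zone and the TSIG key which can update the zone via dynamic updates.
+
+```bash
+apt install -y knot-dnsutils
+
+export KNOT_SERVER="dns.domain.tld"
+export KNOT_KEY=hmac-sha512:sub.domain.tld:SuperSecretKey==
+```
+
+## Issue a certificate
+
+```bash
+DOMAINLE=sub.domain.tld; acme.sh --issue -d $DOMAINLE --dns dns_knot --ecc -k ec-384
+```
+
+## Install a certificate
+
+```bash
+# --cert-file <file> Path to copy the cert file to after issue/renew.
+# --key-file <file> Path to copy the key file to after issue/renew.
+# --ca-file <file> Path to copy the intermediate cert file to after issue/renew.
+# --fullchain-file <file> Path to copy the fullchain cert file to after issue/renew.
+# --reloadcmd <command> Command to execute after issue/renew to reload the server.
+
+DOMAINLE=sub.domain.tld
+CERTPATH=/etc/ssl/private/$DOMAINLE
+mkdir -p $CERTPATH
+acme.sh --install-cert -d $DOMAINLE --ecc \
+--fullchain-file $CERTPATH/fullchain.pem \
+--key-file $CERTPATH/privkey.pem \
+--ca-file $CERTPATH/chain.pem \
+--reloadcmd "/usr/bin/systemctl reload nginx.service"
+```
+
+## Set up notifications
+
+Follow instructions for [gotify notifications](https://code.strobeto.de/strobeltobias/acme.sh-notify-hooks#set-notification-for-gotify-webhooks) first.
+
+Enable notifications via mail (requires local MTA set up for sending mails) and gotify.
+
+```bash
+acme.sh --set-notify \
+--notify-hook mail \
+--notify-hook gotify \
+--notify-level 2 \
+--notify-mode 0
+```
+
+## Set correct permissions
+
+```bash
+usermod -a -G www-data acmeuser
+chown -R acmeuser:ssl-cert /etc/ssl/private
+chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
+chmod -R 750 /etc/ssl/private
+find /etc/ssl/private/ -type f -print0 | xargs -0 chmod 0640
+```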