Add instructions for acme.sh

This commit is contained in:
Tobias Strobel 2021-09-11 17:22:13 +02:00
parent ba70e648a6
commit 62f6effccd

88
acmesh.md Normal file
View file

@ -0,0 +1,88 @@
# acme.sh TLS Certificates
## Install acme.sh
Add separate user acmeuser.
```bash
adduser --disabled-login acmeuser
```
Install acme.sh as separate user acmeuser
```bash
mkdir /etc/acmesh
chown acmeuser /etc/acmesh
sudo -su acmeuser
# Run these commands as user acmeuser
cd ~
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install \
--home /etc/acmesh \
--accountemail "hostmaster@domain.tld"
cd ~ && rm -r acme.sh
source ~/.bashrc
acme.sh --set-default-ca --server letsencrypt
```
## Set up DNS validation with knsupdate (Knot)
Specify the DNS server which hosts your zone and the TSIG key which can update the zone via dynamic updates.
```bash
apt install -y knot-dnsutils
export KNOT_SERVER="dns.domain.tld"
export KNOT_KEY=hmac-sha512:sub.domain.tld:SuperSecretKey==
```
## Issue a certificate
```bash
DOMAINLE=sub.domain.tld; acme.sh --issue -d $DOMAINLE --dns dns_knot --ecc -k ec-384
```
## Install a certificate
```bash
# --cert-file <file> Path to copy the cert file to after issue/renew.
# --key-file <file> Path to copy the key file to after issue/renew.
# --ca-file <file> Path to copy the intermediate cert file to after issue/renew.
# --fullchain-file <file> Path to copy the fullchain cert file to after issue/renew.
# --reloadcmd <command> Command to execute after issue/renew to reload the server.
DOMAINLE=sub.domain.tld
CERTPATH=/etc/ssl/private/$DOMAINLE
mkdir -p $CERTPATH
acme.sh --install-cert -d $DOMAINLE --ecc \
--fullchain-file $CERTPATH/fullchain.pem \
--key-file $CERTPATH/privkey.pem \
--ca-file $CERTPATH/chain.pem \
--reloadcmd "/usr/bin/systemctl reload nginx.service"
```
## Set up notifications
Follow instructions for [gotify notifications](https://code.strobeto.de/strobeltobias/acme.sh-notify-hooks#set-notification-for-gotify-webhooks) first.
Enable notifications via mail (requires local MTA set up for sending mails) and gotify.
```bash
acme.sh --set-notify \
--notify-hook mail \
--notify-hook gotify \
--notify-level 2 \
--notify-mode 0
```
## Set correct permissions
```bash
usermod -a -G www-data acmeuser
chown -R acmeuser:ssl-cert /etc/ssl/private
chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
chmod -R 750 /etc/ssl/private
find /etc/ssl/private/ -type f -print0 | xargs -0 chmod 0640
```