acme.sh

Installation:

pkg install acme.sh

Configuration is in:

/var/db/acme/.acme.sh/account.conf

Certificates are stored in

/var/db/acme/certs/

Because the certificates are readable only by the acme user, an additional step is needed to make them available to dovecot/postfix/haproxy.

We do not modify any daemon; instead we let acme.sh write into a common, shared directory that each website uses, so whatever acme.sh does has no impact on any other service on your server.

Next we configure log rotation:

cp /usr/local/share/examples/acme.sh/acme.sh.conf /usr/local/etc/newsyslog.conf.d/

Make sure you uncomment this line in /usr/local/share/examples/acme.sh/acme.sh.conf:

/var/log/acme.sh.log  acme:acme       640  90    *    @T00   BC

Next, configure cron to renew your certificates automatically. For this we edit /etc/crontab:

# Renew certificates created by acme.sh
MAILTO="idefix"
7       2       *       *       *       acme    /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh > /dev/null

We need to create the log file (owned by acme, since the cron job runs as that user):

touch /var/log/acme.sh.log
chown acme /var/log/acme.sh.log

Allow acme to write the challenge files:

mkdir -p /usr/local/www/letsencrypt/.well-known/
chgrp acme /usr/local/www/letsencrypt/.well-known/
chmod g+w /usr/local/www/letsencrypt/.well-known/

Set up the acme.sh configuration by appending your account email to the account.conf in /var/db/acme/.acme.sh mentioned above:

echo ACCOUNT_EMAIL=\"name@yourdomain.tld\" >> account.conf

Hook in our own custom deploy scripts from https://gitlab.fechner.net/mfechner/letsencrypt_hooks. Make sure you create a config file, then symlink the hook:

cd /var/db/acme/.acme.sh/deploy
ln -s /usr/home/idefix/letsencrypt/create-haproxy-ssl-restart-all_acme.sh

Now we can create our first test certificates (run this as root; the first command issues an ECDSA certificate, the second an RSA one):

su -l acme -c "cd /var/db/acme && acme.sh --issue --test -k ec-256 -w /usr/local/www/letsencrypt --ocsp -d webmail.fechner.net -d wiki.idefix.fechner.net --deploy-hook create-haproxy-ssl-restart-all_acme"
su -l acme -c "cd /var/db/acme && acme.sh --issue --test -w /usr/local/www/letsencrypt --ocsp -d webmail.fechner.net -d wiki.idefix.fechner.net --deploy-hook create-haproxy-ssl-restart-all_acme"

Now you should find an RSA and an ECDSA certificate in:

/var/db/acme/certs

As we renew certificates for many domains, but tools like dovecot/postfix/haproxy expect a single directory or a single file, we need to prepare these files and copy them with the correct permissions to the destination folders.
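The final step described above, as an added example written for this page (it is not the hook from the linked letsencrypt_hooks repository): an acme.sh deploy hook that assembles the combined haproxy PEM (full chain followed by key) and copies chain and key into a shared directory with restrictive modes. The shared directory, the group variable and the hook name shared_acme are assumptions.

```shell
#!/bin/sh
# Example acme.sh deploy hook (added illustration, not the hook from the linked repo).
# acme.sh sources the hook file and calls <hookname>_deploy with these arguments:
#   $1 domain   $2 key file   $3 cert file   $4 CA chain file   $5 full chain file
# Saved as .../deploy/shared_acme.sh it is selected with --deploy-hook shared_acme (name assumed).

# Assumed shared directory the daemons read from, and an optional group for the key files.
# The acme user must be a member of that group for chgrp to succeed when running unprivileged.
SHARED_CERT_DIR="${SHARED_CERT_DIR:-/usr/local/etc/ssl/shared}"
SHARED_CERT_GROUP="${SHARED_CERT_GROUP:-}"

# haproxy wants one PEM: full chain followed by the private key. It is written to a
# temp file under a restrictive umask and then renamed, so readers never see a partial bundle.
build_haproxy_bundle() {
    _fullchain="$1"; _key="$2"; _out="$3"
    [ -s "$_fullchain" ] && [ -s "$_key" ] || return 1
    _tmp="${_out}.tmp.$$"
    ( umask 077; cat "$_fullchain" "$_key" > "$_tmp" ) || { rm -f "$_tmp"; return 1; }
    chmod 0640 "$_tmp" && mv -f "$_tmp" "$_out"
}

shared_acme_deploy() {
    _cdomain="$1"; _ckey="$2"; _cfullchain="$5"
    mkdir -p "$SHARED_CERT_DIR" || return 1
    # haproxy: combined bundle, owner/group readable only (it contains the key)
    build_haproxy_bundle "$_cfullchain" "$_ckey" "$SHARED_CERT_DIR/$_cdomain.pem" || return 1
    # postfix/dovecot: separate chain (public, 0644) and key (0640)
    install -m 0644 "$_cfullchain" "$SHARED_CERT_DIR/$_cdomain.fullchain.pem" || return 1
    install -m 0640 "$_ckey" "$SHARED_CERT_DIR/$_cdomain.key" || return 1
    if [ -n "$SHARED_CERT_GROUP" ]; then
        chgrp "$SHARED_CERT_GROUP" "$SHARED_CERT_DIR/$_cdomain.pem" \
            "$SHARED_CERT_DIR/$_cdomain.key" || return 1
    fi
    return 0
}
```

Restarting or reloading the daemons after the copy is left to the operator, as the page's own hook name suggests.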

freebsd/acme.sh.txt · Last modified: 2022/06/15 10:31 (external edit)