Diffstat (limited to 'static/howtos/HOWTO.LetsEncrypt')
-rw-r--r--static/howtos/HOWTO.LetsEncrypt59
1 files changed, 59 insertions, 0 deletions
diff --git a/static/howtos/HOWTO.LetsEncrypt b/static/howtos/HOWTO.LetsEncrypt
new file mode 100644
index 0000000..e88d31d
--- /dev/null
+++ b/static/howtos/HOWTO.LetsEncrypt
@@ -0,0 +1,59 @@
+(tried on Centos 6.9)
+
+yum install openssl-devel libbsd-devel gnutls-devel
+wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.0.tar.gz
+#build libreesl to /usr/local/
+make
+make install
+# follow https://spin.atomicobject.com/2016/09/20/openbsd-acme-client-lets-encrypt/
+cat >/etc/ld.so.conf.d/local.conf <<EOF
+/usr/local/lib/
+EOF
+ldconfig
+
+wget -O /etc/ssl/cert.pem 'https://raw.githubusercontent.com/libressl-portable/openbsd/master/src/lib/libcrypto/cert.pem'
+
+acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "DNS problem: query timed out looking up A for www.eurospider.com", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x0oE6rQYMBh6qQIisSzqZecrRFkED-7u7Y-vuid5kKw/1713819082", "token": "IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ", "keyAuthorization": "IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ.xbEUn0BT4rXH5TjxcmmW1Yjoyb1GWDrQEByNfXawgRc", "validationRecord": [ { "url": "http://www.eurospider.com/.well-known/acme-challenge/IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ", "hostname": "www.eurospider.com", "port": "80", "addressesResolved": [], "addressUsed": "", "addressesTried": [] } ] }] (792 bytes)
+
+CNAME DNS entries don't work, so we must provide the real machine as primary host,
+everything else as SANs.
+
+acme-client -v -n -N -F -b -e \
+ -C /var/www/acme \
+ -c /etc/ssl/acme \
+ -k /etc/ssl/acme/private/privkey.pem \
+ -f /etc/acme/privkey.pem www.eurospider.com eurospider.com innobib.news www.innobib.news www.tenders.ch
+
+-b create backups
+-F is to update even if the current certificate is still valid
+-e is needed to avoid revocation and expanding the list of SANs.
+
+webserver:
+
+main http.conf:
+
+<Directory "/var/www/acme/.well-known/">
+ Options None
+ AllowOverride None
+ Order Deny,Allow
+ Allow from All
+ Header add Content-Type text/plain
+</Directory>
+
+for every domain we want a certificate for (in the non-SSL-version of the virtual
+host configuration):
+
+Alias /.well-known/acme-challenge/ /var/www/acme/
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !=on
+ RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
+ RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+
+
+links
+-----
+
+https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/
+https://medium.com/chris-opperwall/using-acme-client-for-letsencrypt-on-freebsd-db0ee643ef1f
+https://kristaps.bsd.lv/acme-client/
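Review bot: the Apache `<Directory "/var/www/acme/.well-known/">` block does not cover the files that are actually served: `acme-client -C /var/www/acme` writes the challenge files directly into `/var/www/acme/`, and `Alias /.well-known/acme-challenge/ /var/www/acme/` maps requests there, so the `Options None` / `AllowOverride None` / `Allow from All` / `Header add Content-Type text/plain` settings apply to a `.well-known` subdirectory that nothing uses. Change the block to `<Directory "/var/www/acme/">` so the access and content-type rules apply to the served directory (and note that `Header add` requires mod_headers). Two smaller points in the same hunk: the LibreSSL steps jump from `wget` straight to `make` with no `tar xf` or `./configure --prefix=/usr/local`, so the comment "build libreesl to /usr/local/" (also misspelled) is not reproducible as written; and `wget -O /etc/ssl/cert.pem ...` silently overwrites whatever CA bundle is at that path, so the HOWTO should say to back it up first or point `acme-client` at a separate bundle. Finally, the pasted `acme-client: transfer buffer:` line carries a real challenge URI, `token` and `keyAuthorization` for an invalid attempt; these are short-lived but add nothing to the instruction, so replace them with placeholders and keep only the `"DNS problem: query timed out looking up A for ..."` detail that motivates the CNAME remark.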