path: root/static/howtos/HOWTO.LetsEncrypt
blob: e88d31d074df34fd2f4ffec3700bb3c418d546e0 (plain)
(tried on CentOS 6.9)

yum install openssl-devel libbsd-devel gnutls-devel
wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.0.tar.gz
# build libressl to /usr/local/ (unpack, configure for that prefix, build, install)
tar xzf libressl-2.6.0.tar.gz
cd libressl-2.6.0
./configure --prefix=/usr/local
make
make install
# follow https://spin.atomicobject.com/2016/09/20/openbsd-acme-client-lets-encrypt/
# let the dynamic linker find the LibreSSL libraries under /usr/local/lib
cat >/etc/ld.so.conf.d/local.conf <<EOF
/usr/local/lib/
EOF
ldconfig

# CA bundle that acme-client uses to verify the TLS connection to the Let's Encrypt API
wget -O /etc/ssl/cert.pem 'https://raw.githubusercontent.com/libressl-portable/openbsd/master/src/lib/libcrypto/cert.pem'

acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "DNS problem: query timed out looking up A for www.eurospider.com", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/x0oE6rQYMBh6qQIisSzqZecrRFkED-7u7Y-vuid5kKw/1713819082", "token": "IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ", "keyAuthorization": "IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ.xbEUn0BT4rXH5TjxcmmW1Yjoyb1GWDrQEByNfXawgRc", "validationRecord": [ { "url": "http://www.eurospider.com/.well-known/acme-challenge/IzPOcU-2sFKk65DAk3egE1g2j17f9K3V_pcG0KvrfjQ", "hostname": "www.eurospider.com", "port": "80", "addressesResolved": [], "addressUsed": "", "addressesTried": [] } ] }] (792 bytes)

CNAME DNS entries don't work, so we must give the real machine's hostname as the
primary host (the first domain on the command line, which becomes the certificate's
common name) and everything else as SANs.

acme-client -v -n -N -F -b -e \
	-C /var/www/acme \
	-c /etc/ssl/acme \
	-k /etc/ssl/acme/private/privkey.pem \
	-f /etc/acme/privkey.pem www.eurospider.com eurospider.com innobib.news www.innobib.news www.tenders.ch

-b create backups
-F update even if the current certificate is still valid
-e allow the list of SANs to be expanded, so the existing certificate does not have to be revoked first

webserver:

main http.conf:

<Directory "/var/www/acme/.well-known/">
        Options None
        AllowOverride None
        # httpd 2.2 access control, as shipped with CentOS 6
        Order Deny,Allow
        Allow from All
        # needs mod_headers
        Header add Content-Type text/plain
</Directory>

for every domain we want a certificate for (in the non-SSL-version of the virtual
host configuration):

Alias /.well-known/acme-challenge/ /var/www/acme/

# redirect everything except the ACME challenge path to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
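A pre-flight check for the setup above, added here as an example (it is not part of
the HOWTO and not shipped with acme-client). Before running acme-client it does, per
domain, what the CA's http-01 validation will do: it checks that an A record resolves
(the "DNS problem" error shown earlier fails at this step) and then drops a constructed
token into the challenge directory and fetches it back over plain HTTP, which proves
that the Alias, the <Directory> block and the HTTPS redirect exemption really serve
/.well-known/acme-challenge/. Assumptions: CHALLENGEDIR defaults to the -C directory
from the acme-client call above, FETCH_CMD and RESOLVE_CMD (curl and getent by default)
can be overridden, and the token name and its content are constructed by the script.

```shell
#!/bin/sh
# Pre-flight http-01 check (added example, not from the HOWTO or acme-client).
# Assumed, overridable settings: the -C challenge directory, a fetcher that prints
# a URL's body to stdout, and a resolver that succeeds when a name has an address.
CHALLENGEDIR="${CHALLENGEDIR:-/var/www/acme}"
FETCH_CMD="${FETCH_CMD:-curl -fsS --max-time 10}"
RESOLVE_CMD="${RESOLVE_CMD:-getent hosts}"

# resolves_a DOMAIN -> 0 if the name resolves to an address, 1 otherwise
resolves_a() {
    $RESOLVE_CMD "$1" >/dev/null 2>&1
}

# challenge_url DOMAIN TOKEN -> the URL the CA requests during http-01 validation
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# check_domain DOMAIN -> 0 if DNS resolves and the token round-trips over HTTP
check_domain() {
    domain="$1"
    token="preflight-$(date +%s)-$$"        # constructed token file name
    expected="preflight-ok-$domain"         # constructed token content
    if ! resolves_a "$domain"; then
        echo "FAIL $domain: no address resolves (the CA will report a DNS problem)" >&2
        return 1
    fi
    printf '%s' "$expected" > "$CHALLENGEDIR/$token" || return 1
    got="$($FETCH_CMD "$(challenge_url "$domain" "$token")" 2>/dev/null)"
    rm -f "$CHALLENGEDIR/$token"            # never leave test tokens behind
    if [ "$got" = "$expected" ]; then
        echo "ok   $domain"
        return 0
    fi
    echo "FAIL $domain: token not served (check Alias, <Directory> and the RewriteCond exemption)" >&2
    return 1
}

# check_all DOMAIN... -> 0 only if every domain passes; counts failures
check_all() {
    failed=0
    for d in "$@"; do
        check_domain "$d" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

# Run with the same list handed to acme-client, primary host first, e.g.
#   ./preflight.sh www.eurospider.com eurospider.com innobib.news www.innobib.news www.tenders.ch
if [ $# -gt 0 ]; then
    check_all "$@"
fi
```

Run it as root (it has to write into the challenge directory) and only start acme-client once every domain prints "ok"; a failing domain is cheaper to fix here than by reading acme-client's transfer buffer afterwards.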


links
-----

https://www.metachris.com/2015/12/comparison-of-10-acme-lets-encrypt-clients/
https://medium.com/chris-opperwall/using-acme-client-for-letsencrypt-on-freebsd-db0ee643ef1f
https://kristaps.bsd.lv/acme-client/