Posted at: 2020-08-30 23:00 CEST
Length: 625 words (3 minutes)
Tags: [ web, ssl, nginx ]
Once upon a time, the web was wild. I mean, it still is, but some people have tried to make order from it and set up boundaries. Once upon a time, all data sent over the web was plain to see for everyone who dared to look. This wasn't all too great when people started using passwords to log in to places, or doing their banking online. So some people set out to make sure the data being sent from place to place (i.e. from your web browser or other client to whichever server you connect to, and back again) could not be spied upon.
This sounds all good and nice, but getting a valid certificate costs a bit. At least it did until Let's Encrypt arrived. Now everyone can get valid certificates for free, provided they figure out how to get it working, and that's what I set out to do today since I plan on exposing some of my machines to the wide open internet.
Having looked around a little bit, I found the acme.sh client, and figured that it was good enough. I've decided to use my web server to get the certificate, and then distribute it from there to other machines that need it.
Installing on FreeBSD is simple enough:
# pkg install acme.sh
There are multiple tutorials online on how to get going with acme.sh and how it works, so I'll not go over that here, save for one gotcha that I couldn't find a reference to. Possibly it doesn't occur on Linux, which I guess is what most people use: I had to copy the folder with the DNS API files to the home folder of root (as root is the user that'll run acme.sh). Also, set the permissions on the .acme.sh folder so that it's only usable by root, because I don't want anyone other than me getting access to my private key. Not that anyone else should have access to my server anyway, but it certainly doesn't hurt to restrict access.
# mkdir ~/.acme.sh
# chmod 700 ~/.acme.sh
# cp -r /usr/local/share/examples/acme.sh/dnsapi ~/.acme.sh/
Now I'm ready to test. Since I use the Swedish domain registrar Loopia, and decided to use acme.sh's DNS mode, I use the variable names suitable for them. acme.sh reads them from its environment, so they have to be exported (with setenv rather than set if root's shell is csh):
# export LOOPIA_User="********@loopiaapi"
# export LOOPIA_Password="********************"
# acme.sh --test --issue --debug -d "*.ops-area.net" -d "ops-area.net" --dns dns_loopia
Do note that Loopia seems to have a bug (or had one a while ago when I first messed about with this; I don't know if they've fixed it since): the API user's username must be in lower-case when logging in, regardless of how you created it in their web interface.
The --dns option should (according to acme.sh --help) be able to take a path to a DNS API file, but it would not work if I used /usr/local/share/examples/acme.sh/dnsapi/dns_loopia.sh, thus the need to copy it to ~/.acme.sh/ first.
Anyway. That works fine. Now to make it real and automate it, because I'm lazy and don't want to need to think about it every three months. Everything that can be automated, should.
# mkdir -p /usr/local/etc/nginx/certs/keys
# chmod 700 /usr/local/etc/nginx/certs/keys
# acme.sh --issue -d "*.ops-area.net" -d "ops-area.net" --dns dns_loopia
# acme.sh --install-cert -d "*.ops-area.net" --cert-file /usr/local/etc/nginx/certs/ops-area.net.cer --key-file /usr/local/etc/nginx/certs/keys/ops-area.net.key --reloadcmd "service nginx restart"
For automation, I first create a script with everything I want done...
# touch /usr/local/sbin/acme-renew.sh
# chmod 700 /usr/local/sbin/acme-renew.sh
# edit /usr/local/sbin/acme-renew.sh
acme.sh --renew -d "*.ops-area.net" -d "ops-area.net" --dns dns_loopia
acme.sh --install-cert -d "*.ops-area.net" --cert-file /usr/local/etc/nginx/certs/ops-area.net.cer --key-file /usr/local/etc/nginx/certs/keys/ops-area.net.key --reloadcmd "service nginx restart"
... and then edit /etc/crontab to set that script to run every second month.
30 0 1 2/2 * root /usr/local/sbin/acme-renew.sh
And now I just hope it works.
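Putting the pieces from the steps above together (the owner-only .acme.sh and keys folders, the exported Loopia credentials, and the renew-plus-install pair that the cron job runs), here is a hypothetical version of acme-renew.sh as an added example; it is not the post's own script. It assumes acme.sh is in PATH (override with ACME), that the credentials live in an owner-only file named loopia.env (my name, not something acme.sh looks for) instead of being typed at the prompt, and that nginx is managed with service(8) as on FreeBSD. The domain and directories are the ones used in the post.

```shell
#!/bin/sh
# Hypothetical renewal script (added example, not the post's acme-renew.sh).
# Assumes: acme.sh in PATH (or ACME set), Loopia credentials in an owner-only
# file of NAME=value lines (CRED_FILE), nginx managed via service(8).
set -eu

DOMAIN="ops-area.net"
ACME="${ACME:-acme.sh}"
ACME_HOME="${ACME_HOME:-${HOME:-/root}/.acme.sh}"
CRED_FILE="${CRED_FILE:-$ACME_HOME/loopia.env}"   # constructed file name
CERT_DIR="${CERT_DIR:-/usr/local/etc/nginx/certs}"

# Succeed only if the path exists, is owned by the invoking user and has no
# group/other permission bits (700 for a directory, 600 for a file). Parsing
# POSIX `ls -ld` output keeps this portable between FreeBSD and Linux stat(1).
private_only() {
    path="$1"
    [ -e "$path" ] || { echo "refusing: $path does not exist" >&2; return 1; }
    set -- $(ls -ld "$path")          # $1 = mode string, $3 = owner
    case "$1" in
        [d-]???------*) ;;            # any owner bits, nothing for group/other
        *) echo "refusing: $path has mode $1, want owner-only" >&2; return 1 ;;
    esac
    if [ "$3" != "$(id -un)" ]; then
        echo "refusing: $path is owned by $3, not $(id -un)" >&2
        return 1
    fi
}

# Read LOOPIA_User and LOOPIA_Password from CRED_FILE and export them. acme.sh
# runs as a separate /bin/sh process and reads these from its environment, so
# a csh `set` or an unexported sh assignment would never reach it.
load_credentials() {
    private_only "$CRED_FILE"
    set -a
    . "$CRED_FILE"
    set +a
}

# Renew if due, then install for nginx. --fullchain-file rather than
# --cert-file, because nginx's ssl_certificate must carry the intermediate for
# clients to validate the chain; `reload` rather than `restart` keeps the old
# workers serving if the new configuration fails nginx's own check.
renew_and_install() {
    private_only "$ACME_HOME"
    private_only "$CERT_DIR/keys"
    rc=0
    "$ACME" --renew -d "*.$DOMAIN" -d "$DOMAIN" --dns dns_loopia || rc=$?
    # acme.sh exits 2 when the certificate is not yet due for renewal; that is
    # not an error, anything else non-zero is.
    if [ "$rc" -eq 2 ]; then
        echo "certificate not due yet, nothing to install"
        return 0
    elif [ "$rc" -ne 0 ]; then
        return "$rc"
    fi
    "$ACME" --install-cert -d "*.$DOMAIN" \
        --fullchain-file "$CERT_DIR/$DOMAIN.fullchain.cer" \
        --key-file "$CERT_DIR/keys/$DOMAIN.key" \
        --reloadcmd "service nginx reload"
}

# Only act when invoked as `acme-renew.sh run`, so the functions can be
# sourced and exercised without touching the real certificates.
if [ "${1:-}" = "run" ]; then
    load_credentials
    renew_and_install
fi
```

Invoke it from the crontab entry as `/usr/local/sbin/acme-renew.sh run`. Because acme.sh --renew only renews a certificate it considers due (60 days after issue by default) and otherwise exits with status 2, which the script treats as success, the job can be scheduled daily without churning certificates; a fixed two-month interval that lands a day short of the 60-day mark skips, and the following attempt two months later comes after the 90-day certificate has expired.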
Copyright © 2020 Carl K.H.