userdoc:tt_acme_certificates [2017/09/01 09:42] abelbeck [Issuing Certificates] |
userdoc:tt_acme_certificates [2020/09/07 11:31] abelbeck |
AstLinux now supports generating [[https://letsencrypt.org|Let's Encrypt]] certificates using the [[wp>Automated_Certificate_Management_Environment|ACME]] protocol. | AstLinux now supports generating [[https://letsencrypt.org|Let's Encrypt]] certificates using the [[wp>Automated_Certificate_Management_Environment|ACME]] protocol. |
| |
AstLinux uses the ''acme-client'' command as a front-end to the core ''acme.sh'' script provided by the [[https://github.com/Neilpang/acme.sh|acme.sh]] project. The ''acme-client'' command limits issued certificates to only use DNS challenge validation, as such you need a supported DNS provider, of which there are well over 20 as of this writing. | AstLinux uses the ''acme-client'' command as a front-end to the core ''acme.sh'' script provided by the [[https://github.com/acmesh-official/acme.sh|acme.sh]] project. The ''acme-client'' command limits issued certificates to only use DNS challenge validation, as such you need a supported DNS provider, of which there are well over 20 as of this writing. |
| |
The Command Line Interface (CLI) must be used to initially issue and deploy ACME certificates. | The Command Line Interface (CLI) must be used to initially issue and deploy ACME certificates. |
| |
The "ACME Account Email Address" registration email address is used for expiry notifications, while optional it seems like a good idea to specify. | The "ACME Account Email Address" registration email address is used for expiry notifications, while optional it seems like a good idea to specify. |
| |
| !!Note -> AstLinux 1.4.0!! or later, the "ACME Account Email Address" can be used for renewal notifications, for example: |
| |
| acme-client --set-notify --notify-hook mail --notify-level 2 |
| |
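Review bot: the new "!!Note -> AstLinux 1.4.0!! or later" row and its ''acme-client --set-notify --notify-hook mail --notify-level 2'' command duplicate the "Enable renewal notifications via email" step added further down with the identical command, and nothing near this row says what level 2 sends (only the later Tip explains levels 1 and 0); suggest keeping the full command in one place, stating here what ''--notify-level 2'' covers, and giving the command the same ''pbx4 ~ #'' prompt the other CLI examples use. The bold marker also swallows the version and leaves "or later" outside it, unlike ''!!Note ->!!'' elsewhere on the page; suggest ''!!Note ->!! AstLinux 1.4.0 or later, the "ACME Account Email Address" can be used for renewal notifications, for example:''.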
!!Tip ->!! Clicking on the blue ''(i)'' icon will display topic information text similar to this documentation page. | !!Tip ->!! Clicking on the blue ''(i)'' icon will display topic information text similar to this documentation page. |
| |
pbx4 ~ # acme-client --version | pbx4 ~ # acme-client --version |
https://github.com/Neilpang/acme.sh | https://github.com/acmesh-official/acme.sh |
v2.7.2 | v2.8.7 |
| |
Only DNS challenge validation is supported within AstLinux, as such you need a supported DNS provider, in this example we are using Cloudflare. We need to export the ''CF_Key'' and ''CF_Email'' variables, adjust to match your credentials ... | Only DNS challenge validation is supported within AstLinux, as such you need a supported DNS provider, in this example we are using Cloudflare. We need to export the ''CF_Key'' and ''CF_Email'' variables, adjust to match your credentials ... |
pbx4 ~ # export CF_Email="email@example.com" | pbx4 ~ # export CF_Email="email@example.com" |
| |
Other DNS providers require different exported variables, see the [[https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md|DNS API]] documentation for the details.\\ | Other DNS providers require different exported variables, see the [[https://github.com/acmesh-official/acme.sh/wiki/dnsapi|DNS API]] documentation for the details.\\ |
!!Tip ->!! Mentally replace ''acme.sh'' with ''acme-client'' when referencing the acme.sh documentation. | !!Tip ->!! Mentally replace ''acme.sh'' with ''acme-client'' when referencing the acme.sh documentation. |
| |
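Review bot: the three link updates (the acme.sh project link in the prose, the ''--version'' output, and the DNS API link) consistently move from ''Neilpang/acme.sh'' to ''acmesh-official'', but the DNS API target changes from a file in the repository (''blob/master/dnsapi/README.md'') to the wiki page ''wiki/dnsapi''; suggest re-checking that the following Tip ("Mentally replace ''acme.sh'' with ''acme-client''") still matches the wiki's command examples, and dropping or dating the "well over 20 as of this writing" provider count in the prose row, which was written against v2.7.2 and is now shown beside v2.8.7 output.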
!!Note ->!! The DNS challenge validation credentials remain stored in the ''/mnt/kd/acme/account.conf'' file so auto-renewals can be performed via ''cron''. | !!Note ->!! The DNS challenge validation credentials remain stored in the ''/mnt/kd/acme/account.conf'' file so auto-renewals can be performed via ''cron''. |
| |
!!Special Note ->!! Depending on the acme.sh DNS provider script, some scripts store the exported credentials variable names exactly in ''/mnt/kd/acme/account.conf'' and others prepend ''SAVED_'' to the variable names. When the credentials variable names are stored exactly any changes to the credentials must be done by editing ''/mnt/kd/acme/account.conf''. When the credentials variable names have ''SAVED_'' prepended you may use ''export ...'' later to change the saved credentials. | !!Special Note ->!! Depending on the acme.sh DNS provider script, some scripts store the exported credentials variable names exactly in ''/mnt/kd/acme/account.conf'' and others prepend ''SAVED_'' to the variable names. When the credentials variable names are stored exactly any later changes to the credentials must be done by editing ''/mnt/kd/acme/account.conf''. When the credentials variable names have ''SAVED_'' prepended you may use ''export ...'' later to change the saved credentials. |
| |
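Review bot: the Special Note's wording change ("any later changes") is fine, but this note and the one above it together document that the exported DNS API credentials (''CF_Key'' and ''CF_Email'' in the Cloudflare example) persist in ''/mnt/kd/acme/account.conf'' for cron renewals without saying who may read that file; since ''CF_Key'' is an account-wide credential, suggest adding a sentence on the expected ownership and permissions of ''account.conf'' (root-only) and a pointer to the narrowest credential the chosen provider script supports, so the renewal secret is not more powerful than the DNS challenge needs.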
\\ | \\ |
| |
pbx4 ~ # acme-client --remove -d pbx4.example.org | pbx4 ~ # acme-client --remove -d pbx4.example.org |
| |
| Enable renewal notifications via email, (AstLinux 1.4.0 or later) |
| |
| pbx4 ~ # acme-client --set-notify --notify-hook mail --notify-level 2 |
| |
| !!Tip ->!! As above, with ''--notify-level 1'' only email errors and ''--notify-level 0'' disables email notifications |
| |
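Review bot: the Tip in this hunk ("As above, with ''--notify-level 1'' only email errors and ''--notify-level 0'' disables email notifications") is a sentence fragment with no terminating period; suggest "As above, with ''--notify-level 1'' only errors are emailed, and ''--notify-level 0'' disables email notifications." The heading-style row "Enable renewal notifications via email, (AstLinux 1.4.0 or later)" has a stray comma before the parenthesis, and the whole step is placed directly after the ''acme-client --remove -d pbx4.example.org'' example; suggest moving it next to the issuing or renewal steps so readers do not enable notifications right after the certificate-removal example.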
\\ | \\ |