userdoc:tt_acme_certificates [2017/09/01 09:42] abelbeck [Issuing Certificates] |
userdoc:tt_acme_certificates [2025/02/05 05:16] (current) mkeuter [ACME (Let's Encrypt) Certificates] |
AstLinux now supports generating [[https://letsencrypt.org|Let's Encrypt]] certificates using the [[wp>Automated_Certificate_Management_Environment|ACME]] protocol. | AstLinux now supports generating [[https://letsencrypt.org|Let's Encrypt]] certificates using the [[wp>Automated_Certificate_Management_Environment|ACME]] protocol. |
| |
AstLinux uses the ''acme-client'' command as a front-end to the core ''acme.sh'' script provided by the [[https://github.com/Neilpang/acme.sh|acme.sh]] project. The ''acme-client'' command limits issued certificates to DNS challenge validation only, so you need a supported DNS provider, of which there are well over 20 as of this writing. | AstLinux uses the ''acme-client'' command as a front-end to the core ''acme.sh'' script provided by the [[https://github.com/acmesh-official/acme.sh|acme.sh]] project. The ''acme-client'' command limits issued certificates to DNS challenge validation only, so you need a supported DNS provider, of which there are well over 20 as of this writing. |
| |
The Command Line Interface (CLI) must be used to initially issue and deploy ACME certificates. | The Command Line Interface (CLI) must be used to initially issue and deploy ACME certificates. |
| |
!!Note: AstLinux 1.3.0 or later is required!! | !!Note: AstLinux 1.3.0 or later is required!! |
| |
| \\ |
| |
| !!Note:!! From June 2025 on, Let's Encrypt no longer sends expiration/renewal emails automatically. |
| |
| You can use the 3rd-party service [[https://redsift.com/pulse-platform/certificates-lite|Red Sift Certificates Lite]], which is free for up to 250 certs. |
| |
| |
\\ | \\ |
| |
The "ACME Account Email Address" registration email address is used for expiry notifications; while optional, it is a good idea to specify it. | The "ACME Account Email Address" registration email address is used for expiry notifications; while optional, it is a good idea to specify it. |
| |
| !!Note ->!! On AstLinux 1.4.0 or later, the "ACME Account Email Address" can also be used for renewal notifications; more info: **[[userdoc:tt_acme_certificates#additional_cli_commands|Additional CLI Commands]]**. |
| |
!!Tip ->!! Clicking on the blue ''(i)'' icon will display topic information text similar to this documentation page. | !!Tip ->!! Clicking on the blue ''(i)'' icon will display topic information text similar to this documentation page. |
| |
pbx4 ~ # acme-client --version | pbx4 ~ # acme-client --version |
https://github.com/Neilpang/acme.sh | https://github.com/acmesh-official/acme.sh |
v2.7.2 | v2.8.7 |
| |
Only DNS challenge validation is supported within AstLinux, so you need a supported DNS provider; in this example we are using Cloudflare. Export the ''CF_Key'' and ''CF_Email'' variables, adjusted to match your credentials ... | Only DNS challenge validation is supported within AstLinux, so you need a supported DNS provider; in this example we are using Cloudflare. Export the ''CF_Key'' and ''CF_Email'' variables, adjusted to match your credentials ... |
pbx4 ~ # export CF_Email="email@example.com" | pbx4 ~ # export CF_Email="email@example.com" |
| |
Other DNS providers require different exported variables, see the [[https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md|DNS API]] documentation for the details.\\ | Other DNS providers require different exported variables, see the [[https://github.com/acmesh-official/acme.sh/wiki/dnsapi|DNS API]] documentation for the details.\\ |
!!Tip ->!! Mentally replace ''acme.sh'' with ''acme-client'' when referencing the acme.sh documentation. | !!Tip ->!! Mentally replace ''acme.sh'' with ''acme-client'' when referencing the acme.sh documentation. |
| |
!!Note ->!! The DNS challenge validation credentials remain stored in the ''/mnt/kd/acme/account.conf'' file so auto-renewals can be performed via ''cron''. | !!Note ->!! The DNS challenge validation credentials remain stored in the ''/mnt/kd/acme/account.conf'' file so auto-renewals can be performed via ''cron''. |
| |
!!Special Note ->!! Depending on the acme.sh DNS provider script, some scripts store the exported credential variable names exactly in ''/mnt/kd/acme/account.conf'' and others prepend ''SAVED_'' to the variable names. When the credential variable names are stored exactly, any changes to the credentials must be done by editing ''/mnt/kd/acme/account.conf''. When the credential variable names have ''SAVED_'' prepended, you may use ''export ...'' later to change the saved credentials. | !!Special Note ->!! Depending on the acme.sh DNS provider script, some scripts store the exported credential variable names exactly in ''/mnt/kd/acme/account.conf'' and others prepend ''SAVED_'' to the variable names. When the credential variable names are stored exactly, any later changes to the credentials must be done by editing ''/mnt/kd/acme/account.conf''. When the credential variable names have ''SAVED_'' prepended, you may use ''export ...'' later to change the saved credentials. |
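The exported-credential and ''account.conf'' behaviour described above, as an added example (not part of the AstLinux documentation or the acme.sh project): a small POSIX sh helper that reports whether a DNS API credential is persisted under its exact name or with the ''SAVED_'' prefix, and checks that the file holding those secrets is not readable by other users. The ''/mnt/kd/acme/account.conf'' path is the one quoted on this page; the sample file contents and variable names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not AstLinux/acme.sh code. Classifies how a DNS API credential
# is stored in an acme.sh account.conf and checks the file's permissions.

# cred_storage FILE VAR -> prints "exact", "saved", or "none"
cred_storage() {
    file=$1
    var=$2
    if grep -q "^${var}=" "$file" 2>/dev/null; then
        echo exact      # stored under its own name: edit the file to change it
    elif grep -q "^SAVED_${var}=" "$file" 2>/dev/null; then
        echo saved      # stored with SAVED_ prefix: a later "export VAR=..." updates it
    else
        echo none       # not persisted: cron auto-renewals would lack this credential
    fi
}

# perms_ok FILE -> returns 0 only if the file is not group/world readable
perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400|700|500) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample account.conf (fake values), standing in for
# /mnt/kd/acme/account.conf on a real AstLinux box.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
ACCOUNT_EMAIL='email@example.com'
SAVED_CF_Key='0123456789abcdef'
SAVED_CF_Email='email@example.com'
EOF
chmod 600 "$demo_conf"

for v in CF_Key CF_Email AWS_ACCESS_KEY_ID; do
    echo "$v: $(cred_storage "$demo_conf" "$v")"
done
if perms_ok "$demo_conf"; then
    echo "permissions ok"
else
    echo "WARNING: account.conf is readable by other users"
fi
rm -f "$demo_conf"
```

Run it against the real file by replacing ''demo_conf'' with ''/mnt/kd/acme/account.conf''; a ''saved'' result means a fresh ''export'' will be picked up, an ''exact'' result means you must edit the file.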
| |
\\ | \\ |
pbx4 ~ # acme-client --install-cronjob | pbx4 ~ # acme-client --install-cronjob |
acme-client: Successfully added cron entry. | acme-client: Successfully added cron entry. |
| |
| |
\\ | \\ |
| |
pbx4 ~ # acme-client --remove -d pbx4.example.org | pbx4 ~ # acme-client --remove -d pbx4.example.org |
| |
| Enable renewal notifications via email (AstLinux 1.4.0 or later): |
| |
| pbx4 ~ # acme-client --set-notify --notify-hook mail --notify-level 2 |
| |
| !!Tip ->!! As above, but with ''--notify-level 1'' only errors are emailed, and ''--notify-level 0'' disables email notifications. |
| |
\\ | \\ |