userdoc:tt_acme_certificates [2020/09/07 11:28] abelbeck [Issuing Certificates] |
userdoc:tt_acme_certificates [2020/09/07 11:34] (current) abelbeck [ACME Configuration] |
AstLinux now supports generating [[https://letsencrypt.org|Let's Encrypt]] certificates using the [[wp>Automated_Certificate_Management_Environment|ACME]] protocol. | AstLinux now supports generating [[https://letsencrypt.org|Let's Encrypt]] certificates using the [[wp>Automated_Certificate_Management_Environment|ACME]] protocol. |
| |
AstLinux uses the ''acme-client'' command as a front-end to the core ''acme.sh'' script provided by the [[https://github.com/Neilpang/acme.sh|acme.sh]] project. The ''acme-client'' command limits issued certificates to only use DNS challenge validation, as such you need a supported DNS provider, of which there are well over 20 as of this writing. | AstLinux uses the ''acme-client'' command as a front-end to the core ''acme.sh'' script provided by the [[https://github.com/acmesh-official/acme.sh|acme.sh]] project. The ''acme-client'' command limits issued certificates to only use DNS challenge validation, as such you need a supported DNS provider, of which there are well over 20 as of this writing. |
| |
The Command Line Interface (CLI) must be used to initially issue and deploy ACME certificates. | The Command Line Interface (CLI) must be used to initially issue and deploy ACME certificates. |
The "ACME Account Email Address" registration email address is used for expiry notifications, while optional it seems like a good idea to specify. | The "ACME Account Email Address" registration email address is used for expiry notifications, while optional it seems like a good idea to specify. |
| |
!!Note -> AstLinux 1.4.0!! or later, the "ACME Account Email Address" can be used for renewal notifications, for example: | !!Note -> AstLinux 1.4.0!! or later, the "ACME Account Email Address" can be used for renewal notifications, more info: **[[userdoc:tt_acme_certificates#additional_cli_commands|Additional CLI Commands]]**. |
| |
acme-client --set-notify --notify-hook mail --notify-level 2 | |
| |
!!Tip ->!! Clicking on the blue ''(i)'' icon will display topic information text similar to this documentation page. | !!Tip ->!! Clicking on the blue ''(i)'' icon will display topic information text similar to this documentation page. |
| |
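Review bot: the rewritten note on the "AstLinux 1.4.0 or later" line drops the only worked invocation in this section, ''acme-client --set-notify --notify-hook mail --notify-level 2'', in favour of a link to ''userdoc:tt_acme_certificates#additional_cli_commands''. That target section is not visible in this diff, so confirm that it exists in this revision and carries the same command with its ''--notify-level'' value. Otherwise readers lose the example. The new sentence also joins two clauses with a comma before "more info:". Splitting it into two sentences, the second one being "See Additional CLI Commands for details.", would read more cleanly.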
pbx4 ~ # acme-client --version | pbx4 ~ # acme-client --version |
https://github.com/Neilpang/acme.sh | https://github.com/acmesh-official/acme.sh |
v2.7.2 | v2.8.7 |
| |
Only DNS challenge validation is supported within AstLinux, as such you need a supported DNS provider, in this example we are using Cloudflare. We need to export the ''CF_Key'' and ''CF_Email'' variables, adjust to match your credentials ... | Only DNS challenge validation is supported within AstLinux, as such you need a supported DNS provider, in this example we are using Cloudflare. We need to export the ''CF_Key'' and ''CF_Email'' variables, adjust to match your credentials ... |
pbx4 ~ # export CF_Email="email@example.com" | pbx4 ~ # export CF_Email="email@example.com" |
| |
Other DNS providers require different exported variables, see the [[https://github.com/acmesh-official/acme.sh/wiki/dnsapi/README.md|DNS API]] documentation for the details.\\ | Other DNS providers require different exported variables, see the [[https://github.com/acmesh-official/acme.sh/wiki/dnsapi|DNS API]] documentation for the details.\\ |
!!Tip ->!! Mentally replace ''acme.sh'' with ''acme-client'' when referencing the acme.sh documentation. | !!Tip ->!! Mentally replace ''acme.sh'' with ''acme-client'' when referencing the acme.sh documentation. |
| |
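Review bot: the paragraph above the changed DNS API link tells the reader to export both ''CF_Key'' and ''CF_Email'', but only the ''export CF_Email="email@example.com"'' line is visible in the context here. Check that the matching ''CF_Key'' export line is still present directly above it in the page, so that the example agrees with the sentence that introduces it. In the same region, the sample ''acme-client --version'' output now shows v2.8.7, which will go stale with the next update. A short remark that the version shown is only an example would save future edits.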