Changes

From SME Server
Jump to navigationJump to search
5,160 bytes added ,  07:06, 20 June 2022
Line 54: Line 54:     
Which API version to use
 
Which API version to use
 +
 +
== Manual Installation of Dehydrated ==
 +
 +
 +
{{warning box| the following is not to be executed if you have installed the smeserver-letsencrypt contrib rpm as it is already handled by the contrib}}
 +
As discussed above, dehydrated is a lightweight ACME client that's implemented as a BASH script.  It has very few dependencies, and is a better fit for the "SME way" of doing things than the official certbot client.  If you'd prefer to configure it manually, rather than installing the contrib described above, you may do so manually or by pulling a copy of the latest version using git.
 +
 +
===Install of Dehydrated rpm from smecontrib repository===
 +
The dehydrated script has been imported into the contribs repository and can be installed as follows:
 +
 +
yum --enablerepo=smecontribs install dehydrated
 +
 +
The script must be configured as described below.
 +
 +
===Git install of latest version===
 +
 +
If you need or want the absolute latest version of the script then you can manually install as follows:
 +
 +
Begin by installing git:
 +
yum install git
 +
 +
Then download the Dehydrated client:
 +
cd /etc
 +
git clone https://github.com/lukas2511/dehydrated
 +
mv dehydrated/dehydrated /usr/local/bin/
 +
 +
===Manual Configuration of Dehydrated===
 +
 +
You'll need to create two configuration files for Dehydrated.
 +
cd /etc/dehydrated
 +
mkdir -p /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
 +
nano -w domains.txt
 +
 +
In this file, you'll list every hostname that you want your certificate to cover, all on one line.  It will look like this:
 +
domain1.com www.domain1.com mail.domain1.com domain2.net www.domain2.net domain3.org ftp.domain3.org
 +
Ctrl-X to exit, Y to save.
 +
 +
Second, you'll need to create the configuration file '''config''':
 +
nano -w config
 +
 +
It should look like this:
 +
#!/bin/bash
 +
# config
 +
# CA="https://acme-staging.api.letsencrypt.org/directory"
 +
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
 +
HOOK="/usr/local/bin/dehydrated-hook"
 +
# E-mail to use during the registration (default: <unset>)
 +
CONTACT_EMAIL="admin@yourdomain.com"
 +
 +
Ctrl-X to exit, Y to save.
 +
 +
For testing purposes, it's recommended that you uncomment the third line (so it begins with "CA=").  Any certificates issued while testing will not be trusted, but they will also not count against your rate limits.  Once your configuration is set, you can comment out that line and re-run dehydrated.
 +
 +
You'll need to create a custom "hook" script to set the config database up properly, and to trigger reloads of your system services when a certificate is issued or renewed.
 +
nano /usr/local/bin/dehydrated-hook
 +
 +
Its contents should look like this:
 +
#!/bin/bash
 +
 +
if [ $1 = "deploy_cert" ]; then
 +
  KEY=$3
 +
  CERT=$4
 +
  CHAIN=$6
 +
  /sbin/e-smith/db configuration setprop modSSL key $KEY
 +
  /sbin/e-smith/db configuration setprop modSSL crt $CERT
 +
  /sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
 +
  /sbin/e-smith/signal-event ssl-update
 +
fi
 +
 +
Ctrl-X to exit, Y to save.  Then make it executable:
 +
chmod +x /usr/local/bin/dehydrated-hook
 +
 +
You'll also need to create a custom template fragment for Apache:
 +
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 +
nano -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME
 +
 +
The contents of that file should look like:
 +
# Alias for letsencrypt
 +
Alias /.well-known/acme-challenge /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
 +
Again, Ctrl-X to exit, Y to save.
 +
 +
Expand the template and restart apache:
 +
expand-template /etc/httpd/conf/httpd.conf
 +
service httpd-e-smith restart
 +
 +
Now you're ready to run dehydrated and get your certificate.
 +
dehydrated -c
 +
 +
The script will run for a moment and should report success.  If it does, look in /etc/dehydrated/certs/YOURDOMAIN and see if you have your files there.  You should see a number of .pem files, at least one .csr file, and five symbolic links (chain.pem, cert.csr, cert.pem, fullchain.pem, and privkey.pem).  If you do, congratulations!  You've successfully obtained your certificate.  The hook script should have also configured your server to use the new certificate.  To make sure, run
 +
config show modSSL
 +
and make sure there are values set for crt, key, and CertificateChainFile.
 +
 +
If dehydrated ran successfully in test mode, comment out the CA= line in /etc/dehydrated/config and run
 +
dehydrated -c -x
 +
 +
to obtain trusted a trusted certificate.
 +
 +
===Renewal===
 +
When run, the dehydrated script will check your existing certificate to see how long it's valid.  If it has less than 30 days' lifetime remaining (by default; this can be changed by setting RENEW_DAYS in config to something other than 30), the script will renew your certificates.  If more than 30 days remain, the script will exit without further action.  All that's necessary is to run dehydrated daily:
 +
nano -w /etc/cron.daily/call-dehydrated
 +
 +
Enter the following in this file:
 +
#!/bin/bash
 +
/usr/bin/dehydrated -c
 +
Ctrl-X to exit, Y to save.  Then make it executable:
 +
chmod +x /etc/cron.daily/call-dehydrated
 +
 +
{{warning box| end of the manual installation and configuration of dehydrated without smeserver-letsencrypt contrib}}
Super Admin, Wiki & Docs Team, Bureaucrats, Interface administrators, Administrators
3,254

edits

Navigation menu