Changes

From SME Server
1,736 bytes added, 15:32, 15 May 2017
→‎Advanced Topics: Added section on private SME server
Line 448: Line 448:  
These certificates will be automatically renewed, just like the main server certificate.
 
These certificates will be automatically renewed, just like the main server certificate.
    +
===Obtaining certificates for a private SME Server===
 +
As noted above in the prerequisites section, your SME Server must ordinarily be accessible from the Internet so that the Let's Encrypt servers can validate that you control it.  However, if your SME Server is not accessible from the Internet, the smeserver-letsencrypt contrib provides a method that can be used to validate domain control.  In order to use this method, the following conditions must be true:
 +
* The hostname of your internal SME Server (example: internal.mydomain.tld) resolves, on the public Internet, to a valid IP address
 +
* The host to which internal.mydomain.tld resolves (example: external.mydomain.tld) has a running web server on port 80
 +
* The root user from internal.mydomain.tld can connect to external.mydomain.tld via SSH without entering a password (i.e., you've set up SSH public key authentication)
 +
 +
This method uses a simple script that's included in the smeserver-letsencrypt contrib, which requires that four database entries be set:
 +
config setprop letsencrypt hookScript enabled
 +
config setprop letsencrypt host '''external.mydomain.tld'''
 +
config setprop letsencrypt user '''root'''
 +
config setprop letsencrypt path '''/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge'''
 +
signal-event console-save
 +
 +
The parts in bold above should be changed to match your situation; the path variable should be the filesystem location that external.mydomain.tld serves as /.well-known/acme-challenge/ .  When dehydrated creates the challenge file, it will transfer it via scp to user@host:path/, and then allow the Let's Encrypt server to validate.  Once validation is accomplished, the script will remove the challenge file from user@host:path/
    
= Bugs =
 
= Bugs =
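Review bot: the example value in `config setprop letsencrypt user '''root'''`, together with the third prerequisite (passwordless SSH for root from internal.mydomain.tld), has the reader grant the internal server's key a root login on the Internet-facing web host, although the text says the script only copies a challenge file to user@host:path/ and later removes it. I would document a dedicated unprivileged account on external.mydomain.tld that has write access to the acme-challenge directory and nothing else, use that account in the example, and reword the prerequisite to say that the key must be accepted for that account rather than for root. The section would also benefit from one sentence on how to turn the method off again, since only the `hookScript enabled` setting is shown.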