
ACME (1)

2022-02-26

toe@vetinari ~ % certname=sportfreunde-madagaskar.com; sudo -u acme-client-user acme-tiny --account-key /vetinari.oepkes.net/acme-client-user/account.key --csr /vetinari.oepkes.net/certificates/domains/$certname/csr --acme-dir /vetinari.oepkes.net/acme-client-user/challenges | sudo tee /vetinari.oepkes.net/certificates/domains/$certname/certchain.pem; scp /vetinari.oepkes.net/certificates/domains/$certname/certchain.pem root@deworde.oepkes.net:/cryptdata/certificates/domains/$certname/certchain.pem

What this does is

  • use existing CSR
  • request new Let's Encrypt certificate
  • use plain filesystem directory for challenge files
  • use Nginx to serve challenge files
  • (if required) deploy new certificate to respective server

I have one host which takes care of the ACME stuff. The other hosts use something like this to point their HTTP-01 challenge path at the main ACME host:

server {
    listen 80;
    server_name oepkes.net;

    location / {
        proxy_pass http://vetinari.oepkes.net/;
    }

}

And the main ACME host has this:

server {
    listen 80;
    server_name oepkes.net;

    location /.well-known/acme-challenge/ {
        alias /vetinari.oepkes.net/acme-client-user/challenges/;
        try_files $uri =404;
    }
}
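The satellite config above proxies all of port 80 to the ACME host, although only the challenge path has to be forwarded. The following is an added example, not the author's config: it forwards just /.well-known/acme-challenge/ and redirects everything else to HTTPS. It also passes the client's Host header through. By default Nginx sends the upstream name (vetinari.oepkes.net) as Host, so the challenge block on the ACME host, whose server_name is oepkes.net, would only be selected if it is the default server. The names below are the ones from the post.

```nginx
# Satellite host: forward only ACME HTTP-01 challenges, nothing else on port 80.
server {
    listen 80;
    server_name oepkes.net;

    location /.well-known/acme-challenge/ {
        # No URI part on proxy_pass, so the original path is forwarded unchanged.
        proxy_pass http://vetinari.oepkes.net;
        # Keep the requested name so the ACME host's server_name matching works
        # for every domain whose challenge is relayed here.
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

With the Host header forwarded, the challenge-serving block on the ACME host must list each certname in its server_name (or be the default server for port 80), otherwise the relayed request lands in another server block and Let's Encrypt sees a 404.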

And just for reference, I created my CSRs like this:

toe@vetinari ~ % certname=turbojugend-madagaskar.de; sudo mkdir --parents /vetinari.oepkes.net/certificates/domains/$certname; sudo openssl req -new -sha256 -subj "/" -addext "subjectAltName = DNS:$certname, DNS:www.$certname" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -out /vetinari.oepkes.net/certificates/domains/$certname/csr -keyout /vetinari.oepkes.net/certificates/domains/$certname/key.pem
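The one-liners above do the job but install whatever acme-tiny prints, and the certname goes straight into filesystem paths and an scp target. The script below is an added example, not the author's tooling: it wraps the same acme-tiny invocation and the same paths from the post, checks the certname is a plain hostname, skips renewal while the current chain still has enough validity left, writes the new chain to a temp file, verifies it parses and carries the public key of key.pem, and only then swaps it into place and deploys it. The script name, the 30-day threshold (MIN_DAYS) and the DEPLOY_HOST variable are assumptions; it is meant to be run as root, which is why no `sudo tee` is needed for the redirect.

```sh
#!/bin/sh
# renew-cert.sh: the acme-tiny one-liner from the post, wrapped in checks.
# Added example, not the author's script. Paths and user names follow the post;
# the script name, MIN_DAYS and DEPLOY_HOST are assumptions.
set -eu

ACME_USER=acme-client-user
BASE=/vetinari.oepkes.net
ACCOUNT_KEY="$BASE/$ACME_USER/account.key"
CHALLENGE_DIR="$BASE/$ACME_USER/challenges"
DEPLOY_HOST="${DEPLOY_HOST:-root@deworde.oepkes.net}"
DEPLOY_BASE=/cryptdata/certificates/domains
MIN_DAYS="${MIN_DAYS:-30}"   # assumed threshold: renew when fewer days remain

# The certname is spliced into filesystem paths and an scp target, so accept
# only a plain dotted hostname (two or more labels of letters, digits, hyphens).
valid_certname() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Directory holding csr, key.pem and certchain.pem for one certname.
cert_dir() {
    printf '%s\n' "$BASE/certificates/domains/$1"
}

# True when the current chain still has at least MIN_DAYS of validity left.
# openssl -checkend exits 0 if the certificate does NOT expire within N seconds.
still_valid() {
    [ -f "$1" ] && openssl x509 -in "$1" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null 2>&1
}

# The leaf certificate must carry the public key of the key Nginx will load;
# a mismatch means the chain belongs to a different CSR or the key was rotated.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

renew() {
    certname=$1
    valid_certname "$certname" || { echo "refusing certname '$certname'" >&2; return 2; }
    dir=$(cert_dir "$certname")
    [ -f "$dir/csr" ] || { echo "no CSR at $dir/csr" >&2; return 2; }

    if still_valid "$dir/certchain.pem"; then
        echo "$certname: more than $MIN_DAYS days left, nothing to do"
        return 0
    fi

    # Write to a temp file first so a failed run never clobbers the live chain
    # that Nginx is serving; only verified output is moved into place.
    tmp=$(mktemp "$dir/certchain.pem.XXXXXX")
    if ! sudo -u "$ACME_USER" acme-tiny --account-key "$ACCOUNT_KEY" \
            --csr "$dir/csr" --acme-dir "$CHALLENGE_DIR" >"$tmp"; then
        rm -f "$tmp"; echo "$certname: acme-tiny failed" >&2; return 1
    fi
    if ! openssl x509 -in "$tmp" -noout >/dev/null 2>&1 || ! key_matches_cert "$tmp" "$dir/key.pem"; then
        rm -f "$tmp"; echo "$certname: output is not a certificate for key.pem" >&2; return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dir/certchain.pem"      # rename on the same filesystem: atomic swap
    scp "$dir/certchain.pem" "$DEPLOY_HOST:$DEPLOY_BASE/$certname/certchain.pem"
}

# Runs only when invoked as the script itself, e.g.:
#   sudo ./renew-cert.sh sportfreunde-madagaskar.com
case "${0##*/}" in
    renew-cert.sh) renew "${1:?usage: renew-cert.sh <certname>}" ;;
esac
```

Because `still_valid` makes the script a no-op while the chain is fresh, it can run from cron daily without hitting Let's Encrypt rate limits; the certname check keeps a mistyped or hostile argument from turning into a path outside the domains directory.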