diff --git a/linux/letsencrypt/acme-sh.md b/linux/letsencrypt/acme-sh.md index 6d445b3..2fdfc72 100644 --- a/linux/letsencrypt/acme-sh.md +++ b/linux/letsencrypt/acme-sh.md 
@@ -1,48 +1,48 @@ -# install and configure acme.sh - -## install - -install `socat`: -``` -apt search socat -``` -clone git: -``` -git clone https://github.com/acmesh-official/acme.sh.git -``` -install `acme.sh`: -``` -cd acme.sh -./acme.sh --install --home /usr/local/lib/acme-sh --config-home /etc/acme-sh --accountemail "my@example.com" -``` -logout and log back in to make aliases take effect: -``` -exit -sudo -i -``` - -## issue - -if you haven't configured haproxy to issue certs with no downtime, you will have to stop and start it. To issue a certificate, run: -``` -acme.sh --issue ${protocol:?} --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d ${domain:?} -``` -where `protocol` is `--standalone` if you want to use port 80, or `--alpn` if you want to use port 443. - -## deploy - -once the certificate has been successfully issued, we still have to deploy it to our server. First, make sure the certs path exists, and set the appropriate variables to tell `acme.sh` where to deploy certificates: -``` -mkdir -p /etc/haproxy/certs -export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs -export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload" -``` -finally, deploy the certificate with: -``` -acme.sh --deploy -d --deploy-hook haproxy -d ${domain:?} -``` -acme.sh should automatically configure reneweal of certificates and deployment of renewed certificates. 
- -## no downtime config - -see https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime +# install and configure acme.sh + +## install + +install `socat`: +``` +apt install socat +``` +clone git: +``` +git clone https://github.com/acmesh-official/acme.sh.git +``` +install `acme.sh`: +``` +cd acme.sh +./acme.sh --install --home /usr/local/lib/acme-sh --config-home /etc/acme-sh --accountemail "my@example.com" +``` +logout and log back in to make aliases take effect: +``` +exit +sudo -i +``` + +## issue + +if you haven't configured haproxy to issue certs with no downtime, you will have to stop and start it. To issue a certificate, run: +``` +acme.sh --issue ${protocol:?} --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d ${domain:?} +``` +where `protocol` is `--standalone` if you want to use port 80, or `--alpn` if you want to use port 443. + +## deploy + +once the certificate has been successfully issued, we still have to deploy it to our server. First, make sure the certs path exists, and set the appropriate variables to tell `acme.sh` where to deploy certificates: +``` +mkdir -p /etc/haproxy/certs +export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs +export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload" +``` +finally, deploy the certificate with: +``` +acme.sh --deploy -d --deploy-hook haproxy -d ${domain:?} +``` +acme.sh should automatically configure reneweal of certificates and deployment of renewed certificates. + +## no downtime config + +see https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime
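Review bot: the deploy command carried over unchanged in this hunk, `acme.sh --deploy -d --deploy-hook haproxy -d ${domain:?}`, has a stray `-d` before `--deploy-hook`, so `--deploy-hook` would be consumed as the domain argument and the command fails; since the whole file is being rewritten anyway, fix it to `acme.sh --deploy --deploy-hook haproxy -d ${domain:?}`. Two smaller points in the same hunk: "reneweal" in the sentence after that command should be "renewal", and because every line of the file is removed and re-added, the one substantive change (`apt search socat` becoming `apt install socat`, which is the correct fix) is hard to spot in review; if the rest is a line-ending or whitespace normalisation, say so in the commit message or split it into its own commit.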