
Merge branch 'master' of ssh://medusa.casa.alemor.org:4323/mar/sysadmin-docs

master
Mario Alegre 5 years ago
parent
commit
df7920a009
  1. 96
      linux/letsencrypt/acme-sh.md

96
linux/letsencrypt/acme-sh.md

@ -1,48 +1,48 @@
# install and configure acme.sh # install and configure acme.sh
## install ## install
install `socat`: install `socat`:
``` ```
apt search socat apt install socat
``` ```
clone git: clone git:
``` ```
git clone https://github.com/acmesh-official/acme.sh.git git clone https://github.com/acmesh-official/acme.sh.git
``` ```
install `acme.sh`: install `acme.sh`:
``` ```
cd acme.sh cd acme.sh
./acme.sh --install --home /usr/local/lib/acme-sh --config-home /etc/acme-sh --accountemail "my@example.com" ./acme.sh --install --home /usr/local/lib/acme-sh --config-home /etc/acme-sh --accountemail "my@example.com"
``` ```
logout and log back in to make aliases take effect: logout and log back in to make aliases take effect:
``` ```
exit exit
sudo -i sudo -i
``` ```
## issue ## issue
if you haven't configured haproxy to issue certs with no downtime, you will have to stop and start it. To issue a certificate, run: if you haven't configured haproxy to issue certs with no downtime, you will have to stop and start it. To issue a certificate, run:
``` ```
acme.sh --issue ${protocol:?} --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d ${domain:?} acme.sh --issue ${protocol:?} --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d ${domain:?}
``` ```
where `protocol` is `--standalone` if you want to use port 80, or `--alpn` if you want to use port 443. where `protocol` is `--standalone` if you want to use port 80, or `--alpn` if you want to use port 443.
## deploy ## deploy
once the certificate has been successfully issued, we still have to deploy it to our server. First, make sure the certs path exists, and set the appropriate variables to tell `acme.sh` where to deploy certificates: once the certificate has been successfully issued, we still have to deploy it to our server. First, make sure the certs path exists, and set the appropriate variables to tell `acme.sh` where to deploy certificates:
``` ```
mkdir -p /etc/haproxy/certs mkdir -p /etc/haproxy/certs
export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs
export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload" export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload"
``` ```
finally, deploy the certificate with: finally, deploy the certificate with:
``` ```
acme.sh --deploy -d --deploy-hook haproxy -d ${domain:?} acme.sh --deploy -d --deploy-hook haproxy -d ${domain:?}
``` ```
acme.sh should automatically configure reneweal of certificates and deployment of renewed certificates. acme.sh should automatically configure reneweal of certificates and deployment of renewed certificates.
## no downtime config ## no downtime config
see https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime see https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime
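Review bot: the deploy command in the `## deploy` section carries a stray `-d` before `--deploy-hook` (`acme.sh --deploy -d --deploy-hook haproxy -d ${domain:?}`); as written, the first `-d` takes `--deploy-hook` as its domain argument, so the deploy step would not run as intended. Suggest `acme.sh --deploy --deploy-hook haproxy -d ${domain:?}`. The `apt search socat` to `apt install socat` fix in the `## install` section is correct, since `apt search` only lists packages. Minor: "reneweal" in the sentence after the deploy command should read "renewal".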
