How to set up/manage services on a computer
install and configure acme.sh

install

install socat:

apt install socat

clone git:

git clone https://github.com/acmesh-official/acme.sh.git

install acme.sh:

cd acme.sh
./acme.sh --install --home /usr/local/lib/acme-sh --config-home /etc/acme-sh --accountemail "my@example.com"

log out and log back in so the shell aliases the installer added take effect:

exit
sudo -i

issue

if you haven't configured haproxy to issue certs with no downtime (see the last section), acme.sh has to bind the challenge port itself, so haproxy must be stopped before the challenge and started again afterwards; the pre- and post-hooks below do exactly that. To issue a certificate, run:

acme.sh --issue ${protocol:?} --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d ${domain:?}

where protocol is --standalone to answer the challenge on port 80 (HTTP-01), or --alpn to answer it on port 443 (TLS-ALPN-01).

deploy

once the certificate has been issued, it still has to be deployed to haproxy. First make sure the certs directory exists, then set the variables that tell the haproxy deploy hook where to write the combined PEM (certificate chain plus private key, which is what haproxy expects in one file) and how to reload haproxy, and run the deploy:

mkdir -p /etc/haproxy/certs
DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload" \
  acme.sh --deploy --deploy-hook haproxy -d ${domain:?}

acme.sh should automatically handle renewal of certificates and deployment of renewed certificates: the installer registers a cron job that runs acme.sh --cron, and the deploy hook settings are remembered per domain, so a renewed certificate is redeployed the same way. You can confirm what is managed and when it renews with acme.sh --list.
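The issue and deploy steps above are easy to get slightly wrong (wrong protocol flag, a PEM without the key, a world-readable key file). The following POSIX sh helpers are an added example, not part of this page or of acme.sh itself: they build and validate the issue command from the same `protocol`/`domain` choices used above, and check a deployed haproxy PEM before it is trusted. It assumes the haproxy deploy hook writes the combined file as `<domain>.pem` under the PEM path (that is the hook's default naming, but treat the path as an assumption and adjust if yours differs).

```shell
#!/bin/sh
# Added example helpers around the acme.sh issue/deploy steps on this page.
# Assumption: the haproxy deploy hook writes DEPLOY_HAPROXY_PEM_PATH/<domain>.pem.
set -u

# Map the page's "protocol" choice to the acme.sh flag.
# Accepts the bare word or the flag form; anything else is rejected so the
# command line is never built with an unknown or empty protocol.
acme_protocol_flag() {
  case "$1" in
    standalone|--standalone) printf '%s\n' '--standalone' ;;  # HTTP-01, needs port 80
    alpn|--alpn)             printf '%s\n' '--alpn' ;;        # TLS-ALPN-01, needs port 443
    *) printf 'unknown protocol: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Port that has to be free (i.e. not held by haproxy) for a given flag.
acme_protocol_port() {
  case "$1" in
    --standalone) echo 80 ;;
    --alpn)       echo 443 ;;
    *) return 1 ;;
  esac
}

# Build the issue command (printed, not executed) so it can be reviewed first.
# Usage: build_issue_cmd <protocol> <domain>
build_issue_cmd() {
  flag=$(acme_protocol_flag "$1") || return 1
  case "$2" in
    ''|*[!A-Za-z0-9.-]*) printf 'bad domain: %s\n' "$2" >&2; return 1 ;;
  esac
  printf 'acme.sh --issue %s --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d %s\n' "$flag" "$2"
}

# Sanity-check a deployed haproxy PEM: haproxy needs the certificate chain and
# the private key in the same file, and a file holding a private key must not
# be readable by other users. Returns 0 only when all three conditions hold.
check_haproxy_pem() {
  pem=$1
  [ -f "$pem" ] || { printf 'missing: %s\n' "$pem" >&2; return 1; }
  # grep -c prints 0 (and exits 1) when nothing matches; keep the count.
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
  keys=$(grep -c -E -- '-----BEGIN (EC |RSA )?PRIVATE KEY-----' "$pem" || true)
  if [ "$certs" -lt 1 ]; then
    printf '%s: no certificate block\n' "$pem" >&2; return 1
  fi
  if [ "$keys" -ne 1 ]; then
    printf '%s: expected exactly one private key, found %s\n' "$pem" "$keys" >&2; return 1
  fi
  # POSIX find: -perm -004 matches files with the world-read bit set.
  if [ -n "$(find "$pem" -perm -004)" ]; then
    printf '%s: private key is world-readable\n' "$pem" >&2; return 1
  fi
  return 0
}

# Optional: warn if the deployed certificate expires within N days (default 14).
# Requires openssl; a real certificate, not the constructed test data, is needed.
pem_expires_within() {
  pem=$1; days=${2:-14}
  command -v openssl >/dev/null 2>&1 || { echo 'openssl not found' >&2; return 2; }
  if openssl x509 -in "$pem" -noout -checkend $((days * 86400)); then
    return 1   # still valid beyond the window
  else
    return 0   # expires within the window: renewal/deploy did not happen
  fi
}

# Example run, mirroring the page's variables:
# protocol=alpn domain=example.com
# build_issue_cmd "$protocol" "$domain"
# check_haproxy_pem "/etc/haproxy/certs/$domain.pem"
```

`check_haproxy_pem` is the check to run after `acme.sh --deploy` (and after the first automatic renewal): if the key is missing haproxy will refuse the file on reload, and if the file is world-readable every local user can read the private key.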

no downtime config

see https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime