
@Nothing4You
Forked from lachesis/letsencrypt_notes.sh
Last active March 29, 2025 19:32
Revisions

  1. Nothing4You renamed this gist Jun 28, 2017. 1 changed file with 0 additions and 0 deletions.
    File renamed without changes.
  2. Nothing4You revised this gist Jun 28, 2017. 1 changed file with 42 additions and 63 deletions.
    105 changes: 42 additions & 63 deletions letsencrypt_notes.sh
    @@ -1,3 +1,8 @@
    # Modified for OpenBSD
    # Assumes being root
    # Requires curl to be installed, wget can also be used, relevant commands need to be adjusted. acme.sh supports both.
    # Configured to use Cloudflare DNS for verification

    # How to use "acme.sh" to set up Lets Encrypt without root permissions
    # See https://github.com/Neilpang/acme.sh for more

    @@ -12,96 +17,70 @@
    # - Reload your nginx server

    # First things first - create a user account for acme
    sudo useradd -m -d /var/lib/acme -s /usr/sbin/nologin acme
    sudo chmod 700 /var/lib/acme
    useradd -m -d /home/acme -s /sbin/nologin -g www acme
    chmod 700 /home/acme

    # Create a directory for the acme account to save certs in
    sudo mkdir /etc/nginx/auth-acme
    sudo chown acme.www-data /etc/nginx/auth-acme
    sudo chmod 710 /etc/nginx/auth-acme

    # Create a directory under the webroot for acme to put webroot challenge responses
    sudo mkdir -p /var/www/EXAMPLE.com/.well-known/acme-challenge
    sudo chown acme.acme /var/www/EXAMPLE.com/.well-known/acme-challenge
    sudo chmod 755 /var/www/EXAMPLE.com/.well-known/acme-challenge
    mkdir /etc/nginx/ssl
    chown acme.www /etc/nginx/ssl
    chmod 710 /etc/nginx/ssl

    # Also make sure the acme user has at least eXecute permissions on all parent
    # directories of this directory. This will generally be true by default.

    # Edit your nginx config file to publish the well-known directory on your site.
    # Lets Encrypt checks on port 80, non-SSL, so you need to at least not redirect
    # that location.

    sudo vim /etc/nginx/sites-enabled/EXAMPLE.com
    ## Example config section:
    # webroot for acme
    server {
    listen [::]:80;
    server_name EXAMPLE.com;
    # Edit your doas.conf to allow the acme user to reload (not restart) nginx
    echo 'permit nopass acme cmd /etc/rc.d/nginx args reload' >> /etc/doas.conf

    location ~ /.well-known {
    allow all;
    root /var/www/EXAMPLE.com;
    }

    location / {
    rewrite ^ https://EXAMPLE.com$request_uri? permanent;
    }
    }
    # Now change to the ACME user - you'll do most of the rest of this guide as them
    su - -s /usr/local/bin/bash acme
    export HOME=/home/acme
    cd /home/acme

    # Make sure nginx is configured properly
    sudo nginx -t
    sudo service nginx reload
    # Install acme.sh
    curl -Lo acme.tar.gz https://github.com/Neilpang/acme.sh/archive/master.tar.gz
    tar xzvf acme.tar.gz
    cd acme.sh-master

    # Edit your sudoers file to allow the acme user to reload (not restart) nginx
    sudo visudo
    # Add the following line:
    acme ALL=(ALL) NOPASSWD: /usr/sbin/service nginx reload
    ./acme.sh --install

    # Add account email - optional
    echo "ACCOUNT_EMAIL='[email protected]'" >> /home/acme/.acme.sh/account.conf

    # Add Cloudflare api details
    echo "SAVED_CF_Email='[email protected]'" >> /home/acme/.acme.sh/account.conf
    echo "SAVED_CF_Key='...'" >> /home/acme/.acme.sh/account.conf

    # Now change to the ACME user - you'll do most of the rest of this guide as them
    sudo -s -u acme bash
    export HOME=/var/lib/acme
    cd /var/lib/acme
    # Create script for easier certificate issuance - in this case I always
    # request example.com and www.example.com, just remove this if you don't
    # want www.example.com: -d 'www.$1'

    # Install acme.sh
    git clone https://github.com/Neilpang/acme.sh.git
    cd acme.sh
    ./acme.sh --install
    echo '#!/bin/sh' > /home/acme/acme-nginx
    echo '/home/acme/.acme.sh/acme.sh --issue --dns dns_cf -d "$1" -d "www.$1" && /home/acme/.acme.sh/acme.sh --installcert -d "$1" --fullchainpath "/etc/nginx/ssl/$1.pem" --keypath "/etc/nginx/ssl/$1.key" --capath "/etc/nginx/ssl/$1.ca" --reloadcmd "doas /etc/rc.d/nginx reload"' >> /home/acme/acme-nginx
    chmod +x /home/acme/acme-nginx

    # Create your first certificate (from here on is roughly what you'll repeat)
    cd /var/lib/acme
    .acme.sh/acme.sh --issue -d EXAMPLE.com -w /var/www/EXAMPLE.com

    # If everything went well, install your certificate
    .acme.sh/acme.sh --installcert -d EXAMPLE.com \
    --keypath /etc/nginx/auth-acme/EXAMPLE.com.key \
    --capath /etc/nginx/auth-acme/EXAMPLE.com.ca \
    --fullchainpath /etc/nginx/auth-acme/EXAMPLE.com.crt \
    --reloadcmd "sudo service nginx reload"
    /home/acme/acme-nginx example.com

    # Drop back to your own user
    # Drop back to root
    exit

    # Now modify your nginx config to work with the new certs
    sudo vim /etc/nginx/sites-enabled/EXAMPLE.com
    vi /etc/nginx/sites-enabled/EXAMPLE.com

    # Example SSL config section
    server {
    ...
    ssl_certificate /etc/nginx/auth-acme/EXAMPLE.com.crt;
    ssl_certificate_key /etc/nginx/auth-acme/EXAMPLE.com.key;
    ssl_trusted_certificate /etc/nginx/auth-acme/EXAMPLE.com.ca;
    include ssl_settings.conf;
    ssl_certificate /etc/nginx/ssl/EXAMPLE.com.crt;
    ssl_certificate_key /etc/nginx/ssl/EXAMPLE.com.key;
    ssl_trusted_certificate /etc/nginx/ssl/EXAMPLE.com.ca;
    ...
    }

    # Test nginx
    sudo nginx -t
    nginx -t

    # And reload if it worked
    sudo service nginx reload
    /etc/rc.d/nginx reload

    # Congrats, you have letsencrypt and nobody ran anything as root on your box.
    # Don't forget to back up /var/lib/acme/.acme.sh - it has your letsencrypt account keys!
    # Congrats, you have letsencrypt and acme.sh isn't running as root on your box.
    # Don't forget to back up /home/acme/.acme.sh - it has your letsencrypt account keys!
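Review bot: `echo "SAVED_CF_Key='...'" >> /home/acme/.acme.sh/account.conf` drops a Cloudflare API key into a plain-text file and nothing in the hunk checks that file's mode, so the notes should add `chmod 600 /home/acme/.acme.sh/account.conf` right after the three echo lines (acme.sh may already tighten it on install — verify) and say which kind of key is expected. The Global API Key is account-wide, so a compromise of the acme user — which this revision also has fetch and run an unpinned `master.tar.gz` via `curl -Lo acme.tar.gz ...` — would expose every zone in the account rather than just the TXT records the challenge needs; current acme.sh releases accept a scoped DNS-edit API token (`CF_Token`) for dns_cf, which is the lower-privilege choice where available. The `doas` rule `permit nopass acme cmd /etc/rc.d/nginx args reload` is correctly limited to the reload argument, so the nginx side is fine.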
  3. @lachesis lachesis revised this gist May 30, 2016. 1 changed file with 18 additions and 18 deletions.
    36 changes: 18 additions & 18 deletions letsencrypt_notes.sh
    @@ -2,12 +2,12 @@
    # See https://github.com/Neilpang/acme.sh for more

    # This assumes that your website has a webroot at "/var/www/<domain>"
    # I'll use the domain "stats.aftbit.com" as an example
    # I'll use the domain "EXAMPLE.com" as an example

    # When this is done, there will be an "acme" user that handles issuing,
    # updating, and installing certificates. This account will have the following
    # (fairly minimal) permissions:
    # - Host files at http://stats.aftbit.com/.well-known/acme-challenge
    # - Host files at http://EXAMPLE.com/.well-known/acme-challenge
    # - Copy certificates to /etc/nginx/auth-acme
    # - Reload your nginx server

    @@ -21,9 +21,9 @@ sudo chown acme.www-data /etc/nginx/auth-acme
    sudo chmod 710 /etc/nginx/auth-acme

    # Create a directory under the webroot for acme to put webroot challenge responses
    sudo mkdir -p /var/www/stats.aftbit.com/.well-known/acme-challenge
    sudo chown acme.acme /var/www/stats.aftbit.com/.well-known/acme-challenge
    sudo chmod 755 /var/www/stats.aftbit.com/.well-known/acme-challenge
    sudo mkdir -p /var/www/EXAMPLE.com/.well-known/acme-challenge
    sudo chown acme.acme /var/www/EXAMPLE.com/.well-known/acme-challenge
    sudo chmod 755 /var/www/EXAMPLE.com/.well-known/acme-challenge

    # Also make sure the acme user has at least eXecute permissions on all parent
    # directories of this directory. This will generally be true by default.
    @@ -32,20 +32,20 @@ sudo chmod 755 /var/www/stats.aftbit.com/.well-known/acme-challenge
    # Lets Encrypt checks on port 80, non-SSL, so you need to at least not redirect
    # that location.

    sudo vim /etc/nginx/sites-enabled/stats.aftbit.com
    sudo vim /etc/nginx/sites-enabled/EXAMPLE.com
    ## Example config section:
    # webroot for acme
    server {
    listen [::]:80;
    server_name stats.aftbit.com;
    server_name EXAMPLE.com;

    location ~ /.well-known {
    allow all;
    root /var/www/stats.aftbit.com;
    root /var/www/EXAMPLE.com;
    }

    location / {
    rewrite ^ https://stats.aftbit.com$request_uri? permanent;
    rewrite ^ https://EXAMPLE.com$request_uri? permanent;
    }
    }

    @@ -72,27 +72,27 @@ cd acme.sh

    # Create your first certificate (from here on is roughly what you'll repeat)
    cd /var/lib/acme
    .acme.sh/acme.sh --issue -d stats.aftbit.com -w /var/www/stats.aftbit.com
    .acme.sh/acme.sh --issue -d EXAMPLE.com -w /var/www/EXAMPLE.com

    # If everything went well, install your certificate
    .acme.sh/acme.sh --installcert -d stats.aftbit.com \
    --keypath /etc/nginx/auth-acme/stats.aftbit.com.key \
    --capath /etc/nginx/auth-acme/stats.aftbit.com.ca \
    --fullchainpath /etc/nginx/auth-acme/stats.aftbit.com.crt \
    .acme.sh/acme.sh --installcert -d EXAMPLE.com \
    --keypath /etc/nginx/auth-acme/EXAMPLE.com.key \
    --capath /etc/nginx/auth-acme/EXAMPLE.com.ca \
    --fullchainpath /etc/nginx/auth-acme/EXAMPLE.com.crt \
    --reloadcmd "sudo service nginx reload"

    # Drop back to your own user
    exit

    # Now modify your nginx config to work with the new certs
    sudo vim /etc/nginx/sites-enabled/stats.aftbit.com
    sudo vim /etc/nginx/sites-enabled/EXAMPLE.com

    # Example SSL config section
    server {
    ...
    ssl_certificate /etc/nginx/auth-acme/stats.aftbit.com.crt;
    ssl_certificate_key /etc/nginx/auth-acme/stats.aftbit.com.key;
    ssl_trusted_certificate /etc/nginx/auth-acme/stats.aftbit.com.ca;
    ssl_certificate /etc/nginx/auth-acme/EXAMPLE.com.crt;
    ssl_certificate_key /etc/nginx/auth-acme/EXAMPLE.com.key;
    ssl_trusted_certificate /etc/nginx/auth-acme/EXAMPLE.com.ca;
    include ssl_settings.conf;
    ...
    }
  4. @lachesis lachesis revised this gist May 30, 2016. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions letsencrypt_notes.sh
    @@ -13,6 +13,7 @@

    # First things first - create a user account for acme
    sudo useradd -m -d /var/lib/acme -s /usr/sbin/nologin acme
    sudo chmod 700 /var/lib/acme

    # Create a directory for the acme account to save certs in
    sudo mkdir /etc/nginx/auth-acme
    @@ -48,6 +49,10 @@ server {
    }
    }

    # Make sure nginx is configured properly
    sudo nginx -t
    sudo service nginx reload

    # Edit your sudoers file to allow the acme user to reload (not restart) nginx
    sudo visudo
    # Add the following line:
    @@ -99,3 +104,4 @@ sudo nginx -t
    sudo service nginx reload

    # Congrats, you have letsencrypt and nobody ran anything as root on your box.
    # Don't forget to back up /var/lib/acme/.acme.sh - it has your letsencrypt account keys!
  5. @lachesis lachesis revised this gist May 30, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion letsencrypt_notes.sh
    @@ -20,7 +20,7 @@ sudo chown acme.www-data /etc/nginx/auth-acme
    sudo chmod 710 /etc/nginx/auth-acme

    # Create a directory under the webroot for acme to put webroot challenge responses
    sudo mkdir /var/www/stats.aftbit.com/.well-known/acme-challenge
    sudo mkdir -p /var/www/stats.aftbit.com/.well-known/acme-challenge
    sudo chown acme.acme /var/www/stats.aftbit.com/.well-known/acme-challenge
    sudo chmod 755 /var/www/stats.aftbit.com/.well-known/acme-challenge

  6. @lachesis lachesis created this gist May 19, 2016.
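--- a/letsencrypt_notes.sh
+++ b/letsencrypt_notes.sh
@@ -0,0 +1,101 @@
+# How to use "acme.sh" to set up Lets Encrypt without root permissions
+# See https://github.com/Neilpang/acme.sh for more
+
+# This assumes that your website has a webroot at "/var/www/<domain>"
+# I'll use the domain "stats.aftbit.com" as an example
+
+# When this is done, there will be an "acme" user that handles issuing,
+# updating, and installing certificates. This account will have the following
+# (fairly minimal) permissions:
+# - Host files at http://stats.aftbit.com/.well-known/acme-challenge
+# - Copy certificates to /etc/nginx/auth-acme
+# - Reload your nginx server
+
+# First things first - create a user account for acme
+sudo useradd -m -d /var/lib/acme -s /usr/sbin/nologin acme
+
+# Create a directory for the acme account to save certs in
+sudo mkdir /etc/nginx/auth-acme
+sudo chown acme.www-data /etc/nginx/auth-acme
+sudo chmod 710 /etc/nginx/auth-acme
+
+# Create a directory under the webroot for acme to put webroot challenge responses
+sudo mkdir /var/www/stats.aftbit.com/.well-known/acme-challenge
+sudo chown acme.acme /var/www/stats.aftbit.com/.well-known/acme-challenge
+sudo chmod 755 /var/www/stats.aftbit.com/.well-known/acme-challenge
+
+# Also make sure the acme user has at least eXecute permissions on all parent
+# directories of this directory. This will generally be true by default.
+
+# Edit your nginx config file to publish the well-known directory on your site.
+# Lets Encrypt checks on port 80, non-SSL, so you need to at least not redirect
+# that location.
+
+sudo vim /etc/nginx/sites-enabled/stats.aftbit.com
+## Example config section:
+# webroot for acme
+server {
+listen [::]:80;
+server_name stats.aftbit.com;
+
+location ~ /.well-known {
+allow all;
+root /var/www/stats.aftbit.com;
+}
+
+location / {
+rewrite ^ https://stats.aftbit.com$request_uri? permanent;
+}
+}
+
+# Edit your sudoers file to allow the acme user to reload (not restart) nginx
+sudo visudo
+# Add the following line:
+acme ALL=(ALL) NOPASSWD: /usr/sbin/service nginx reload
+
+
+
+# Now change to the ACME user - you'll do most of the rest of this guide as them
+sudo -s -u acme bash
+export HOME=/var/lib/acme
+cd /var/lib/acme
+
+# Install acme.sh
+git clone https://github.com/Neilpang/acme.sh.git
+cd acme.sh
+./acme.sh --install
+
+# Create your first certificate (from here on is roughly what you'll repeat)
+cd /var/lib/acme
+.acme.sh/acme.sh --issue -d stats.aftbit.com -w /var/www/stats.aftbit.com
+
+# If everything went well, install your certificate
+.acme.sh/acme.sh --installcert -d stats.aftbit.com \
+--keypath /etc/nginx/auth-acme/stats.aftbit.com.key \
+--capath /etc/nginx/auth-acme/stats.aftbit.com.ca \
+--fullchainpath /etc/nginx/auth-acme/stats.aftbit.com.crt \
+--reloadcmd "sudo service nginx reload"
+
+# Drop back to your own user
+exit
+
+# Now modify your nginx config to work with the new certs
+sudo vim /etc/nginx/sites-enabled/stats.aftbit.com
+
+# Example SSL config section
+server {
+...
+ssl_certificate /etc/nginx/auth-acme/stats.aftbit.com.crt;
+ssl_certificate_key /etc/nginx/auth-acme/stats.aftbit.com.key;
+ssl_trusted_certificate /etc/nginx/auth-acme/stats.aftbit.com.ca;
+include ssl_settings.conf;
+...
+}
+
+# Test nginx
+sudo nginx -t
+
+# And reload if it worked
+sudo service nginx reload
+
+# Congrats, you have letsencrypt and nobody ran anything as root on your box.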
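Review bot: The install step `git clone https://github.com/Neilpang/acme.sh.git` followed by `./acme.sh --install` runs whatever master happens to contain at that moment, so the notes should tell the reader to pin a release (`git checkout <RELEASE_TAG>` before `--install`) or otherwise inspect the checkout first. The blast radius is bounded by the sudoers line `acme ALL=(ALL) NOPASSWD: /usr/sbin/service nginx reload`, which grants only the reload, but the acme account still holds the Let's Encrypt account key and writes the private keys nginx serves from /etc/nginx/auth-acme. Separately, `sudo chown acme.www-data /etc/nginx/auth-acme` uses the dotted user.group form, which GNU chown only tolerates for compatibility; `chown acme:www-data` is the portable spelling and avoids ambiguity with usernames that contain a dot.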