LetsEncrypt on len.dfri.se
Install package
pkg install dehydrated
Variables
export CONTACT=hostmaster@dfri.se
export CN=dfri.se SAN=www.dfri.se
Configure dehydrated
cat /usr/local/etc/dehydrated/config.example \
  | sed -e 's|#HOOK=|HOOK=${BASEDIR}/hook.sh|1' \
        -e "s/#CONTACT_EMAIL=/CONTACT_EMAIL=${CONTACT}/1" \
  > /usr/local/etc/dehydrated/config
cp /usr/local/etc/dehydrated/hook.sh.example /usr/local/etc/dehydrated/hook.sh
$EDITOR /usr/local/etc/dehydrated/hook.sh

# In hook.sh, replace deploy_cert() with the following:
function deploy_cert {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"

    # Create the files with restrictive permissions from the start, so the
    # private key is never world-readable between the redirect and the chmod.
    umask 077

    # key + cert + chain in one PEM, as lighttpd's ssl.pemfile expects
    DEST="/usr/local/etc/lighttpd/certs/${DOMAIN}.pem"
    cat "$KEYFILE" "$CERTFILE" "$CHAINFILE" > "$DEST"
    chmod 640 "$DEST"
    chown root:www "$DEST"

    # full chain (no key) for ssl.ca-file
    DEST=/usr/local/etc/lighttpd/certs/le.pem
    cp "$FULLCHAINFILE" "$DEST"
    chmod 640 "$DEST"
    chown root:www "$DEST"

    service lighttpd restart
    # NOTE: Missing update of TLSA records!
}

chmod +x /usr/local/etc/dehydrated/hook.sh
echo $CN $SAN > /usr/local/etc/dehydrated/domains.txt
Configure lighttpd
mkdir /usr/local/etc/lighttpd/certs
$EDITOR /usr/local/etc/lighttpd/modules-dfri.conf   # enable 'mod_alias'
$EDITOR /usr/local/etc/lighttpd/lighttpd.conf

# In lighttpd.conf, inside the plain-HTTP socket block (the ACME http-01
# challenge is fetched over http, not https):
$SERVER["socket"] == " {   # NOTE: http, not https
    ...
    $HTTP["url"] =~ "/.well-known/acme-challenge/(.*)" {
        alias.url += ( "/.well-known/acme-challenge/" => "/usr/local/www/dehydrated/" )
    }
}

service lighttpd restart
Run once and set up to run periodically
NOTE: If you're not completely certain this will work, test it first
against the LE staging environment by editing config and setting
CA="https://acme-staging.api.letsencrypt.org/directory"
dehydrated -c
sysrc -f /etc/periodic.conf weekly_dehydrated_enable=YES
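The deploy_cert() hook above carries a NOTE that the DANE TLSA records are not updated when a new certificate is installed; until they are, any validating client will reject the new certificate. The script below is an added example, not code from this page or from the dehydrated project: it derives the TLSA record (RFC 6698, usage 3 / selector 1 / matching type 1 by default, i.e. the SHA-256 of the SubjectPublicKeyInfo) from the PEM file dehydrated passes as CERTFILE, using only the Python standard library and a minimal DER walker, so it needs no openssl binary. The hook could call it as `tlsa.py "$DOMAIN" "$CERTFILE"` and hand the output to whatever updates the zone; the script name, the constructed sample certificate and the dummy key bits are assumptions made for the example.

```python
"""Derive a DANE TLSA record from an X.509 certificate (example, not dehydrated code)."""
import base64
import hashlib
import re
import sys


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, body, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(body):
    """Yield (tag, raw TLV bytes) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        yield tag, body[pos:nxt]
        pos = nxt


def pem_to_der(pem_text):
    """Return the DER of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(cert_der):
    """Wrap DER as a PEM CERTIFICATE block (64-character base64 lines)."""
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der)
    tbs_tag, tbs_body, _ = der_read(cert_body)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version: present in v2/v3, absent in v1
        fields = fields[1:]
    spki_tag, spki = fields[5]  # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return spki


def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """TLSA RDATA per RFC 6698: usage, selector (0 cert / 1 SPKI), matching type, data."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        digest = data.hex()
    elif matching == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif matching == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {matching} {digest}"


def tlsa_rr(host, cert_der, port=443, proto="tcp", **kw):
    """Full zone-file line, e.g. _443._tcp.dfri.se. IN TLSA 3 1 1 <hex>."""
    return f"_{port}._{proto}.{host}. IN TLSA {tlsa_rdata(cert_der, **kw)}"


# Constructed sample certificate for offline testing: valid DER structure, but
# the key bits and signature are dummies, so it is not a usable certificate.
RSA_OID = bytes.fromhex("2A864886F70D010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11 sha256WithRSA
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
                      + der_tlv(0x03, b"\x00" + b"\x42" * 64))
_SIG_ALG = der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID) + der_tlv(0x05, b""))
_VALIDITY = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
_TBS_TAIL = (der_tlv(0x02, b"\x01") + _SIG_ALG + der_tlv(0x30, b"")
             + _VALIDITY + der_tlv(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_V3 = der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + _TBS_TAIL)
                         + _SIG_ALG + der_tlv(0x03, b"\x00" * 17))
SAMPLE_CERT_V1 = der_tlv(0x30, der_tlv(0x30, _TBS_TAIL) + _SIG_ALG + der_tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":
    # Usage from the hook (assumed name): tlsa.py "$DOMAIN" "$CERTFILE"
    with open(sys.argv[2]) as fh:
        print(tlsa_rr(sys.argv[1], pem_to_der(fh.read())))
```

Selector 1 (SPKI) is the right choice for this hook: dehydrated generates a new private key on every run by default, so the record must be republished after each renewal; matching on the public key rather than the whole certificate at least keeps the record stable if the key is ever reused, and publishing the new record with a lowered TTL before the `service lighttpd restart` avoids the window in which DANE clients see a certificate that does not match DNS.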
Example output
[root@len /usr/local/etc/dehydrated]# dehydrated -c
# INFO: Using main config file /usr/local/etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Processing dfri.se with alternative names: www.dfri.se
+ Signing domains...
+ Creating new directory /usr/local/etc/dehydrated/certs/dfri.se ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for dfri.se...
+ Requesting challenge for www.dfri.se...
+ Responding to challenge for dfri.se...
+ Challenge is valid!
+ Responding to challenge for www.dfri.se...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
Performing sanity check on lighttpd configuration:
Syntax OK
Stopping lighttpd.
Waiting for PIDS: 62048.
Starting lighttpd.
+ Done!