LetsEncrypt on len.dfri.se

Install package

pkg install dehydrated

Variables

export CONTACT=hostmaster@dfri.se
export CN=dfri.se SAN=www.dfri.se

Configure dehydrated

cat /usr/local/etc/dehydrated/config.example \
  | sed -e 's|#HOOK=|HOOK=${BASEDIR}/hook.sh|1' \
        -e "s/#CONTACT_EMAIL=/CONTACT_EMAIL=${CONTACT}/1" \
  > /usr/local/etc/dehydrated/config
cp /usr/local/etc/dehydrated/hook.sh.example /usr/local/etc/dehydrated/hook.sh
$EDITOR /usr/local/etc/dehydrated/hook.sh
# replace deploy_cert():
function deploy_cert {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
    # lighttpd wants key, leaf cert and chain in one PEM file
    DEST=/usr/local/etc/lighttpd/certs/${DOMAIN}.pem
    cat "$KEYFILE" "$CERTFILE" "$CHAINFILE" > "$DEST"
    chmod 640 "$DEST"
    chown root:www "$DEST"
    # full chain (leaf + intermediates) on its own, readable by the www group
    DEST=/usr/local/etc/lighttpd/certs/le.pem
    cp "$FULLCHAINFILE" "$DEST"
    chmod 640 "$DEST"
    chown root:www "$DEST"
    service lighttpd restart
    # NOTE: Missing update of TLSA records!
}
chmod +x /usr/local/etc/dehydrated/hook.sh
echo $CN $SAN > /usr/local/etc/dehydrated/domains.txt
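The deploy_cert() above leaves the TLSA record update undone. As an added example (not part of this page or of dehydrated) of how that record's association data is derived, here is a stdlib-only Python script that pulls the SubjectPublicKeyInfo out of a DER certificate and builds the DANE-EE record line. It assumes a TLSA 3 1 1 record (usage DANE-EE, selector SPKI, matching type SHA-256), and stands in a constructed, certificate-shaped DER blob for the DER form of $CERTFILE; the function names are my own.

```python
import hashlib

def _tlv(buf, off):
    # Decode tag and length at buf[off]; return (tag, header_len, body_len).
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, hdr, ln

def _children(buf, off, end):
    # Yield (tag, start, end) for each element directly inside buf[off:end].
    while off < end:
        tag, hdr, ln = _tlv(buf, off)
        yield tag, off, off + hdr + ln
        off += hdr + ln

def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo element of a DER-encoded certificate."""
    _, hdr, ln = _tlv(cert_der, 0)                                    # Certificate
    _, tbs_start, tbs_end = next(_children(cert_der, hdr, hdr + ln))  # tbsCertificate
    _, hdr, _ = _tlv(cert_der, tbs_start)
    fields = list(_children(cert_der, tbs_start + hdr, tbs_end))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    _, start, end = fields[5]   # serial, signature, issuer, validity, subject, SPKI
    return cert_der[start:end]

def tlsa_3_1_1(cert_der):
    # Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
    return hashlib.sha256(spki_der(cert_der)).hexdigest()

def tlsa_rr(domain, port, cert_der):
    # Zone-file line, e.g. "_443._tcp.dfri.se. IN TLSA 3 1 1 <hex>".
    return "_%d._tcp.%s. IN TLSA 3 1 1 %s" % (port, domain, tlsa_3_1_1(cert_der))

def der(tag, body):
    # Encode one DER TLV (long-form length when the body is 128 bytes or more).
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
# Constructed, certificate-shaped DER for the demo: dummy contents, real structure.
NULL, SEQ0 = der(0x05, b""), der(0x30, b"")            # SEQ0 stands in for issuer/validity/subject
SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + NULL)
           + der(0x03, b"\x00" + b"\xab" * 140))        # 140 key bytes forces long-form length
SIGALG = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + NULL)
TBS_V3 = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SIGALG + SEQ0 * 3 + SPKI)
TBS_V1 = der(0x30, der(0x02, b"\x01") + SIGALG + SEQ0 * 3 + SPKI)   # v1: no version field
CERT_V3, CERT_V1 = (der(0x30, t + SIGALG + der(0x03, b"\x00" * 9)) for t in (TBS_V3, TBS_V1))
```

Because selector 1 hashes only the public key, the record value changes only when a renewal is issued for a new key, so a hook can compare the computed value with the published one and leave DNS alone when they match.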

Configure lighttpd

mkdir /usr/local/etc/lighttpd/certs
$EDITOR /usr/local/etc/lighttpd/modules-dfri.conf
# enable 'mod_alias'
$EDITOR /usr/local/etc/lighttpd/lighttpd.conf
# the socket value is missing from this page; ":80" is assumed from the note below
$SERVER["socket"] == ":80" {    # NOTE: http, not https
    ...
    # serve the ACME http-01 challenge files written by dehydrated
    $HTTP["url"] =~ "/.well-known/acme-challenge/(.*)" {
        alias.url += ( "/.well-known/acme-challenge/" => "/usr/local/www/dehydrated/" )
    }
}
service lighttpd restart

Run once and set up to run periodically

NOTE: If you're not super certain this will work, please test using the LE staging environment by editing config and setting

CA="https://acme-staging.api.letsencrypt.org/directory"

dehydrated -c
sysrc -f /etc/periodic.conf weekly_dehydrated_enable=YES

Example output

[root@len /usr/local/etc/dehydrated]# dehydrated -c
# INFO: Using main config file /usr/local/etc/dehydrated/config
 + Generating account key...
 + Registering account key with ACME server...
Processing dfri.se with alternative names: www.dfri.se
 + Signing domains...
 + Creating new directory /usr/local/etc/dehydrated/certs/dfri.se ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for dfri.se...
 + Requesting challenge for www.dfri.se...
 + Responding to challenge for dfri.se...
 + Challenge is valid!
 + Responding to challenge for www.dfri.se...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Performing sanity check on lighttpd configuration:
Syntax OK
Stopping lighttpd.
Waiting for PIDS: 62048.
Starting lighttpd.
 + Done!