alpine/alpine-wiki
1
0
Fork 0
mirror of https://codeberg.org/alpine/alpine-wiki.git synced 2023-08-25 13:53:16 +02:00
Code Issues Projects Releases Wiki Activity
4d7e63ca7d
alpine-wiki/documents/guide-only-dehydrated.md

231 lines
6.2 KiB
Markdown
Raw Normal View History

alpine tutorials - fast forwaard guide dehydrated for lest encryp * this guide uses "venenux.com" as domian examle, change as need * you must need a DNS setup for each domain
2022-08-25 21:36:43 +02:00
## dehydrated
**Ultra simple letsencrypt/acme client** implemented as a shell-script - *just add water* 😆
#### features
**PROS**
* multi domain
* using webservers
* full setup
**CONS**
* no package usage, direct provider upstream
* just commands no explanations
* only http-01 methods
#### requirements
* the domain (here we use venenux.com) must has valid DNS
* alpine must be 3.8+ recomended 3.10 or 3.12
#### instalation
```
apk del acme.sh
apk add openssl curl wget bash
wget https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated -O /usr/bin/dehydrated
chmod 755 /usr/bin/dehydrated
```
#### main configuration
```
mkdir -p /etc/dehydrated/
cat > /etc/dehydrated/config << EOF
CONFIG_D=/etc/dehydrated/conf.d
BASEDIR=/var/lib/dehydrated
WELLKNOWN="\${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/domains.txt"
EOF
mkdir -p /etc/dehydrated/conf.d
cat > /etc/dehydrated/domains.txt << EOF
venenux.com www.venenux.com altern.venenux.com
EOF
cat > /etc/dehydrated/conf.d/00_defaultaccount.sh << EOF
CONTACT_EMAIL="mckaygerhard@venenux.com"
EOF
mkdir -p /var/lib/dehydrated/certs
mkdir -p /var/lib/dehydrated/acme-challenges/
mkdir -p /var/lib/dehydrated/hooks.d
cat > /var/lib/dehydrated/hooks.sh << EOF
#!/bin/bash
for file in /var/lib/dehydrated/hooks.d/*
do
if [ -f "\${file}" ]; then
\${file} "\$@"
fi
done
EOF
chmod +x /var/lib/dehydrated/hooks.sh
mkdir /etc/dehydrated/conf.d/
cat > /etc/dehydrated/conf.d/01_defaulthooks.sh << EOF
HOOK="/var/lib/dehydrated/hooks.sh"
EOF
/usr/bin/dehydrated --register --accept-terms --challenge http-01
```
#### initial cert file
```
mkdir -p /etc/ssl/certs/
openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
-subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=localhost" \
-keyout /etc/ssl/certs/localhost.pem -out /etc/ssl/certs/localhost.pem
chmod 640 /etc/ssl/certs/localhost.pem
chown root:www-data /etc/ssl/certs/localhost.pem
cp /etc/ssl/certs/localhost.pem /etc/ssl/certs/venenux.com.pem
```
#### setup for lighttpd
```
apk add lighttpd
sed -i -r 's#alias.url =#alias.url +=#g' /etc/lighttpd/mod_cgi.conf
cat > /etc/lighttpd/mod_dehydrated.conf << EOF
alias.url += (
"/.well-known/acme-challenge/" => "/var/lib/dehydrated/acme-challenges/",
)
EOF
itawxrc="";itawxrc=$(grep 'include "mod_dehydrated.conf' /etc/lighttpd/lighttpd.conf);[[ "$itawxrc" != "" ]] && echo listo || sed -i -r 's#.*include "mime-types.conf".*#include "mime-types.conf"\ninclude "mod_dehydrated.conf"#g' /etc/lighttpd/lighttpd.conf
rc-service lighttpd restart
cat > /etc/lighttpd/mod_ssl.conf << EOF
server.modules += ("mod_openssl")
\$HTTP["scheme"] == "http" {
\$HTTP["host"] =~ ".*" {
url.redirect += (".*" => "https://%0\$0")
}
}
\$SERVER["socket"] == "0.0.0.0:443" {
include "mod_ssl_conf.conf"
}
\$SERVER["socket"] == "[::]:443" {
server.use-ipv6 = "enable"
include "mod_ssl_conf.conf"
}
EOF
cat > mod_ssl_conf.conf << EOF
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/certs/localhost.pem"
\$HTTP["host"] =~ "(^other|www\.venenux.com)" {
ssl.pemfile = "/etc/ssl/certs/venenux.com.pem"
}
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"
EOF
rc-service lighttpd restart
```
#### setup for apache2
#### periodic updates
```
rm /etc/periodic/*/dehydrated*
cat > /etc/periodic/monthly/dehydrated << EOF
#!/bin/bash
/usr/bin/dehydrated --cleanup
/usr/bin/dehydrated -x --cron --challenge http-01 --force
cp -f /var/lib/dehydrated/certs/venenux.com/combined.pem /etc/ssl/certs/venenux.com.pem
chmod 640 /etc/ssl/certs/venenux.com.pem
chown root:www-data /etc/ssl/certs/venenux.com.pem
/sbin/service lighttpd restart
/sbin/service nginx restart
/sbin/service apache2 restart
EOF
chmod 755 /etc/periodic/monthly/dehydrated
```
#### executing and testing
```
/etc/periodic/monthly/dehydrated
```
### Anexes : combined pem hook
```
#!/usr/bin/env bash
deploy_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
echo "Executing deploy_cert hook $0"
echo " + Creating combined.pem (a combined privkey.pem + cert.pem)"
cd "$(dirname "${CERTFILE}")" && {
cat "${KEYFILE}" "${CERTFILE}" > "combined-${TIMESTAMP}.pem" && \
ln -sf "combined-${TIMESTAMP}.pem" "combined.pem" && {
# Loop over all files of this type
for filename in "combined-"*".pem"; do
# Check if current file is in use, remove if unused
if [[ ! "${filename}" = "combined-${TIMESTAMP}.pem" ]]; then
echo " + Removing unused combined certificate file: ${filename}"
rm "${filename}"
fi
done
}
}
}
HANDLER="$1"; shift
if [[ "${HANDLER}" = "deploy_cert" ]]; then
"$HANDLER" "$@"
fi
tutorial - fix apache2 port config missing
2022-08-26 23:22:45 +02:00
```
## see also
- 🗯 IRC
- 💬 `##alpine_telegram_english`
- 💬 `#alpine_linux_english`
- 📱 Telegram https://t.me/alpine_linux
- 🇬🇧 https://t.me/alpine_linux_english
- 🇷🇺 https://t.me/alpine_linux_pycckuu (dual english russian, low activity)
- 🇨🇴 https://t.me/alpine_linux_espanol
- 🇧🇬 https://t.me/alpine_linux_bulgarian (dual english bulgarian, low activity)
- 🇨🇳 https://t.me/alpine_linux_chinese (dual english chinese, low activity)
- 📡 https://t.me/opentechnologies (open languajes but english as main)
- Matrix
- 👥 https://matrix.to/#/#alpine-linux-english:matrix.org
# LICENSE
**CC BY-NC-SA**: the project allows reusers to distribute, remix, adapt, and build upon the material
in any medium or format for noncommercial purposes only, and only so long as attribution is given
to the creators involved. If you remix, adapt, or build upon the material, you must license the modified
material under identical terms, includes the following elements:
* **BY** Credit must be given to the creator of each content respectivelly, starting at the first contributor.
* **NC** Only noncommercial uses of the work are permitted, with exceptions if you fill an issue here!
* **SA** Adaptations must be shared under the same terms, you must obey this terms and do not change it.
For more information check the [alpine/copyright.md](../../alpine/copyright.md)
Reference in New Issue Copy Permalink