----------------------------------------
acme.sh shenanigans
March 29th, 2018
----------------------------------------
These are notes to myself on how I finally got acme.sh and nginx
to play nice.
Step 1: Generate a cert

I'm using the namesilo api method here, so this part is simple.
--dnssleep 900 tells acme.sh to wait 900 seconds for the new TXT
record to propagate before it asks the CA to validate the domain.

    acme.sh --issue --dns dns_namesilo --dnssleep 900 \
        -d tomasino.org -d www.tomasino.org -w /var/www
Step 2: Create a place to put those certs

This part was a struggle. Since acme.sh doesn't need root to run,
I wasn't sure where to go. Eventually I settled on creating a
directory at /etc/nginx/acme.sh/domain/ and changed ownership to
www-data:www-data. I'm a member of that group and nginx works with
that too, so it should be good. One caveat: nginx loads the
certificate and private key in its master process, which runs as
root, so the worker user (www-data on Debian) never needs to read
the key. Making the key readable by www-data means any web
application running as that user can read it. A directory owned by
the acme.sh user with mode 0750 and a key file with mode 0600 is
enough for both acme.sh (which writes it) and nginx (which reads
it as root).
Step 3: Install the certs

This is poorly documented pretty much everywhere. It copies the
files from the .acme.sh directory in your home folder to wherever
you define here, and it records those paths, so every renewal from
the cron job repeats the copy and runs the reload command again.
The reload command runs as whichever user runs acme.sh (the user
whose crontab holds the acme.sh job). If that is root, no sudo is
needed; if acme.sh runs as an unprivileged user, prefix the
command with sudo and add a NOPASSWD sudoers rule for exactly that
command.

    acme.sh --install-cert -d tomasino.org \
        --key-file       /etc/nginx/acme.sh/tomasino.org/key.pem \
        --cert-file      /etc/nginx/acme.sh/tomasino.org/cert.pem \
        --fullchain-file /etc/nginx/acme.sh/tomasino.org/fullchain.pem \
        --reloadcmd      "service nginx force-reload"
Step 4: Set up the nginx configuration

First, a server directive on port 80 that just redirects to the
ssl version.

Second, listen on 443, add a bunch of headers, set up ssl
protocols, ciphers, link to the cert, key, and trusted cert
(fullchain). Etc, etc... Point ssl_certificate at fullchain.pem
rather than cert.pem, otherwise clients that don't already have
the intermediate certificate cannot build the chain;
ssl_trusted_certificate is what nginx uses to verify stapled OCSP
responses (and client certificates, if you enable those).
Step 5: Restart/Start nginx

Hopefully it doesn't crap out on you like it did for me 5,000
times. Running nginx -t first reports configuration errors
without touching the running server.
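Steps 2 through 5 above, collected into one script. This is an added example, not code from the original notes; it assumes (my assumptions, not the author's) that acme.sh runs as an unprivileged user named in ACME_USER, that nginx's master process runs as root, that the site root is /var/www and that nginx uses the Debian sites-available/sites-enabled layout. The TLS protocol, cipher and header settings are my choices, not anything the notes prescribe. The helper names (setup_cert_dir, install_cert, render_nginx_conf, sudoers_line, apply) are hypothetical.

```shell
#!/bin/sh
# Added example for the acme.sh + nginx notes; not part of the original post.
# Assumptions: acme.sh runs as ACME_USER (unprivileged), nginx's master
# process runs as root, site root is /var/www, Debian sites-available layout.
# Nothing is applied unless RUN=1 is set; the functions are safe to source.
set -eu

DOMAIN="${DOMAIN:-tomasino.org}"
ACME_USER="${ACME_USER:-$(id -un)}"
CERT_DIR="${CERT_DIR:-/etc/nginx/acme.sh/$DOMAIN}"
NGINX_CONF="${NGINX_CONF:-/etc/nginx/sites-available/$DOMAIN}"

# Step 2: a directory the acme.sh user can write and root can read.
# nginx reads the key in its root master process, so www-data is kept out;
# a compromised web app running as www-data then cannot read the key.
setup_cert_dir() {
    dir="$1"; owner="$2"; group="$3"
    mkdir -p "$dir"
    chown "$owner:$group" "$dir"
    chmod 0750 "$dir"
}

# Step 3: the reload command runs as the user running acme.sh, so it needs
# sudo unless that user is root. sudoers_line prints the matching rule
# (hypothetical helper; install it with visudo -f /etc/sudoers.d/acme).
reload_cmd() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "service nginx force-reload"
    else
        echo "sudo /usr/sbin/service nginx force-reload"
    fi
}

sudoers_line() {
    echo "$1 ALL=(root) NOPASSWD: /usr/sbin/service nginx force-reload"
}

install_cert() {
    domain="$1"; dir="$2"
    acme.sh --install-cert -d "$domain" \
        --key-file       "$dir/key.pem" \
        --cert-file      "$dir/cert.pem" \
        --fullchain-file "$dir/fullchain.pem" \
        --reloadcmd      "$(reload_cmd)"
    chmod 0600 "$dir/key.pem"   # root reads it regardless; nobody else needs to
}

# Step 4: render the port-80 redirect and the port-443 TLS server block.
# TLS settings are my choices; drop TLSv1.3 on nginx < 1.13 / OpenSSL < 1.1.1.
render_nginx_conf() {
    domain="$1"; dir="$2"; root="${3:-/var/www}"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $domain www.$domain;
    root $root;

    ssl_certificate         $dir/fullchain.pem;
    ssl_certificate_key     $dir/key.pem;
    ssl_trusted_certificate $dir/fullchain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
}
EOF
}

# Step 5: test the config before reloading so a typo never takes the site down.
apply() {
    setup_cert_dir "$CERT_DIR" "$ACME_USER" root
    install_cert "$DOMAIN" "$CERT_DIR"
    render_nginx_conf "$DOMAIN" "$CERT_DIR" > "$NGINX_CONF"
    ln -sf "$NGINX_CONF" "/etc/nginx/sites-enabled/$DOMAIN"
    nginx -t && service nginx force-reload
}

if [ "${RUN:-0}" = 1 ]; then apply; fi
```

Run it as `RUN=1 DOMAIN=tomasino.org ACME_USER=acme sh ./acme-nginx.sh` from a root shell; without RUN=1 it only defines the functions, so you can source it and call render_nginx_conf to inspect the generated server blocks first.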