-
-
Save Nothing4You/ecbb69d2270e36bac88cfcab9cf736ef to your computer and use it in GitHub Desktop.
Set up LetsEncrypt using acme.sh without root on OpenBSD
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Modified for OpenBSD | |
| # Assumes being root | |
| # Requires curl to be installed, wget can also be used, relevant commands need to be adjusted. acme.sh supports both. | |
| # Configured to use Cloudflare DNS for verification | |
| # How to use "acme.sh" to set up Lets Encrypt without root permissions | |
| # See https://github.com/Neilpang/acme.sh for more | |
| # This assumes that your website has a webroot at "/var/www/<domain>" | |
| # I'll use the domain "EXAMPLE.com" as an example | |
| # When this is done, there will be an "acme" user that handles issuing, | |
| # updating, and installing certificates. This account will have the following | |
| # (fairly minimal) permissions: | |
| # - Host files at http://EXAMPLE.com/.well-known/acme-challenge | |
| # - Copy certificates to /etc/nginx/auth-acme | |
| # - Reload your nginx server | |
| # First things first - create a user account for acme | |
| useradd -m -d /home/acme -s /sbin/nologin -g www acme | |
| chmod 700 /home/acme | |
| # Create a directory for the acme account to save certs in | |
| mkdir /etc/nginx/ssl | |
| chown acme.www /etc/nginx/ssl | |
| chmod 710 /etc/nginx/ssl | |
| # Also make sure the acme user has at least eXecute permissions on all parent | |
| # directories of this directory. This will generally be true by default. | |
| # Edit your doas.conf to allow the acme user to reload (not restart) nginx | |
| echo 'permit nopass acme cmd /etc/rc.d/nginx args reload' >> /etc/doas.conf | |
| # Now change to the ACME user - you'll do most of the rest of this guide as them | |
| su - -s /usr/local/bin/bash acme | |
| export HOME=/home/acme | |
| cd /home/acme | |
| # Install acme.sh | |
| curl -Lo acme.tar.gz https://github.com/Neilpang/acme.sh/archive/master.tar.gz | |
| tar xzvf acme.tar.gz | |
| cd acme.sh-master | |
| ./acme.sh --install | |
| # Add account email - optional | |
| echo "ACCOUNT_EMAIL='acme@example.com'" >> /home/acme/.acme.sh/account.conf | |
| # Add Cloudflare api details | |
| echo "SAVED_CF_Email='cloudflare@example.com'" >> /home/acme/.acme.sh/account.conf | |
| echo "SAVED_CF_Key='...'" >> /home/acme/.acme.sh/account.conf | |
| # Create script for easier certificate issuance - in this case I always | |
| # request example.com and www.example.com, just remove this if you don't | |
| # want www.example.com: -d 'www.$1' | |
| echo '#!/bin/sh' > /home/acme/acme-nginx | |
| echo '/home/acme/.acme.sh/acme.sh --issue --dns dns_cf -d "$1" -d "www.$1" && /home/acme/.acme.sh/acme.sh --installcert -d "$1" --fullchainpath "/etc/nginx/ssl/$1.pem" --keypath "/etc/nginx/ssl/$1.key" --capath "/etc/nginx/ssl/$1.ca" --reloadcmd "doas /etc/rc.d/nginx reload"' >> /home/acme/acme-nginx | |
| chmod +x /home/acme/acme-nginx | |
| # Create your first certificate (from here on is roughly what you'll repeat) | |
| /home/acme/acme-nginx example.com | |
| # Drop back to root | |
| exit | |
| # Now modify your nginx config to work with the new certs | |
| vi /etc/nginx/sites-enabled/EXAMPLE.com | |
| # Example SSL config section | |
| server { | |
| ... | |
| ssl_certificate /etc/nginx/ssl/EXAMPLE.com.crt; | |
| ssl_certificate_key /etc/nginx/ssl/EXAMPLE.com.key; | |
| ssl_trusted_certificate /etc/nginx/ssl/EXAMPLE.com.ca; | |
| ... | |
| } | |
| # Test nginx | |
| nginx -t | |
| # And reload if it worked | |
| /etc/rc.d/nginx reload | |
| # Congrats, you have letsencrypt and acme.sh isn't running as root on your box. | |
| # Don't forget to back up /home/acme/.acme.sh - it has your letsencrypt account keys! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment