1. Letsencrypt/dehydrated

https://github.com/lukas2511/dehydrated

1.1. The basics only go as far as obtaining the certificate

Let's try obtaining a certificate for /www.qmail.jp.

I can find no explanation of how to deploy the certificate once it has been obtained. -- ToshinoriMaeno 2019-01-25 13:40:40

---

letsencrypt/acme client implemented as a shell-script – just add water https://dehydrated.io

Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:

 --version (-v)                   Print version information
 --register                       Register account key
 --account                        Update account contact information
 --cron (-c)                      Sign/renew non-existent/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

1.2. Explanation

https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/

Following this explanation is a hassle. -- ToshinoriMaeno 2019-01-20 12:33:57

http-01 verification: probably easy if you are already running an ordinary web server (nginx etc.).

If you only have one docroot on your server, you could easily do something like WELLKNOWN=/var/www/.well-known/acme-challenge; for anything else look at the example below.

Nginx example config

The original author's explanation is terse, too.

Lighttpd example config
  With Lighttpd just add this to your config, and it should work in any VHost:

    modules += "alias"
    alias.url += (
     "/.well-known/acme-challenge/" => "/var/www/dehydrated/"
    )

1.3. DNS challenge

If you are comfortable with DNS, this one, /DNS-01, is probably the easier route.

dns-01 challenge

This script also supports the new dns-01-type verification. This type of verification requires you to be able to create a specific TXT DNS record for each hostname included in the certificate.

You need a hook script that deploys the challenge to your DNS server!

The hook script (indicated in the config file or the --hook/-k command line argument) gets four arguments: an operation name (clean_challenge, deploy_challenge, or deploy_cert) and some operands for that. For deploy_challenge $2 is the domain name for which the certificate is required, $3 is a "challenge token" (the token filename, which is not needed for dns-01), and $4 is the token value which needs to be inserted in a TXT record for the domain (at _acme-challenge.<domain>).

1.4. wildcard

https://erdgeist.org/posts/2018/wild-wild-certs.html

1.5. Just add water

https://erdgeist.org/posts/2017/just-add-water.html


Finally, you need to add the actual code to your hooks. I just modified the file hook.sh in /usr/local/etc/dehydrated/ to read, in the deploy_challenge() { function,

    # one TXT record in tinydns data syntax ('fqdn:text:ttl); no backslash before the quote
    printf "'_acme-challenge.%s:%s:120\n" "${DOMAIN}" "${TOKEN_VALUE}" >> /etc/tinydns/root/data
    cd /etc/tinydns/root/
    # tinydns-data rewrites data.cdb itself (atomically); redirecting into data.cdb truncates the live file
    tinydns-data

and for later cleanup in the clean_challenge() { function I added

    # BSD sed syntax (-i with empty suffix; GNU sed: plain -i); removes all pending challenges at once
    sed -E -i '' '/_acme-challenge/d' /etc/tinydns/root/data
    cd /etc/tinydns/root/
    tinydns-data
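As an added example (not code from this page, from erdgeist's post, or from the dehydrated project), here is the whole hook.sh that the two quoted fragments above and the dns-01 hook description in 1.3 assume, written for a tinydns data file. The argument layout follows dehydrated's hook interface; the paths, the TINYDNS_ROOT/TINYDNS_DATA/CERT_DEST/RELOAD_CMD/TXT_TTL knobs and the deploy_cert handling are this example's own assumptions. It differs from the quoted fragments in three ways: it validates the token value before writing it into the data file, it removes only the record it added (so two challenges for the same name, as a wildcard plus base-name certificate needs, can coexist), and it lets tinydns-data replace data.cdb by itself.

```shell
#!/bin/sh
# Added example: a complete dehydrated hook for dns-01 backed by a tinydns data file.
# Not from the page or the dehydrated project; all paths and knobs below are assumptions
# and can be overridden through the environment.
#
# dehydrated calls:  hook.sh <operation> <args...>
#   deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE   (triples repeat when HOOK_CHAIN="yes")
#   clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE   (same layout)
#   deploy_cert      DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP

TINYDNS_ROOT="${TINYDNS_ROOT:-/etc/tinydns/root}"  # holds tinydns's data and data.cdb
TINYDNS_DATA="${TINYDNS_DATA:-tinydns-data}"       # rebuild command; 'true' for a dry run
CERT_DEST="${CERT_DEST:-/etc/ssl/dehydrated}"      # where deploy_cert installs key + chain
RELOAD_CMD="${RELOAD_CMD:-}"                       # e.g. "svc -h /service/sslserver"; empty: none
TXT_TTL="${TXT_TTL:-120}"

# Accept only base64url (what ACME issues), so a hostile value cannot smuggle a
# newline (a new record) or ':' (a new field) into the data file.
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# One tinydns TXT record: 'fqdn:text:ttl  (a leading ' is the TXT type in tinydns data)
txt_line() {
    safe_token "$2" || { echo "hook: refusing unsafe token value for $1" >&2; return 1; }
    printf "'_acme-challenge.%s:%s:%s\n" "$1" "$2" "$TXT_TTL"
}

# Drop exactly the given line (fixed string, whole line); every other record stays.
remove_line() {
    grep -Fxv -- "$1" "$TINYDNS_ROOT/data" > "$TINYDNS_ROOT/data.new" || true  # 1 = nothing left
    mv "$TINYDNS_ROOT/data.new" "$TINYDNS_ROOT/data"
}

# tinydns-data reads ./data and atomically replaces ./data.cdb (data.tmp + rename).
# Do not redirect its stdout into data.cdb: that truncates the live database first.
rebuild_cdb() {
    ( cd "$TINYDNS_ROOT" && "$TINYDNS_DATA" )
}

hook() {
    op="$1"; shift
    case "$op" in
        deploy_challenge)
            while [ $# -ge 3 ]; do
                txt_line "$1" "$3" >> "$TINYDNS_ROOT/data" || return 1
                shift 3
            done
            rebuild_cdb ;;
        clean_challenge)
            while [ $# -ge 3 ]; do
                line=$(txt_line "$1" "$3") || return 1
                remove_line "$line"
                shift 3
            done
            rebuild_cdb ;;
        deploy_cert)
            # $1 domain, $2 private key, $3 cert, $4 full chain, $5 chain, $6 timestamp
            umask 077
            mkdir -p "$CERT_DEST/$1"
            cp "$2" "$CERT_DEST/$1/privkey.pem"
            cp "$4" "$CERT_DEST/$1/fullchain.pem"
            chmod 600 "$CERT_DEST/$1/privkey.pem"
            if [ -n "$RELOAD_CMD" ]; then $RELOAD_CMD; fi ;;
        *) : ;;  # unchanged_cert, startup_hook, exit_hook, ...: nothing to do here
    esac
}

# Dispatch only when an operation was given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    hook "$@"
fi
```

Point the config at it with CHALLENGETYPE="dns-01" and HOOK=/usr/local/etc/dehydrated/hook.sh (HOOK_CHAIN="yes" if you want one call per certificate), register once with dehydrated --register --accept-terms, and from then on dehydrated -c issues and renews. Because the tinydns serving the zone reads the rebuilt data.cdb immediately, no propagation wait is needed; if secondaries also answer for the zone, add a delay (or a check with dig against each of them) before returning from deploy_challenge, otherwise Let's Encrypt may query a server that does not have the record yet.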

1.6. config

The config file is looked for in the following order:

    /etc/dehydrated/config
    /usr/local/etc/dehydrated/config
    The current working directory of your shell
    The directory from which dehydrated was run