Aktionen
Install Procedure for dehydrated¶
Requirements¶
To install logwatch you will need the following:- a installed and supported operating system (e.g. CentOS 8.x)
- EPEL repository
- root-access
- a fast internet connection
Preliminary Note¶
partly taken from: https://bob.gatsmas.de/let-s-encrypt-mit-nginx-und-dehydrated
the staging environment link is (as of 2021-09-22) https://acme-staging-v02.api.letsencrypt.org/directory
Install¶
Install dehydrated
:
yum install openssl curl sed grep mktemp
yum install dehydrated
Configure nginx¶
im http-Bereich (Port 80) des jeweiligen Servers
location /.well-known/acme-challenge {
alias /var/www/dehydrated;
}
mkdir -p /var/www/dehydrated
systemctl restart nginx
Test nginx¶
echo "Test OK" > /var/www/dehydrated/test.html
try to get the file from somewhere else
curl http://subdomain.example.com/.well-known/acme-challenge/test.html
Configure dehydrated¶
add domains to /etc/dehydrated/domains.txt
hostXX.example.com
add contact-email-adr to /etc/dehydrated/config
CONTACT_EMAIL=user@example.com
register with AMCE-Server (Let's Encrypt)¶
dehydrated --register --accept-terms
get certs¶
dehydrated -c
force renew, regardless of age
dehydrated -c -x
Configure nginx-ssl¶
server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name hostXX.example.com; root /usr/share/nginx/html; #ssl_certificate "/etc/pki/nginx/server.crt"; #ssl_certificate_key "/etc/pki/nginx/private/server.key"; ssl_certificate "/etc/dehydrated/certs/hostXX.example.com/fullchain.pem"; ssl_certificate_key "/etc/dehydrated/certs/hostXX.example.com/privkey.pem"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers PROFILE=SYSTEM; ssl_prefer_server_ciphers on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } }
issues/troubleshooting¶
certs are renewed but nginx is not picking them up¶
restart nginx service
dehydrated is run as a static service and should invoke a restart-hook with nginx.
It worked ok so far, I ran into this the first/only time 2022-03-22.
Von Jeremias Keihsler vor mehr als 1 Jahr aktualisiert · 7 Revisionen