Setup dehydrated (version 5)
Jeremias Keihsler, 22.03.2022 08:51
h1. Install Procedure for dehydrated

h2. Requirements

To install dehydrated you will need the following:

* an installed and supported operating system (e.g. CentOS 8.x)
* [[repo_epel|EPEL repository]]
* root access
* a fast internet connection

h2. Preliminary Note

partly taken from: https://bob.gatsmas.de/let-s-encrypt-mit-nginx-und-dehydrated
the staging environment link is (as of 2021-09-22) https://acme-staging-v02.api.letsencrypt.org/directory

h2. Install

Install @dehydrated@:

<pre><code class="shell">
yum install openssl curl sed grep mktemp
yum install dehydrated
</code></pre>

h2. Configure nginx

In the HTTP block (port 80) of the respective server, add a location that serves the ACME challenge directory:

<pre><code class="shell">
location /.well-known/acme-challenge {
    alias /var/www/dehydrated;
}
</code></pre>

<pre><code class="shell">
mkdir -p /var/www/dehydrated
systemctl restart nginx
</code></pre>

h2. Test nginx

<pre><code class="shell">
echo "Test OK" > /var/www/dehydrated/test.html
</code></pre>

Try to fetch the file from another host; the ACME server must be able to reach it over plain HTTP:

<pre><code class="shell">
curl http://subdomain.example.com/.well-known/acme-challenge/test.html
</code></pre>

h2. Configure dehydrated

Add your domains to @/etc/dehydrated/domains.txt@, one host per line:

<pre>
hostXX.example.com
</pre>

h2. Register with the ACME server (Let's Encrypt)

<pre><code class="shell">
dehydrated --register --accept-terms
</code></pre>

h2. Get certs

<pre><code class="shell">
dehydrated -c
</code></pre>

h2. Configure nginx-ssl

<pre>
server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  hostXX.example.com;
    root         /usr/share/nginx/html;

    #ssl_certificate "/etc/pki/nginx/server.crt";
    #ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_certificate "/etc/dehydrated/certs/hostXX.example.com/fullchain.pem";
    ssl_certificate_key "/etc/dehydrated/certs/hostXX.example.com/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
</pre>

h2. Issues/troubleshooting

h3. Certs are renewed but nginx is not picking them up

Restart the nginx service.

dehydrated is run as a static service and should invoke a restart hook for nginx.
It worked OK so far; I ran into this for the first/only time on 2022-03-22.
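The note above says dehydrated should invoke a restart hook for nginx. The script below is an added example of such a hook (it is not from the original page or from the dehydrated project). It assumes it is installed as @/etc/dehydrated/hook.sh@ and referenced from @/etc/dehydrated/config@ with @HOOK="/etc/dehydrated/hook.sh"@; the handler name and argument order (@deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP@) follow dehydrated's documented hook interface, while the @RELOAD_CMD@ and @NGINX_TEST_CMD@ variables are this example's own.

```shell
#!/usr/bin/env bash
# Added example hook for dehydrated (not part of the original page).
# dehydrated calls: hook.sh <handler> <args...>; deploy_cert is invoked once
# per domain whose certificate was (re)issued, which is the moment nginx has
# to be told to load the new fullchain.pem / privkey.pem.
# RELOAD_CMD and NGINX_TEST_CMD are this example's own, overridable variables.

RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    local domain="$1" keyfile="$2" certfile="$3" fullchainfile="$4"
    # Refuse to reload when the deployed files are missing or unreadable:
    # nginx would fail the reload and keep serving the old certificate anyway.
    for f in "$keyfile" "$certfile" "$fullchainfile"; do
        [ -r "$f" ] || { echo "hook: $domain: $f not readable, not reloading" >&2; return 1; }
    done
    # Validate the configuration first so a broken reload cannot take the
    # service down; only then ask nginx to re-read its certificates.
    $NGINX_TEST_CMD || return 1
    $RELOAD_CMD
}

# Every other handler dehydrated may call (deploy_challenge, clean_challenge,
# unchanged_cert, ...) is a no-op here and must exit 0, or dehydrated aborts.
hook_main() {
    local handler="$1"
    shift
    case "$handler" in
        deploy_cert) deploy_cert "$@" ;;
        *) return 0 ;;
    esac
}

# Dispatch only when dehydrated actually passes a handler name.
if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```

After installing it, @chmod 750 /etc/dehydrated/hook.sh@ and run @dehydrated -c@ once to confirm the reload happens without errors.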