Setup dehydrated » History » Revision 5
Revision 4 (Jeremias Keihsler, 22.09.2021 08:20) → Revision 5/7 (Jeremias Keihsler, 22.03.2022 08:51)
h1. Install Procedure for dehydrated
h2. Requirements
To install dehydrated you will need the following:
* an installed and supported operating system (e.g. CentOS 8.x)
* [[repo_epel|EPEL repository]] (the @dehydrated@ package comes from EPEL)
* root access
* a fast internet connection, and the host must be reachable from the internet on port 80 (the ACME http-01 challenge is validated over plain HTTP)
h2. Preliminary Note
partly taken from: https://bob.gatsmas.de/let-s-encrypt-mit-nginx-und-dehydrated
The staging environment URL is (as of 2021-09-22) https://acme-staging-v02.api.letsencrypt.org/directory . While testing the setup, point dehydrated at it by setting @CA=https://acme-staging-v02.api.letsencrypt.org/directory@ in @/etc/dehydrated/config@, so that failed attempts do not count against the production rate limits; remove the setting again before issuing real certificates.
h2. Install
Install @dehydrated@ and its runtime dependencies (@mktemp@ is part of @coreutils@ on CentOS 8 and has no package of its own, so it is not listed here):
<pre><code class="shell">
yum install openssl curl sed grep
yum install dehydrated
</code></pre>
h2. Configure nginx
In the plain-HTTP server block (port 80) of the server in question, add a location that serves the challenge files dehydrated writes to its webroot:
<pre><code class="shell">
location /.well-known/acme-challenge {
alias /var/www/dehydrated;
}
</code></pre>
<pre><code class="shell">
mkdir -p /var/www/dehydrated
systemctl restart nginx
</code></pre>
h2. Test nginx
<pre><code class="shell">
echo "Test OK" > /var/www/dehydrated/test.html
</code></pre>
Fetch the file from another host; the ACME server must be able to reach it over plain HTTP on port 80:
<pre><code class="shell">
curl http://subdomain.example.com/.well-known/acme-challenge/test.html
</code></pre>
h2. Configure dehydrated
Add the domains to @/etc/dehydrated/domains.txt@, one certificate per line: the first name on a line becomes the certificate's common name, any further space-separated names on the same line are added as subject alternative names:
<pre>
hostXX.example.com
</pre>
h2. Register with the ACME server (Let's Encrypt)
<pre><code class="shell">
dehydrated --register --accept-terms
</code></pre>
h2. Get certs
@-c@ (@--cron@) obtains or renews the certificates for every line in @domains.txt@; certificates that are not yet due for renewal are left alone:
<pre><code class="shell">
dehydrated -c
</code></pre>
h2. Configure nginx-ssl
Point the HTTPS server block at the certificate and key written by dehydrated (the commented-out lines are the distribution's self-signed placeholder certificate):
<pre>
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hostXX.example.com;
root /usr/share/nginx/html;
#ssl_certificate "/etc/pki/nginx/server.crt";
#ssl_certificate_key "/etc/pki/nginx/private/server.key";
ssl_certificate "/etc/dehydrated/certs/hostXX.example.com/fullchain.pem";
ssl_certificate_key "/etc/dehydrated/certs/hostXX.example.com/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
# cipher selection follows the system-wide crypto policy (update-crypto-policies)
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
</pre>
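The following script is an added example, not part of the original page or of the dehydrated project. It turns the manual checks of the steps above into something repeatable: it validates @domains.txt@ for the http-01 setup used here (wildcard names cannot be issued via http-01, and duplicates or malformed names fail the run), repeats the challenge-path test with a random token instead of @test.html@, and, after issuance and the nginx reload, confirms that the certificate nginx actually serves is the one dehydrated wrote. The paths @/var/www/dehydrated@ and @/etc/dehydrated@ are taken from the page; that @bash@, @curl@ and @openssl@ are installed and that the hostname resolves to this host is assumed.

```bash
#!/usr/bin/env bash
# Pre-flight and post-issuance checks for the nginx + dehydrated http-01 setup.
# Added example, not code from the dehydrated project or the original page.
# Assumptions: bash, curl and openssl are available; paths match the page.
set -u

WELLKNOWN="${WELLKNOWN:-/var/www/dehydrated}"          # webroot from the nginx "alias"
DOMAINS_TXT="${DOMAINS_TXT:-/etc/dehydrated/domains.txt}"
CERTDIR="${CERTDIR:-/etc/dehydrated/certs}"

# Validate domains.txt (read from stdin) for http-01: each line is "cn [san ...]",
# an optional "> alias" suffix is ignored. Rejects wildcards (they need dns-01),
# names with characters outside [a-z0-9.-] (lowercase only, so the duplicate
# check below can be a plain string comparison) and duplicate names. Returns 1
# if anything is wrong, after reporting every problem on stderr.
check_domains_txt() {
    local rc=0 seen="" line="" name=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                     # strip comments
        line="${line%%>*}"                     # strip "> alias"
        case "$line" in *[![:space:]]*) ;; *) continue ;; esac   # skip blank lines
        for name in $line; do
            case "$name" in
                \*.*)          echo "wildcard $name needs dns-01, not http-01" >&2; rc=1; continue ;;
                *[!a-z0-9.-]*) echo "invalid character in $name (lowercase only)" >&2; rc=1; continue ;;
                .*|*.|*..*)    echo "malformed name $name" >&2; rc=1; continue ;;
            esac
            case " $seen " in
                *" $name "*) echo "duplicate name $name" >&2; rc=1 ;;
                *)           seen="$seen $name" ;;
            esac
        done
    done
    return $rc
}

# The page's manual test with a random token: write a file below the webroot
# and fetch it back over plain HTTP. -L follows redirects, as the validation
# server does, so a redirect to https does not hide a working path.
check_challenge_path() {
    local domain="$1" token="" file="" body=""
    token="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    file="$WELLKNOWN/$token"
    echo "probe-$token" > "$file" || return 1
    body="$(curl -fsSL --max-time 10 "http://$domain/.well-known/acme-challenge/$token")"
    rm -f "$file"
    [ "$body" = "probe-$token" ]
}

# After "dehydrated -c" and the nginx reload: compare the SHA-256 fingerprint of
# the certificate on disk with the one nginx presents for the SNI name.
check_served_cert() {
    local domain="$1" ondisk="" served=""
    ondisk="$(openssl x509 -noout -fingerprint -sha256 -in "$CERTDIR/$domain/fullchain.pem")"
    served="$(openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
              | openssl x509 -noout -fingerprint -sha256)"
    [ -n "$ondisk" ] && [ "$ondisk" = "$served" ]
}

# Usage: ./check.sh preflight hostXX.example.com   (before "dehydrated -c")
#        ./check.sh verify    hostXX.example.com   (after the nginx reload)
case "${1:-}" in
    preflight) check_domains_txt < "$DOMAINS_TXT" && check_challenge_path "${2:?domain required}" ;;
    verify)    check_served_cert "${2:?domain required}" ;;
esac
```

Run @preflight@ once per host before the first @dehydrated -c@ and @verify@ after every reload; a @verify@ failure right after a successful renewal is exactly the symptom described in the troubleshooting section below, nginx still holding the old certificate in memory.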
h2. issues/troubleshooting
h3. certs are renewed but nginx is not picking them up
Reload (or restart) the nginx service; nginx reads the certificate files only at startup or on reload, so a renewed @fullchain.pem@ on disk is not served until then.
On the EPEL package dehydrated runs from a systemd timer (@dehydrated.timer@ triggering the static unit @dehydrated.service@), and it should call a hook script (@HOOK=@ in @/etc/dehydrated/config@) whose @deploy_cert@ function reloads nginx after a new certificate has been written; without such a hook the renewal succeeds silently and nginx keeps serving the old certificate until its next restart.
It worked OK so far; I ran into this for the first (and only) time on 2022-03-22.
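The hook script below is an added example, not code from the original page or from the dehydrated project; it is one way to close the gap described above. dehydrated invokes the hook as @hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP@ after writing a new certificate, @unchanged_cert@ when nothing was renewed and @exit_hook@ at the end. Before reloading, the script checks that the files dehydrated hands it exist and that the private key is not world-readable, and it runs @nginx -t@ so that a broken configuration is reported instead of taking the service down. The install path @/etc/dehydrated/hook.sh@ and the @NGINX_TEST@/@NGINX_RELOAD@ variables are assumptions of this example; the latter exist only so the functions can be exercised on a machine without nginx.

```bash
#!/usr/bin/env bash
# dehydrated hook script: reload nginx after a certificate has been deployed.
# Added example, not part of the dehydrated project or the original page.
# Assumptions: installed as /etc/dehydrated/hook.sh (chmod 750) and referenced
# by HOOK=/etc/dehydrated/hook.sh in /etc/dehydrated/config; nginx under systemd.
set -u

# Commands used to test and reload nginx; overridable for testing off-host.
NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"

# The files passed in must exist and be non-empty, and the private key must not
# be readable by "other" (find -perm -004 matches world-readable files).
check_cert_files() {
    local keyfile="$1" fullchain="$2"
    if [ ! -s "$keyfile" ] || [ ! -s "$fullchain" ]; then
        echo "hook: missing key or fullchain ($keyfile, $fullchain)" >&2
        return 1
    fi
    if [ -n "$(find "$keyfile" -perm -004 2>/dev/null)" ]; then
        echo "hook: $keyfile is world-readable, refusing to deploy" >&2
        return 1
    fi
    return 0
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    local domain="$1" keyfile="$2" fullchain="$4"
    check_cert_files "$keyfile" "$fullchain" || return 1
    # nginx already references these paths; make sure the config still parses
    # before reloading, otherwise a reload could leave nginx in a bad state.
    if ! $NGINX_TEST >/dev/null 2>&1; then
        echo "hook: nginx config test failed, not reloading for $domain" >&2
        return 1
    fi
    $NGINX_RELOAD && echo "hook: nginx reloaded with new certificate for $domain"
}

# unchanged_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
unchanged_cert() {
    echo "hook: certificate for $1 not due for renewal, nothing to do"
}

# exit_hook ERROR  (ERROR is empty when dehydrated finished without problems)
exit_hook() {
    [ -z "${1:-}" ] || echo "hook: dehydrated finished with error: $1" >&2
}

# Dispatch: run the handler named by the first argument if this script defines
# it; other hook points (deploy_challenge, clean_challenge, ...) are not needed
# for webroot-based http-01 and are silently ignored.
HANDLER="${1:-}"
shift 2>/dev/null || true
if [ -n "$HANDLER" ] && [ "$(type -t "$HANDLER" 2>/dev/null)" = "function" ]; then
    "$HANDLER" "$@"
fi
```

A @reload@ rather than a @restart@ is deliberate: nginx re-reads the certificate files and replaces its worker processes without dropping established connections. After installing the hook, @dehydrated -c --force@ on the staging CA is a quick way to see the @deploy_cert@ path run end to end.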