
Revision 4 (Jeremias Keihsler, 22.09.2021 08:20) → Revision 5/7 (Jeremias Keihsler, 22.03.2022 08:51)

h1. Install Procedure for dehydrated 

 h2. Requirements 

To install dehydrated you will need the following:
* an installed and supported operating system (e.g. CentOS 8.x)
* [[repo_epel|EPEL repository]]
* root access
* a fast internet connection

 h2. Preliminary Note 

Partly taken from: https://bob.gatsmas.de/let-s-encrypt-mit-nginx-und-dehydrated
The staging environment directory URL is (as of 2021-09-22) https://acme-staging-v02.api.letsencrypt.org/directory

 h2. Install  

 Install @dehydrated@: 

 <pre><code class="shell"> 
 yum install openssl curl sed grep mktemp 
 yum install dehydrated 
 </code></pre> 

 h2. Configure nginx 

In the http section (port 80) of the respective server block, add a location for the ACME challenge files:

<pre>
location /.well-known/acme-challenge {
      alias /var/www/dehydrated;
}
</pre>

 <pre><code class="shell"> 
 mkdir -p /var/www/dehydrated 
 systemctl restart nginx 
 </code></pre> 

 h2. Test nginx 

 <pre><code class="shell"> 
 echo "Test OK" > /var/www/dehydrated/test.html 
 </code></pre> 

Try to fetch the file from another host:

 <pre><code class="shell"> 
 curl http://subdomain.example.com/.well-known/acme-challenge/test.html 
 </code></pre> 

 h2. Configure dehydrated 

Add the domains to @/etc/dehydrated/domains.txt@ (one per line):

 <pre> 
 hostXX.example.com 
 </pre> 

h2. register with ACME server (Let's Encrypt)

 <pre><code class="shell"> 
 dehydrated --register --accept-terms 
 </code></pre> 

 h2. get certs 

 <pre><code class="shell"> 
 dehydrated -c 
 </code></pre> 

 h2. Configure nginx-ssl 

<pre>
server {
    listen         443 ssl http2;
    listen         [::]:443 ssl http2;
    server_name    hostXX.example.com;
    root           /usr/share/nginx/html;

    #ssl_certificate "/etc/pki/nginx/server.crt";
    #ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_certificate "/etc/dehydrated/certs/hostXX.example.com/fullchain.pem";
    ssl_certificate_key "/etc/dehydrated/certs/hostXX.example.com/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout    10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
</pre>

 h2. issues/troubleshooting 

 h3. certs are renewed but nginx is not picking them up 

Restart the nginx service.

dehydrated is run as a static service and should invoke a restart hook for nginx.
It has worked OK so far; I ran into this for the first/only time on 2022-03-22.
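An added example of such a hook script (not from the original page or from the dehydrated project): it reloads nginx only after dehydrated has actually written a new certificate, and refuses to reload when the key or fullchain file is unreadable. It assumes the path /etc/dehydrated/hook.sh, that nginx is reloaded with @systemctl reload nginx@, and introduces the variable NGINX_RELOAD_CMD (not a dehydrated setting) so the script can be exercised without a running nginx.

```shell
#!/bin/sh
# Hook script for dehydrated, e.g. saved as /etc/dehydrated/hook.sh (path assumed)
# and enabled in /etc/dehydrated/config with:
#   HOOK="/etc/dehydrated/hook.sh"
# dehydrated invokes it as:  hook.sh <handler> <handler arguments...>

# Command that makes nginx re-read the certificate files. A reload is enough
# (no dropped connections). The variable only exists so the script can be
# exercised without a real nginx; it is an assumption, not a dehydrated setting.
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"

# Called by dehydrated after a certificate was issued or renewed.
# Arguments: DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    domain="$1"; keyfile="$2"; fullchainfile="$4"; timestamp="$6"
    # Do not reload nginx when the files it will be pointed at are unreadable;
    # the reload would fail and nginx would keep serving the old certificate.
    for f in "$keyfile" "$fullchainfile"; do
        if [ ! -r "$f" ]; then
            echo "hook: deploy_cert ${domain}: ${f} not readable, nginx not reloaded" >&2
            return 1
        fi
    done
    echo "hook: new certificate for ${domain} (issued ${timestamp}), reloading nginx"
    $NGINX_RELOAD_CMD
}

# Called when the certificate was still valid and nothing was renewed.
unchanged_cert() {
    echo "hook: certificate for $1 unchanged, nothing to do"
}

# Dispatch on the handler name. Only the handlers that matter for the
# webroot/HTTP-01 setup on this page are wired; everything else is ignored.
HANDLER="$1"
if [ -n "$HANDLER" ]; then
    shift
    case "$HANDLER" in
        deploy_cert|unchanged_cert) "$HANDLER" "$@" ;;
        *) ;;
    esac
fi
```

Run @dehydrated -c@ once after enabling the hook and check the journal for the "reloading nginx" line to confirm the hook is being called.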