Version 7 - Historie - Setup dehydrated - CentOS 8 - OMB Redmine

Setup dehydrated » Historie » Version 7

Jeremias Keihsler, 20.09.2023 08:24

-Jeremias Keihsler
+h1. Install Procedure for dehydrated
 h2. Requirements
 To install logwatch you will need the following:
 * a installed and supported operating system (e.g. CentOS 8.x)
 * [[repo_epel|EPEL repository]]
 * root-access
 * a fast internet connection
 h2. Preliminary Note
-Jeremias Keihsler
+partly taken from: https://bob.gatsmas.de/let-s-encrypt-mit-nginx-und-dehydrated
-Jeremias Keihsler
+the staging environment link is (as of 2021-09-22) https://acme-staging-v02.api.letsencrypt.org/directory
 Jeremias Keihsler
-Jeremias Keihsler
+h2. Install
 Jeremias Keihsler
-Jeremias Keihsler
+Install @dehydrated@:
 Jeremias Keihsler
-Jeremias Keihsler
+<pre><code class="shell">
 yum install openssl curl sed grep mktemp
-Jeremias Keihsler
+yum install dehydrated
 </code></pre>
 Jeremias Keihsler
-Jeremias Keihsler
+h2. Configure nginx
 Jeremias Keihsler
-Jeremias Keihsler
+im http-Bereich (Port 80) des jeweiligen Servers
 Jeremias Keihsler
-Jeremias Keihsler
+<pre><code class="shell">
 location /.well-known/acme-challenge {
       alias /var/www/dehydrated;
+}
-Jeremias Keihsler
+</code></pre>
 Jeremias Keihsler
 <pre><code class="shell">
 mkdir -p /var/www/dehydrated
 systemctl restart nginx
 </code></pre>
 h2. Test nginx
 <pre><code class="shell">
 echo "Test OK" > /var/www/dehydrated/test.html
 </code></pre>
 try to get the file from somewhere else
 <pre><code class="shell">
 curl http://subdomain.example.com/.well-known/acme-challenge/test.html
 </code></pre>
 h2. Configure dehydrated
 add domains to @/etc/dehydrated/domains.txt@
-Jeremias Keihsler
+<pre>
-Jeremias Keihsler
+hostXX.example.com
 </pre>
 Jeremias Keihsler
-Jeremias Keihsler
+add contact-email-adr to @/etc/dehydrated/config@
 <pre>
 CONTACT_EMAIL=user@example.com
 </pre>
-Jeremias Keihsler
+h2. register with AMCE-Server (Let's Encrypt)
 <pre><code class="shell">
 dehydrated --register --accept-terms
 </code></pre>
 h2. get certs
 <pre><code class="shell">
 dehydrated -c
 </code></pre>
-Jeremias Keihsler
+force renew, regardless of age
 <pre><code class="shell">
 dehydrated -c -x
 </code></pre>
-Jeremias Keihsler
+h2. Configure nginx-ssl
 <pre>
 server {
         listen       443 ssl http2;
         listen       [::]:443 ssl http2;
         server_name  hostXX.example.com;
         root         /usr/share/nginx/html;
         #ssl_certificate "/etc/pki/nginx/server.crt";
         #ssl_certificate_key "/etc/pki/nginx/private/server.key";
         ssl_certificate "/etc/dehydrated/certs/hostXX.example.com/fullchain.pem";
         ssl_certificate_key "/etc/dehydrated/certs/hostXX.example.com/privkey.pem";
         ssl_session_cache shared:SSL:1m;
         ssl_session_timeout  10m;
         ssl_ciphers PROFILE=SYSTEM;
         ssl_prefer_server_ciphers on;
         # Load configuration files for the default server block.
         include /etc/nginx/default.d/*.conf;
         location / {
+        }
         error_page 404 /404.html;
             location = /40x.html {
+        }
         error_page 500 502 503 504 /50x.html;
             location = /50x.html {
+        }
+    }
-Jeremias Keihsler
+</pre>
 Jeremias Keihsler
 h2. issues/troubleshooting
 h3. certs are renewed but nginx is not picking them up
 restart nginx service
 dehydrated is run as a static service and should invoke a restart-hook with nginx.
 It worked ok so far, I ran into this the first/only time 2022-03-22.

Projekt

Allgemein

Profil

DokuWiki » Infrastructure » Operating System » CentOS 8

Setup dehydrated » Historie » Version 7