DokuWiki » Infrastructure » Operating System » CentOS 9

h1. Install Procedure for dehydrated

h2. Requirements

To install logwatch you will need the following:

* a installed and supported operating system (e.g. CentOS 9.x)

* [[repo_epel|EPEL repository]]

* root-access

* a fast internet connection

h2. Preliminary Note

partly taken from: https://bob.gatsmas.de/let-s-encrypt-mit-nginx-und-dehydrated

the staging environment link is (as of 2021-09-22) https://acme-staging-v02.api.letsencrypt.org/directory

h2. Install 

Install @dehydrated@:

<pre><code class="shell">

dnf install openssl curl sed grep mktemp

dnf install dehydrated

</code></pre>

h2. Configure nginx

im http-Bereich (Port 80) des jeweiligen Servers

<pre><code class="shell">

location /.well-known/acme-challenge {

      alias /var/www/dehydrated;

}

</code></pre>

<pre><code class="shell">

mkdir -p /var/www/dehydrated

systemctl restart nginx

</code></pre>

h2. Test nginx

<pre><code class="shell">

echo "Test OK" > /var/www/dehydrated/test.html

</code></pre>

try to get the file from somewhere else

<pre><code class="shell">

curl http://subdomain.example.com/.well-known/acme-challenge/test.html

</code></pre>

h2. Configure dehydrated

add domains to @/etc/dehydrated/domains.txt@

<pre>

hostXX.example.com

</pre>

add contact-email-adr to @/etc/dehydrated/config@

<pre>

CONTACT_EMAIL=user@example.com

</pre>

h2. register with AMCE-Server (Let's Encrypt)

<pre><code class="shell">

dehydrated --register --accept-terms

</code></pre>

h2. get certs

<pre><code class="shell">

dehydrated -c

</code></pre>

force renew, regardless of age

<pre><code class="shell">

dehydrated -c -x

</code></pre>

h2. Configure nginx-ssl

<pre>

server {

        listen       443 ssl http2;

        listen       [::]:443 ssl http2;

        server_name  hostXX.example.com;

        root         /usr/share/nginx/html;

        #ssl_certificate "/etc/pki/nginx/server.crt";

        #ssl_certificate_key "/etc/pki/nginx/private/server.key";

        ssl_certificate "/etc/dehydrated/certs/hostXX.example.com/fullchain.pem";

        ssl_certificate_key "/etc/dehydrated/certs/hostXX.example.com/privkey.pem";

        ssl_session_cache shared:SSL:1m;

        ssl_session_timeout  10m;

        ssl_ciphers PROFILE=SYSTEM;

        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.

        include /etc/nginx/default.d/*.conf;

        location / {

        }

        error_page 404 /404.html;

            location = /40x.html {

        }

        error_page 500 502 503 504 /50x.html;

            location = /50x.html {

        }

    }

</pre>

h2. issues/troubleshooting

h3. certs are renewed but nginx is not picking them up

restart nginx service

dehydrated is run as a static service and should invoke a restart-hook with nginx. 

It worked ok so far, I ran into this the first/only time 2022-03-22.