Projekt

Allgemein

Profil

Setup dehydrated » Historie » Version 2

Jeremias Keihsler, 28.07.2025 20:31

1 1 Jeremias Keihsler
h1. Install Procedure for dehydrated
2
3
h2. Requirements
4
5
To install logwatch you will need the following:
6
* a installed and supported operating system (e.g. CentOS 9.x)
7
* [[repo_epel|EPEL repository]]
8
* root-access
9
* a fast internet connection
10
11
h2. Preliminary Note
12
13
partly taken from: https://bob.gatsmas.de/let-s-encrypt-mit-nginx-und-dehydrated
14
the staging environment link is (as of 2021-09-22) https://acme-staging-v02.api.letsencrypt.org/directory
15
16
h2. Install 
17
18
Install @dehydrated@:
19
20
<pre><code class="shell">
21 2 Jeremias Keihsler
dnf install openssl curl sed grep mktemp
22
dnf install dehydrated
23 1 Jeremias Keihsler
</code></pre>
24
25
h2. Configure nginx
26
27
im http-Bereich (Port 80) des jeweiligen Servers
28
29
<pre><code class="shell">
30
location /.well-known/acme-challenge {
31
      alias /var/www/dehydrated;
32
}
33
</code></pre>
34
35
<pre><code class="shell">
36
mkdir -p /var/www/dehydrated
37
systemctl restart nginx
38
</code></pre>
39
40
h2. Test nginx
41
42
<pre><code class="shell">
43
echo "Test OK" > /var/www/dehydrated/test.html
44
</code></pre>
45
46
try to get the file from somewhere else
47
48
<pre><code class="shell">
49
curl http://subdomain.example.com/.well-known/acme-challenge/test.html
50
</code></pre>
51
52
h2. Configure dehydrated
53
54
add domains to @/etc/dehydrated/domains.txt@
55
56
<pre>
57
hostXX.example.com
58
</pre>
59
60
add contact-email-adr to @/etc/dehydrated/config@
61
62
<pre>
63
CONTACT_EMAIL=user@example.com
64
</pre>
65
66
h2. register with AMCE-Server (Let's Encrypt)
67
68
<pre><code class="shell">
69
dehydrated --register --accept-terms
70
</code></pre>
71
72
h2. get certs
73
74
<pre><code class="shell">
75
dehydrated -c
76
</code></pre>
77
78
force renew, regardless of age
79
80
<pre><code class="shell">
81
dehydrated -c -x
82
</code></pre>
83
84
h2. Configure nginx-ssl
85
86
<pre>
87
server {
88
        listen       443 ssl http2;
89
        listen       [::]:443 ssl http2;
90
        server_name  hostXX.example.com;
91
        root         /usr/share/nginx/html;
92
93
        #ssl_certificate "/etc/pki/nginx/server.crt";
94
        #ssl_certificate_key "/etc/pki/nginx/private/server.key";
95
        ssl_certificate "/etc/dehydrated/certs/hostXX.example.com/fullchain.pem";
96
        ssl_certificate_key "/etc/dehydrated/certs/hostXX.example.com/privkey.pem";
97
        ssl_session_cache shared:SSL:1m;
98
        ssl_session_timeout  10m;
99
        ssl_ciphers PROFILE=SYSTEM;
100
        ssl_prefer_server_ciphers on;
101
102
        # Load configuration files for the default server block.
103
        include /etc/nginx/default.d/*.conf;
104
105
        location / {
106
        }
107
108
        error_page 404 /404.html;
109
            location = /40x.html {
110
        }
111
112
        error_page 500 502 503 504 /50x.html;
113
            location = /50x.html {
114
        }
115
    }
116
</pre>
117
118
h2. issues/troubleshooting
119
120
h3. certs are renewed but nginx is not picking them up
121
122
restart nginx service
123
124
dehydrated is run as a static service and should invoke a restart-hook with nginx. 
125
It worked ok so far, I ran into this the first/only time 2022-03-22.