Знакомимся с ПО
https://dehydrated.io/, внимательно читаем мануал, что может и что делает.
Пример реализации.
1. создаем пользователя le1.
le:x:1001:1001::/opt/le:/bin/bash
1.
2.
git clone https://github.com/lukas2511/dehydrated.git /opt/dehydrated/
git pull origin master
Соответственно, не забывать, чтобы владельцем был пользователь le
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
root@srv-adm:~# ls -la /opt/le/letsencrypt/
total 156
drwxr-xr-x 7 le le 4096 Jun 3 01:00 .
drwxr-xr-x 4 le le 4096 Mar 27 2018 ..
drwx------ 3 le le 4096 Mar 22 2018 accounts
drwxr-xr-x 2 le le 4096 Mar 22 2018 .acme-challenges
drwx------ 7 le le 4096 May 4 2018 certs
drwx------ 7 le le 4096 Apr 14 2018 certs_rsa
drwx------ 2 le le 4096 Mar 22 2018 chains
-rw-r--r-- 1 root root 4494 May 4 2018 config
-rw-r--r-- 1 root root 4489 Mar 22 2018 config.bak_20180504
-rw-r--r-- 1 root root 4322 Mar 22 2018 config.default
-rw-r--r-- 1 root root 1644 Mar 22 2018 config.params.diff
-rwxr-xr-x 1 root root 64367 Mar 22 2018 dehydrated
-rw-r--r-- 1 root root 5661 Mar 22 2018 dehydrated.1
-rw-r--r-- 1 root root 140 Apr 13 2018 domains.txt
-rw-r--r-- 1 root root 73 Mar 22 2018 domains.txt.default
-rwxr-xr-x 1 avkoudinov avkoudinov 1092 Mar 22 2018 hook_regru_le.pl
-rwxr-xr-x 1 avkoudinov avkoudinov 6687 Jan 10 12:05 hook.sh
-rw-r--r-- 1 avkoudinov avkoudinov 6072 Mar 16 2018 hook.sh.default
Ключевые моменты:
1.
2.
3.
- DEHYDRATED_USER="le"
- DEHYDRATED_USER="le"
- CHALLENGETYPE="dns-01"
я использую верификацию через dns, вызывается скрипт, через api добавляет TXT запись, после проверки запись удаляется. Мой регистратор REG.RU предоставляет api к DNS. Можно и через http. Тогда скрипт создаёт временные файлы локально, происходит верификация, файлы удаляются.
алгоритм шифрования
1.
- CONTACT_EMAIL="avkoudinov@gmail.com"
учётная запись в letsencrypt
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
59.
60.
61.
62.
63.
64.
65.
66.
67.
68.
69.
70.
71.
72.
73.
74.
75.
76.
77.
78.
79.
80.
81.
82.
83.
84.
85.
86.
87.
88.
89.
90.
91.
92.
93.
94.
95.
96.
97.
98.
99.
100.
101.
102.
103.
104.
105.
106.
107.
108.
109.
110.
111.
112.
113.
114.
115.
116.
117.
118.
119.
120.
121.
122.
123.
124.
root@srv-adm:/opt/le/letsencrypt# cat config
########################################################
# This is the main config file for dehydrated #
# #
# This file is looked for in the following locations: #
# $SCRIPTDIR/config (next to this script) #
# /usr/local/etc/dehydrated/config #
# /etc/dehydrated/config #
# ${PWD}/config (in current working-directory) #
# #
# Default values of this config are in comments #
########################################################
# Which user should dehydrated run as? This will be implictly enforced when running as root
#DEHYDRATED_USER=
DEHYDRATED_USER="le"
# Which group should dehydrated run as? This will be implictly enforced when running as root
#DEHYDRATED_GROUP=
DEHYDRATED_GROUP="le"
# Resolve names to addresses of IP version only. (curl)
# supported values: 4, 6
# default: <unset>
#IP_VERSION=
IP_VERSION="4"
# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
#CA="https://acme-v02.api.letsencrypt.org/directory"
# Path to old certificate authority
# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
# instead of registering a new one.
# default: https://acme-v01.api.letsencrypt.org/directory
#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
# Which challenge should be used? Currently http-01 and dns-01 are supported
#CHALLENGETYPE="http-01"
CHALLENGETYPE="dns-01"
# Path to a directory containing additional config files, allowing to override
# the defaults found in the main configuration file. Additional config files
# in this directory needs to be named with a '.sh' ending.
# default: <unset>
#CONFIG_D=
# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
#BASEDIR=$SCRIPTDIR
# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
#DOMAINS_TXT="${BASEDIR}/domains.txt"
# Output directory for generated certificates
#CERTDIR="${BASEDIR}/certs"
# Directory for account keys and registration information
#ACCOUNTDIR="${BASEDIR}/accounts"
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
#WELLKNOWN="/var/www/dehydrated"
WELLKNOWN="/opt/le/letsencrypt/.acme-challenges"
# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"
# Path to openssl config file (default: <unset> - tries to figure out system default)
#OPENSSL_CNF=
# Path to OpenSSL binary (default: "openssl")
#OPENSSL="openssl"
# Extra options passed to the curl binary (default: <unset>)
#CURL_OPTS=
# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
#HOOK=
# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
#HOOK_CHAIN="no"
# Minimum days before expiration to automatically renew certificate (default: 30)
#RENEW_DAYS="30"
# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
#PRIVATE_KEY_RENEW="yes"
# Create an extra private key for rollover (default: no)
#PRIVATE_KEY_ROLLOVER="no"
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
KEY_ALGO=secp384r1
# E-mail to use during the registration (default: <unset>)
#CONTACT_EMAIL=
CONTACT_EMAIL="avkoudinov@gmail.com"
# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
#LOCKFILE="${BASEDIR}/lock"
# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
#OCSP_MUST_STAPLE="no"
# Fetch OCSP responses (default: no)
#OCSP_FETCH="no"
# Issuer chain cache directory (default: $BASEDIR/chains)
#CHAINCACHE="${BASEDIR}/chains"
# Automatic cleanup (default: no)
#AUTO_CLEANUP="no"
# ACME API version (default: auto)
#API=auto
root@srv-adm:/opt/le/letsencrypt#
(для домена и поддоменов, например)
1.
2.
itwrks.org *.itwrks.org
privateperson.net *.privateperson.net
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
59.
60.
61.
root@srv-adm:/opt/le/letsencrypt# cat hook_regru_le.pl
#!/usr/bin/env perl
#
# cpanm Regru::API
use Regru::API;
use Data::Printer;
my ($hook_stage, $domain, $txt_challenge) = @ARGV;
if (not defined $hook_stage) {
die "Need hook_stage.\n";
};
if (not defined $domain) {
die "Need domain.\n";
};
if (not defined $txt_challenge) {
die "Need txt_challenge.\n";
};
my $username = "";
my $password = "";
my $client = Regru::API->new(
username => "$username",
password => "$password",
);
sub addTXT {
my $resp = $client->zone->add_txt(
subdomain => '_acme-challenge',
domain_name => "$domain",
text => "$txt_challenge",
);
p $resp;
}
sub delTXT {
my $respDel = $client->zone->remove_record(
domains => [
{ dname => "$domain" },
],
subdomain => '_acme-challenge',
record_type => 'TXT',
content => "$txt_challenge",
);
p $resp;
}
if ($hook_stage eq 'deploy_challenge') {
addTXT();
} elsif ($hook_stage eq 'clean_challenge') {
delTXT();
} else {
die "No hook challenge.\n";
}
root@srv-adm:/opt/le/letsencrypt#
Я добавил следующие строчки для ссвой конфигурации, у меня сертификаты копируются на шару /opt/certs и после обновления сертификаты перезапускается nginx файловера.
1.
2.
3.
cp "${KEYFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" /opt/certs/"${DOMAIN}"/
ssh -i ~/.ssh/le_ecdsa root@nginx1.itworks "systemctl reload nginx"
ssh -i ~/.ssh/le_ecdsa root@nginx2.itworks "systemctl reload nginx"
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
59.
60.
61.
62.
63.
64.
65.
66.
67.
68.
69.
70.
71.
72.
73.
74.
75.
76.
77.
78.
79.
80.
81.
82.
83.
84.
85.
86.
87.
88.
89.
90.
91.
92.
93.
94.
95.
96.
97.
98.
99.
100.
101.
102.
103.
104.
105.
106.
107.
108.
109.
110.
111.
112.
113.
114.
115.
116.
117.
118.
119.
120.
121.
122.
123.
124.
125.
126.
127.
128.
129.
130.
131.
132.
133.
134.
135.
136.
137.
138.
139.
140.
141.
142.
143.
144.
145.
146.
147.
148.
149.
150.
151.
152.
153.
154.
155.
156.
157.
158.
159.
160.
161.
162.
163.
164.
165.
166.
167.
168.
169.
170.
171.
172.
173.
174.
175.
176.
root@srv-adm:/opt/le/letsencrypt# cat hook.sh
#!/usr/bin/env bash
deploy_challenge() {
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
# This hook is called once for every domain that needs to be
# validated, including any alternative names you may have listed.
#
# Parameters:
# - DOMAIN
# The domain name (CN or subject alternative name) being
# validated.
# - TOKEN_FILENAME
# The name of the file containing the token to be served for HTTP
# validation. Should be served by your web server as
# /.well-known/acme-challenge/${TOKEN_FILENAME}.
# - TOKEN_VALUE
# The token value that needs to be served for validation. For DNS
# validation, this is what you want to put in the _acme-challenge
# TXT record. For HTTP validation it is the value that is expected
# be found in the $TOKEN_FILENAME file.
# Simple example: Use nsupdate with local named
# printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
/opt/le/letsencrypt/hook_regru_le.pl deploy_challenge ${DOMAIN} ${TOKEN_VALUE}
}
clean_challenge() {
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
# This hook is called after attempting to validate each domain,
# whether or not validation was successful. Here you can delete
# files or DNS records that are no longer needed.
#
# The parameters are the same as for deploy_challenge.
# Simple example: Use nsupdate with local named
# printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
/opt/le/letsencrypt/hook_regru_le.pl clean_challenge ${DOMAIN} ${TOKEN_VALUE}
}
deploy_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
# This hook is called once for each certificate that has been
# produced. Here you might, for instance, copy your new certificates
# to service-specific locations and reload the service.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
# - TIMESTAMP
# Timestamp when the specified certificate was created.
# Simple example: Copy file to nginx config
# cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
# systemctl reload nginx
cp "${KEYFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" /opt/certs/"${DOMAIN}"/
ssh -i ~/.ssh/le_ecdsa root@nginx1.itworks "systemctl reload nginx"
ssh -i ~/.ssh/le_ecdsa root@nginx2.itworks "systemctl reload nginx"
}
unchanged_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
# This hook is called once for each certificate that is still
# valid and therefore wasn't reissued.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - KEYFILE
# The path of the file containing the private key.
# - CERTFILE
# The path of the file containing the signed certificate.
# - FULLCHAINFILE
# The path of the file containing the full certificate chain.
# - CHAINFILE
# The path of the file containing the intermediate certificate(s).
##cp "${KEYFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" /opt/certs/"${DOMAIN}"/
##ssh -i ~/.ssh/le_ecdsa root@nginx1.itworks "systemctl reload nginx"
##ssh -i ~/.ssh/le_ecdsa root@nginx2.itworks "systemctl reload nginx"
}
invalid_challenge() {
local DOMAIN="${1}" RESPONSE="${2}"
# This hook is called if the challenge response has failed, so domain
# owners can be aware and act accordingly.
#
# Parameters:
# - DOMAIN
# The primary domain name, i.e. the certificate common
# name (CN).
# - RESPONSE
# The response that the verification server returned
# Simple example: Send mail to root
# printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
}
request_failure() {
local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
# This hook is called when an HTTP request fails (e.g., when the ACME
# server is busy, returns an error, etc). It will be called upon any
# response code that does not start with '2'. Useful to alert admins
# about problems with requests.
#
# Parameters:
# - STATUSCODE
# The HTML status code that originated the error.
# - REASON
# The specified reason for the error.
# - REQTYPE
# The kind of request that was made (GET, POST...)
# Simple example: Send mail to root
# printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
}
generate_csr() {
local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
# This hook is called before any certificate signing operation takes place.
# It can be used to generate or fetch a certificate signing request with external
# tools.
# The output should be just the cerificate signing request formatted as PEM.
#
# Parameters:
# - DOMAIN
# The primary domain as specified in domains.txt. This does not need to
# match with the domains in the CSR, it's basically just the directory name.
# - CERTDIR
# Certificate output directory for this particular certificate. Can be used
# for storing additional files.
# - ALTNAMES
# All domain names for the current certificate as specified in domains.txt.
# Again, this doesn't need to match with the CSR, it's just there for convenience.
# Simple example: Look for pre-generated CSRs
# if [ -e "${CERTDIR}/pre-generated.csr" ]; then
# cat "${CERTDIR}/pre-generated.csr"
# fi
}
startup_hook() {
# This hook is called before the cron command to do some initial tasks
# (e.g. starting a webserver).
:
}
exit_hook() {
# This hook is called at the end of the cron command and can be used to
# do some final (cleanup or other) tasks.
:
}
HANDLER="$1"; shift
if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
"$HANDLER" "$@"
fi
root@srv-adm:/opt/le/letsencrypt#
1.
/opt/le/letsencrypt/dehydrated --cron --hook /opt/le/letsencrypt/hook.sh
и всё регулярно обнволяется само и вмешательства не требует.
1.
0 1 * * * /opt/le/letsencrypt/dehydrated --cron --hook /opt/le/letsencrypt/hook.sh > /dev/null 2>&1
