acme-user

These are scripts and configuration files to run acme-tiny with as few privileges as possible on systemd systems.

Initial set-up

This is based upon the upstream README; refer to it for details.

After generating or converting your account private key, store it as

/etc/acme/accountkey.pem

and set permission/ownership to 440 acme:acme.

The ${domain} private key should be stored as

/etc/acme/${domain}/privkey.pem

and have permission/ownership of 400 root:root. In practice acme-tiny does not use it once the CSR is generated, so these are only general recommendations.

However the CSR must be stored as

/etc/acme/${domain}/csr.pem

and be 440 acme:acme.

Note that if you want to enable OCSP Must Staple for your certificates, you can pass -addext "tlsfeature = status_request" to the openssl req command, in which case you might want to set up OCSP priming.

One important modification here: the challenge files are expected to reside under /var/lib/acme/. The folder is created by the systemd-tmpfiles config, but you need to set up your HTTP server to serve that path.

Here we deviate noticeably from upstream because we also set up OCSP priming for OCSP stapling (see your web server's documentation for how to configure that).

  1. Get the certificate:

```sh
sudo -u acme sh -c "/usr/bin/acme-tiny --account-key /etc/acme/accountkey.pem --csr /etc/acme/${domain}/csr.pem --acme-dir /var/lib/acme/ > /etc/acme/${domain}/fullchain.pem"
```

  2. Fix permissions:

```sh
sudo chown root:root /etc/acme/${domain}/fullchain.pem
sudo chmod 444 /etc/acme/${domain}/fullchain.pem
```

  3. Split the cert for our needs (leaf certificate into cert.pem, the rest of the chain into chain.pem; printf is used instead of echo -e, which would emit a literal "-e" under a POSIX sh):

```sh
FULLCHAIN=$(sudo cat /etc/acme/${domain}/fullchain.pem)
echo "${FULLCHAIN%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----" | sudo tee /etc/acme/${domain}/cert.pem
printf '%s\n' "${FULLCHAIN#*-----END CERTIFICATE-----}" | sed '/./,$!d' | sudo tee /etc/acme/${domain}/chain.pem
```

  4. OCSP priming:

```sh
sudo openssl ocsp -noverify -no_nonce -respout /etc/acme/${domain}/ocsp.der -issuer /etc/acme/${domain}/chain.pem -cert /etc/acme/${domain}/cert.pem -url $(sudo openssl x509 -noout -ocsp_uri -in /etc/acme/${domain}/cert.pem)
```
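The parameter-expansion split above works for the common leaf + one intermediate layout. The following is an added example, not code from the acme-user project, that generalizes step 3 with awk so a fullchain with any number of intermediates is split the same way, and so a single-certificate chain still produces an (empty) chain.pem rather than a missing file. File paths are function parameters; the sample fullchain is constructed with placeholder bodies, not real certificates, so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the acme-user project: split a fullchain PEM
# (leaf certificate followed by zero or more intermediates) into cert.pem and
# chain.pem with awk, handling chains of any depth. Paths are parameters.
set -eu

# split_fullchain FULLCHAIN CERT_OUT CHAIN_OUT
# First PEM block -> CERT_OUT, every following block -> CHAIN_OUT.
# Both outputs are truncated first so a single-cert chain still yields an
# empty CHAIN_OUT instead of no file at all.
split_fullchain() {
    : > "$2"
    : > "$3"
    awk -v cert="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print >> cert; next }
        n >= 2 { print >> chain }
    ' "$1"
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none)
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_sample_fullchain FILE: write a constructed, fake three-block chain
# (placeholder bodies, not real certificates) for offline demonstration.
make_sample_fullchain() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'LEAFBODY' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE1' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE2' '-----END CERTIFICATE-----' \
        > "$1"
}

# Stand-alone demonstration on the constructed sample in a scratch directory.
tmp=$(mktemp -d)
make_sample_fullchain "$tmp/fullchain.pem"
split_fullchain "$tmp/fullchain.pem" "$tmp/cert.pem" "$tmp/chain.pem"
echo "cert.pem holds $(count_certs "$tmp/cert.pem") certificate(s)"   # 1
echo "chain.pem holds $(count_certs "$tmp/chain.pem") certificate(s)" # 2
rm -rf "$tmp"
```

To use it against the layout described above, call `split_fullchain /etc/acme/${domain}/fullchain.pem /etc/acme/${domain}/cert.pem /etc/acme/${domain}/chain.pem` as root and then apply the same 444 root:root permissions to the two outputs; keeping the leaf and the chain in separate files is what lets the OCSP priming step name the issuer explicitly.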

Renewal setup

Just enable the acme.timer systemd timer.

Services reloading

Most server services need to be reloaded or restarted in order to pick up a renewed certificate. You can have the systemd service do so automatically by adding a drop-in override:

[Service]
ExecStartPost=/usr/bin/systemctl try-reload-or-restart <space separated list of services>

For instance, a typical <space separated list of services> on a mail server might be nginx smtpd dovecot.

OCSP priming

Nothing to do: the OCSP response files are regenerated on each service run, i.e. twice per day, whereas they are valid for 7 days and renewed upstream every 3 days.