acme_tiny is a nice, small utility for creating and renewing your domain SSL/TLS certificates with Let's Encrypt.
It's less than 200 lines of Python and just works. Here's how to set it up on a pkgsrc-based system (pkgin, /opt/local paths) and have your certificate automatically renewed once a month.
First, let's get things installed: nginx and the acme-tiny client. Then set up the two directories acme_tiny needs, one for the keys and certificates and one for the challenge files nginx will serve.

    pkgin in nginx py36-acme-tiny
    mkdir -p /opt/local/etc/acme /opt/local/www/acme
Add the following location block to the server stanza that serves your domain over plain HTTP (port 80), then reload nginx. Let's Encrypt fetches the challenge token from http://your-domain/.well-known/acme-challenge/, so this path has to be reachable without TLS.

    vi /opt/local/etc/nginx/nginx.conf

    location ^~ /.well-known/acme-challenge/ {
        alias /opt/local/www/acme/;
        try_files $uri =404;
    }

    nginx -s reload
Now let's set up the keys so we can request a certificate for our site: an account key that identifies us to Let's Encrypt, and a domain key plus a CSR for the certificate itself. Both keys are long-lived secrets, so make sure they end up readable by root only (set a umask of 077 before running these commands, or chmod them afterwards).

    cd /opt/local/etc/acme
    openssl genrsa 4096 > account.key
    openssl genrsa 4096 > domain.key
    openssl req -new -sha256 -key domain.key -subj "/CN=shaner.life" > domain.csr
Now we can make the initial request for our certificate. acme_tiny writes the signed certificate to stdout; we then fetch the Let's Encrypt intermediate and concatenate the two into the full chain nginx will serve.

    acme_tiny --account-key /opt/local/etc/acme/account.key \
        --csr /opt/local/etc/acme/domain.csr \
        --acme-dir /opt/local/www/acme \
        > /opt/local/etc/acme/signed.crt
    curl -s 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem' > /opt/local/etc/acme/intermediate.pem
    cat /opt/local/etc/acme/signed.crt /opt/local/etc/acme/intermediate.pem > /opt/local/etc/acme/fullchain.pem

Note that the intermediate URL is pinned to the X3 intermediate that Let's Encrypt was using when this was written. When Let's Encrypt rotates to a new intermediate, the file you download here will no longer be the issuer of your certificate and clients will see a broken chain, so verify the chain (openssl verify, or your browser) after each renewal rather than assuming it is fine.
If you get an error complaining about the expired terms of service PDF, don't fret: this version of acme_tiny hard-codes the agreement URL, and we just need to update the script with the URL of the current version.

    vi /opt/local/bin/acme_tiny
    # search for 'pdf' and replace the URL with the one from the error you received during your (failed) certificate request
If you got an error complaining that the acme-challenge token could not be fetched, double check your nginx config and be sure you actually reloaded nginx. Also check that the user running acme_tiny can write to /opt/local/www/acme and that the nginx worker can read it. A quick sanity check is to drop a file into /opt/local/www/acme and fetch it over plain HTTP at http://shaner.life/.well-known/acme-challenge/<filename>; if that 404s, Let's Encrypt will fail too.
One last step before we can set up nginx with our new certs: we need to generate Diffie-Hellman parameters for the DHE cipher suites. Generating 4096-bit parameters takes a while, so go grab some coffee and when you get back it should be done.

    openssl dhparam 4096 > /opt/local/etc/nginx/dhparam.pem
Now that we have our DH parameters, certificate and private key, let's set up nginx to use them. Here are the relevant SSL bits to add to the server stanza (the one with listen 443 ssl;) in /opt/local/etc/nginx/nginx.conf. Only TLS 1.2 is enabled (add TLSv1.3 if your nginx and OpenSSL support it); TLS 1.0 and 1.1 are deprecated, and 3DES is a 64-bit block cipher that is no longer considered safe, so neither appears in the list.

    server_tokens off;

    ssl_certificate     /opt/local/etc/acme/fullchain.pem;
    ssl_certificate_key /opt/local/etc/acme/domain.key;
    ssl_dhparam         /opt/local/etc/nginx/dhparam.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5:!3DES';

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Two caveats. OCSP stapling only works if nginx can look up the OCSP responder, which needs a resolver directive, and ssl_stapling_verify needs ssl_trusted_certificate pointing at a file with the intermediate and root; without them nginx logs a warning and simply serves no staple. And the HSTS header is cached by browsers for a year, so only keep includeSubDomains if every subdomain is served over HTTPS; also remember that add_header is not inherited into any location block that sets its own add_header.
Let's automate this thing. Here we're creating a script to be called by a cron job to renew the certificate. Let's Encrypt certificates are only valid for 90 days, so renewal has to happen on a fairly frequent schedule. The script writes everything to temporary files first and only moves the new certificate into place once acme_tiny and the intermediate download have both succeeded, so a failed run cannot leave nginx pointing at an empty signed.crt. nginx reads the chain straight from /opt/local/etc/acme, so no extra copy is needed.

    cat > /opt/local/etc/acme/renew.sh <<'EOF'
    #!/bin/bash
    set -euo pipefail
    PATH=/opt/local/sbin:/opt/local/bin:/usr/sbin:/usr/bin   # cron's PATH usually lacks /opt/local
    cd /opt/local/etc/acme
    acme_tiny --account-key account.key --csr domain.csr --acme-dir /opt/local/www/acme > signed.crt.new
    curl -sf 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem' > intermediate.pem.new
    # refuse to install anything that does not parse as a certificate
    openssl x509 -noout -in signed.crt.new
    cat signed.crt.new intermediate.pem.new > fullchain.pem.new
    mv signed.crt.new signed.crt
    mv intermediate.pem.new intermediate.pem
    mv fullchain.pem.new fullchain.pem
    nginx -t && nginx -s reload
    EOF
    chmod 700 /opt/local/etc/acme/renew.sh
Okay, with our script in place, let's create the cron job to run once a month (on the first). Log the output somewhere you will actually look rather than throwing it away: acme_tiny reports its progress and any error on stderr, and a silently failing renewal is only noticed when the certificate expires.

    crontab -e
    0 0 1 * * /opt/local/etc/acme/renew.sh >> /opt/local/etc/acme/renew.log 2>&1
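acme_tiny issues a fresh certificate every time it runs and never inspects the one already installed, and the renew script trusts that curl and cat produced a usable chain. The two helpers below are an added example written for this post (they are not acme_tiny's code and were not part of the original article): needs_renewal decides from the current fullchain.pem whether a renewal is due, so the cron job could run daily and still only contact Let's Encrypt when fewer than 30 days remain; chain_ok verifies a freshly assembled fullchain.pem up to a root you trust and checks that the leaf actually matches domain.key, before anything is moved into place. The function names and argument layout are this example's own, and it assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example (not part of acme_tiny or the original post): two checks a
# renewal wrapper can run before and after calling acme_tiny.  Assumes only
# that openssl is on PATH; file paths are passed in as arguments.

# needs_renewal CERT [DAYS]
# Returns 0 if CERT expires within DAYS (default 30), i.e. renewal is due;
# 1 if it still has more than DAYS left; 2 if CERT is not a parseable cert.
needs_renewal() {
    cert=$1
    days=${2:-30}
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate will NOT expire within the window.
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# chain_ok FULLCHAIN ROOT KEY
# Returns 0 if the first certificate in FULLCHAIN (the leaf) verifies up to
# the trust anchor in ROOT, using the remaining certificates in FULLCHAIN as
# untrusted intermediates, and the leaf's public key matches the private key
# in KEY.  A stale or missing intermediate.pem, or the wrong domain.key, fails
# here instead of in every visitor's browser.
chain_ok() {
    fullchain=$1
    root=$2
    key=$3
    tmp=$(mktemp -d) || return 2
    # The first PEM block is the leaf; everything after it is the chain.
    awk '/BEGIN CERT/{n++} n==1' "$fullchain" > "$tmp/leaf.pem"
    awk '/BEGIN CERT/{n++} n>=2' "$fullchain" > "$tmp/inter.pem"
    # openssl verify rejects an empty -untrusted file, so only pass it when
    # there is a chain.  $tmp comes from mktemp and contains no whitespace.
    untrusted=""
    [ -s "$tmp/inter.pem" ] && untrusted="-untrusted $tmp/inter.pem"
    rc=1
    if openssl verify -CAfile "$root" $untrusted "$tmp/leaf.pem" >/dev/null 2>&1 &&
       [ "$(openssl x509 -noout -pubkey -in "$tmp/leaf.pem")" = "$(openssl pkey -pubout -in "$key")" ]; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}
```

In renew.sh you would put `needs_renewal /opt/local/etc/acme/fullchain.pem 30 || exit 0` before the acme_tiny call and `chain_ok fullchain.pem.new <ca-bundle> domain.key || exit 1` before the mv lines, where the CA bundle is whatever root store your system already has. Because chain_ok splits the leaf from the chain itself, it also catches the case where intermediate.pem was left empty or fetched an error page.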
All set! Good Job 🙂