_ _
___ | |__ __ _ _______ | |_
/ _ \| '_ \ / _` |_ / _ \| __|
| (_) | | | | (_| |/ / (_) | |_
\___/|_| |_|\__,_/___\___/ \__|
ssl —
configuration
- If /etc/acme-client.conf does not exist:
cp /etc/examples/acme-client.conf
/etc/
- Edit /etc/acme-client.conf
- Comment the buypass sections.
- Change example.com to the corresponding domain.
- Create the following directories if they are not present:
mkdir -p -m 700 /etc/acme
mkdir -p -m 700 /var/www/acme
mkdir -p -m 700 /etc/ssl/acme/private
- Add the following to httpd.conf:
location /.well-known/acme-challenge/* {
root "/acme"
request strip 2
}
- Verify httpd config and restart httpd:
httpd -n && rcctl restart
httpd
- Run acme to create the certificate and key:
acme-client -v
[SERVER].com
- Backup important files:
- /etc/acme/letsencrypt-privkey.pem
- /etc/ssl/private/[SERVER].com.key
- /etc/ssl/[SERVER].com.fullchain.pem
- Schedule renewal on cron as shown in man acme-client:
~ * * * * acme-client
[SERVER].com && rcctl reload httpd
- Update httpd.conf:
listen on egress tls port 443
tls {
certificate "/etc/ssl/[SERVER].com.fullchain.pem"
key "/etc/ssl/private/[SERVER].com.key"
}
- Verify httpd config and restart httpd:
httpd -n && rcctl restart
httpd
server [SERVER].com {
alias "www.[SERVER].com"
listen on egress port 80
listen on egress tls port 443
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
root "/htdocs/[SERVER]"
errdocs "/htdocs/[SERVER]/errors/"
tls {
certificate "/etc/ssl/[SERVER].com.fullchain.pem"
key "/etc/ssl/private/[SERVER].com.key"
}
}