Some notes on how to create the certs and have them load automatically into Apache.
I'm not detailing how to install acme as that's straightforward and covered on the acme website.
I have the acme script installed on the web server as root as it makes copying the certs / keys to the appropriate directories easier.
I use the dns-01 challenge mechanism to issue certs as Cloudflare has an API that supports it.
This is a great way to do it as it means you don't need to copy content to the web servers to authenticate the cert issuing request.
Need the following in ~/.acme.sh/account.conf for it to work:
SAVED_CF_Key='<API key>'
SAVED_CF_Email='<email address>'
Issue the cert
acme.sh --issue --dns dns_cf -d foobar.durrant.me.uk
Add the cert / key locations to Apache
Note that the cer file contains both the site cert and the intermediate cert. Apache understands if you point both parameters at the same file which saves having to maintain two separate files.
SSLCertificateFile /etc/pki/tls/certs/foobar.durrant.me.uk.cer
SSLCertificateKeyFile /etc/pki/tls/private/foobar.durrant.me.uk.key
SSLCertificateChainFile /etc/pki/tls/certs/foobar.durrant.me.uk.cer
Install the certs
acme.sh --install-cert -d foobar.durrant.me.uk --key-file /etc/pki/tls/private/foobar.durrant.me.uk.key --fullchain-file /etc/pki/tls/certs/foobar.durrant.me.uk.cer --reloadcmd "systemctl restart httpd.service"
Set the permissions on the key & cert
chmod 600 /etc/pki/tls/private/foobar.durrant.me.uk.key
chmod 600 /etc/pki/tls/certs/foobar.durrant.me.uk.cer
Certs will automatically be renewed and reinstalled every 2 months.
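A small post-install check for the layout above, added here as an example and not part of the original post or of acme.sh: it confirms the installed .cer really contains more than one certificate (leaf plus intermediate, which is what lets SSLCertificateFile and SSLCertificateChainFile share the file) and that both files ended up mode 600. The cert and key paths are taken as arguments; the sample PEM files are constructed for illustration.

```shell
#!/bin/sh
# Sanity-check an acme.sh --install-cert result before trusting the Apache reload.
# Assumption (not from the post): $1 is the fullchain .cer, $2 is the private key.

# Number of PEM certificate blocks in a file; 0 if the file is missing/unreadable.
count_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# True only if the file's permission bits are exactly 0600 (owner read/write).
is_mode_600() {
    [ -n "$(find "$1" -prune -perm 600 -print 2>/dev/null)" ]
}

# Check one cert/key pair; prints findings and returns 0 when all is as expected.
check_install() {
    cert="$1"; key="$2"; rc=0
    n=$(count_certs "$cert")
    if [ "$n" -ge 2 ]; then
        echo "ok: $cert holds $n certificates (site cert + intermediate)"
    else
        echo "WARN: $cert holds $n certificate(s); intermediate chain missing?"; rc=1
    fi
    for f in "$cert" "$key"; do
        if is_mode_600 "$f"; then
            echo "ok: $f is mode 600"
        else
            echo "WARN: $f is not mode 600"; rc=1
        fi
    done
    return $rc
}

# Usage: ./check_install.sh /etc/pki/tls/certs/site.cer /etc/pki/tls/private/site.key
if [ "$#" -eq 2 ]; then check_install "$1" "$2"; fi
```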
Well interesting!