= Letsencrypt/dehydrated =
https://github.com/lukas2511/dehydrated

== The basics, up to obtaining a certificate ==
Let's try obtaining a certificate for www.qmail.jp ([[/www.qmail.jpの証明書]]). I could not find any description of how to deploy the certificate once it has been obtained. -- ToshinoriMaeno

Referring to acme.sh seems the better option.

----
letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io

Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
{{{
 --version (-v)                   Print version information
 --register                       Register account key
 --account                        Update account contact information
 --cron (-c)                      Sign/renew non-existent/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts
}}}

== Commentary ==
https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/

Following this write-up is tedious. -- ToshinoriMaeno

http-01 verification: if you are already running an "ordinary web server" (nginx etc.), this may be the easy route.
{{{
If you only have one docroot on your server, you could easily do something like
WELLKNOWN=/var/www/.well-known/acme-challenge
for anything else look at the example below.
}}}

Nginx example config

The original author's explanation is terse, too.
{{{
Lighttpd example config

With Lighttpd just add this to your config, and it should work in any VHost:

modules += "alias"
alias.url += (
 "/.well-known/acme-challenge/" => "/var/www/dehydrated/"
)
}}}

== DNS challenge ==
If you are comfortable with DNS, this route, [[/DNS-01]], is probably the easier one.
{{{
dns-01 challenge

This script also supports the new dns-01-type verification. This type of verification requires you to be able to create a specific TXT DNS record for each hostname included in the certificate.

You need a hook script that deploys the challenge to your DNS server!
The hook script (indicated in the config file or the --hook/-k command line argument) gets four arguments: an operation name (clean_challenge, deploy_challenge, or deploy_cert) and some operands for that. For deploy_challenge $2 is the domain name for which the certificate is required, $3 is a "challenge token" (which is not needed for dns-01), and $4 is a token which needs to be inserted in a TXT record for the domain.
}}}

== wildcard ==
https://erdgeist.org/posts/2018/wild-wild-certs.html

== Just add water ==
https://erdgeist.org/posts/2017/just-add-water.html
----
Finally, you need to add the actual code to your hooks. I just modified the file hook.sh in /usr/local/etc/dehydrated/ to read in the deploy_challenge() function
{{{
# ${DOMAIN} and ${TOKEN_VALUE} are the locals dehydrated's example hook.sh sets from $1 and $3.
# A plain ' inside double quotes is the tinydns marker for a TXT record ('fqdn:text:ttl).
printf "'_acme-challenge.%s:%s:120\n" "${DOMAIN}" "${TOKEN_VALUE}" >> /etc/tinydns/root/data
cd /etc/tinydns/root/
# tinydns-data writes data.cdb itself (via data.tmp and a rename); redirecting its
# stdout onto data.cdb would only truncate the live file for a moment.
tinydns-data
}}}
and for later cleanup in the clean_challenge() function I added
{{{
# BSD sed: -i '' edits in place without a backup file; drops every _acme-challenge line.
sed -E -i '' '/_acme-challenge/d' /etc/tinydns/root/data
cd /etc/tinydns/root/
tinydns-data
}}}

== config ==
The config file is searched for in the following order:
{{{
/etc/dehydrated/config
/usr/local/etc/dehydrated/config
The current working directory of your shell
The directory from which dehydrated was run
}}}
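A complete dns-01 hook for tinydns in the spirit of the snippet quoted under "Just add water", added here as an example (it is neither dehydrated's own hook.sh nor erdgeist's code). It refuses domain or token values with characters dehydrated never passes (a ':' or newline would otherwise inject extra records into the data file), and on cleanup removes only the exact line it added, so the second pending record that a base-name plus wildcard certificate needs on the same name survives. TINYDNS_ROOT, TINYDNS_REBUILD, ACME_TTL and the function names are assumptions, and it assumes the default HOOK_CHAIN=no (one domain per call).

```sh
#!/bin/sh
# Added example: a dehydrated dns-01 hook for tinydns (not dehydrated's hook.sh,
# not erdgeist's code). dehydrated runs it as:
#   hook.sh <event> <domain> <token-filename> <token-value>   (HOOK_CHAIN=no)
# TINYDNS_ROOT, TINYDNS_REBUILD and ACME_TTL are assumptions, overridable for testing.
set -eu

TINYDNS_ROOT="${TINYDNS_ROOT:-/etc/tinydns/root}"    # directory holding 'data'
TINYDNS_REBUILD="${TINYDNS_REBUILD:-tinydns-data}"   # compiles data -> data.cdb
ACME_TTL=120

# Print the tinydns TXT line ('fqdn:text:ttl) for one challenge, or fail.
# dehydrated only passes hostnames and base64url token values; anything else
# (a ':' or a newline, say) could inject extra records into 'data', so refuse it.
acme_txt_line() {
    domain="${1#\*.}"   # a wildcard name is proven at its base name
    token="$2"
    case "$domain" in *[!A-Za-z0-9.-]*|'') echo "hook: bad domain '$1'" >&2; return 1 ;; esac
    case "$token"  in *[!A-Za-z0-9_-]*|'') echo "hook: bad token value" >&2; return 1 ;; esac
    printf "'_acme-challenge.%s:%s:%s\n" "$domain" "$token" "$ACME_TTL"
}

# tinydns-data writes data.cdb itself (via data.tmp + rename); no redirect needed.
rebuild_tinydns() {
    ( cd "$TINYDNS_ROOT" && "$TINYDNS_REBUILD" )
}

deploy_challenge() {   # $1 domain, $2 token filename (unused for dns-01), $3 token value
    acme_txt_line "$1" "$3" >> "$TINYDNS_ROOT/data"
    rebuild_tinydns
}

# Remove exactly the line that deploy_challenge added. A blanket
# /_acme-challenge/d would also drop the second pending record that a
# base-name + wildcard certificate needs on the same name.
clean_challenge() {
    line="$(acme_txt_line "$1" "$3")"
    new="$TINYDNS_ROOT/data.new"   # not data.tmp, which tinydns-data uses itself
    grep -vxF -- "$line" "$TINYDNS_ROOT/data" > "$new" || [ $? -eq 1 ]   # 1 = no lines left
    mv "$new" "$TINYDNS_ROOT/data"
    rebuild_tinydns
}

case "${1:-}" in
    deploy_challenge|clean_challenge) handler="$1"; shift; "$handler" "$@" ;;
    *) : ;;   # deploy_cert, unchanged_cert, ... need nothing on the DNS side
esac
```

Point HOOK in the dehydrated config at this file and keep CHALLENGETYPE="dns-01"; the hook exits non-zero on any refused value or failed rebuild, which makes dehydrated abort the run instead of serving a half-written zone.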