LetsEncrypt with ACME on OpenWRT: Difference between revisions

Line 9:

Notes: The LuCI GUI is next to useless. It is an incomplete effort that isn't helpful. But thanks for trying. The ''run-acme'' script file included in the above installed packages appears to be used by the LuCI GUI as a 'wrapper' to make specific calls to the Acme.sh script. As of the writing of this, there appears to be no useful function of the ''acme service'' for OpenWRT.

=== Configuration (and more "installation") ===

===Configuration (and more "installation")===

Yes, the files have been installed, but according to the [https://github.com/acmesh-official/acme.sh/wiki/How-to-install Acme.sh Documentation], one still needs to install it. The first part of the instructions on their site are completed by the OpenWRT OPKG utility. From there, only the ./acme.sh --install needs to be run (see below);<syntaxhighlight lang="text">

Yes, the files have been installed, but according to the [https://github.com/acmesh-official/acme.sh/wiki/How-to-install Acme.sh Documentation], one still needs to install it. The first part of the instructions on their site are completed by the OpenWRT OPKG utility. From there, only the ./acme.sh --install needs to be run (see below).

./usr/lib/acme/acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey --~~user-agent~~ ""

The below paths were chosen simply to fit into the OpenWRT path paradigm. The /etc/config/acme file is not modified by any of the above settings. The /etc/config/acme file is for the Acme LuCI GUI.

./usr/lib/acme/acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey /etc/acme/account --useragent "" --log /var/log/acme.log

</syntaxhighlight>In the above command(s), the switches / settings / parameters are defined as follows;

* --home: The directory where the acme.sh script will be installed. Yes, the OpenWRT OPKG utility already installed the script here: /usr/lib/acme/acme.sh

*--home: The directory where the acme.sh script will be installed. Yes, the OpenWRT OPKG utility already installed the script here: /usr/lib/acme/acme.sh

* --config-home: The default directory where acme.sh writes / stores configuration information for each certificate that is obtained. This can be included with each certificate request configuration, meaning that each certificate request configuration can be stored in it's own directory. This setting in the LuCI GUI is defined as State directory.

*--config-home: The default directory where acme.sh writes / stores configuration information for each certificate that is obtained. This can be included with each certificate request configuration, meaning that each certificate request configuration can be stored in it's own directory. This setting in the LuCI GUI is defined as State directory.

* --cert-home: The default directory where the original copy of the certificate, key file, chain information, etc. will be stored. As with the certificate request configuration, this can be set with each certificate requested to a unique / different directory. This setting in the LuCI GUI is defined as State directory.

*--cert-home: The default directory where the original copy of the certificate, key file, chain information, etc. will be stored. As with the certificate request configuration, this can be set with each certificate requested to a unique / different directory. This setting in the LuCI GUI is defined as State directory.

* --accountemail: An email address to receive notifications from Let's Encrypt about certificate updates, etc. and to configure account settings. Yup, Acme.sh, Certbot, etc. all set up accounts. Let's Encrypt information about accounts: https://letsencrypt.org/docs/account-id/ This setting in the LuCI GUI is defined as Account email.

*--accountemail: An email address to receive notifications from Let's Encrypt about certificate updates, etc. and to configure account settings. Yup, Acme.sh, Certbot, etc. all set up accounts. Let's Encrypt information about accounts: https://letsencrypt.org/docs/account-id/ This setting in the LuCI GUI is defined as Account email.

* --accountkey

*--accountkey: Path to store account information

* --useragent: Acme.sh gives a useless circular definition for this parameter. Certbot's equivalent paramter is --user-agent, and is defined as follows: Set a custom user agent string for the client. User agent strings allow the CA to collect high level statistics about success rates by OS, plugin and use case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to "". (default: CertbotACMEClient/1.4.0 (certbot; CentOS Linux 7 (Core)) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/2.7.5).

*--useragent: Acme.sh gives a useless circular definition for this parameter. Certbot's equivalent paramter is --user-agent, and is defined as follows: Set a custom user agent string for the client. User agent strings allow the CA to collect high level statistics about success rates by OS, plugin and use case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to "". (default: CertbotACMEClient/1.4.0 (certbot; CentOS Linux 7 (Core)) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/2.7.5).

*--log: The path to the log file. Useful, just in case something goes wrong, and put in a typical OpenWRT location for log files (remember the /var directory is a soft link to the /tmp directory, so information and log files stored there will not persist across reboots of a router.

<br />

===Functionality===

Based on the script files, it appears the "ACME Service" can be triggered by CRON or a Start or Restart of the service.

Line 242:

Line 248:

</syntaxhighlight>/usr/lib/acme/run-acme: According to the notes in the file, it's a "wrapper" for the acme.sh script.

=== Certbot Help File (for comparison) ===

===Certbot Help File (for comparison)===

usage:

@@ Line 9: / Line 9: @@
 Notes: The LuCI GUI is next to useless.  It is an incomplete effort that isn't helpful.  But thanks for trying.  The ''run-acme'' script file included in the above installed packages appears to be used by the LuCI GUI as a 'wrapper' to make specific calls to the Acme.sh script.  As of the writing of this, there appears to be no useful function of the ''acme service'' for OpenWRT.
-=== Configuration (and more "installation") ===
+===Configuration (and more "installation")===
-Yes, the files have been installed, but according to the [https://github.com/acmesh-official/acme.sh/wiki/How-to-install Acme.sh Documentation], one still needs to install it.  The first part of the instructions on their site are completed by the OpenWRT OPKG utility.  From there, only the ./acme.sh --install needs to be run (see below);<syntaxhighlight lang="text">
+Yes, the files have been installed, but according to the [https://github.com/acmesh-official/acme.sh/wiki/How-to-install Acme.sh Documentation], one still needs to install it.  The first part of the instructions on their site are completed by the OpenWRT OPKG utility.  From there, only the ./acme.sh --install needs to be run (see below).
-./usr/lib/acme/acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey --user-agent ""
+The below paths were chosen simply to fit into the OpenWRT path paradigm.  The /etc/config/acme file is not modified by any of the above settings.  The /etc/config/acme file is for the Acme LuCI GUI.
+<syntaxhighlight lang="text">
+./usr/lib/acme/acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey /etc/acme/account --useragent "" --log /var/log/acme.log
 </syntaxhighlight>In the above command(s), the switches / settings / parameters are defined as follows;
-* --home: The directory where the acme.sh script will be installed.  Yes, the OpenWRT OPKG utility already installed the script here: /usr/lib/acme/acme.sh
+*--home: The directory where the acme.sh script will be installed.  Yes, the OpenWRT OPKG utility already installed the script here: /usr/lib/acme/acme.sh
-* --config-home: The default directory where acme.sh writes / stores configuration information for each certificate that is obtained.  This can be included with each certificate request configuration, meaning that each certificate request configuration can be stored in it's own directory.  This setting in the LuCI GUI is defined as State directory.
+*--config-home: The default directory where acme.sh writes / stores configuration information for each certificate that is obtained.  This can be included with each certificate request configuration, meaning that each certificate request configuration can be stored in it's own directory.  This setting in the LuCI GUI is defined as State directory.
-* --cert-home: The default directory where the original copy of the certificate, key file, chain information, etc. will be stored.  As with the certificate request configuration, this can be set with each certificate requested to a unique / different directory.  This setting in the LuCI GUI is defined as State directory.
+*--cert-home: The default directory where the original copy of the certificate, key file, chain information, etc. will be stored.  As with the certificate request configuration, this can be set with each certificate requested to a unique / different directory.  This setting in the LuCI GUI is defined as State directory.
-* --accountemail: An email address to receive notifications from Let's Encrypt about certificate updates, etc. and to configure account settings.  Yup, Acme.sh, Certbot, etc. all set up accounts.  Let's Encrypt information about accounts: https://letsencrypt.org/docs/account-id/ This setting in the LuCI GUI is defined as Account email.
+*--accountemail: An email address to receive notifications from Let's Encrypt about certificate updates, etc. and to configure account settings.  Yup, Acme.sh, Certbot, etc. all set up accounts.  Let's Encrypt information about accounts: https://letsencrypt.org/docs/account-id/ This setting in the LuCI GUI is defined as Account email.
-* --accountkey
+*--accountkey: Path to store account information
-* --useragent: Acme.sh gives a useless circular definition for this parameter.  Certbot's equivalent paramter is --user-agent, and is defined as follows: Set a custom user agent string for the client. User agent strings allow the CA to collect high level statistics about success rates by OS, plugin and use case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to "". (default: CertbotACMEClient/1.4.0 (certbot; CentOS Linux 7 (Core)) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/2.7.5).
+*--useragent: Acme.sh gives a useless circular definition for this parameter.  Certbot's equivalent paramter is --user-agent, and is defined as follows: Set a custom user agent string for the client. User agent strings allow the CA to collect high level statistics about success rates by OS, plugin and use case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to "". (default: CertbotACMEClient/1.4.0 (certbot; CentOS Linux 7 (Core)) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/2.7.5).
+*--log: The path to the log file.  Useful, just in case something goes wrong, and put in a typical OpenWRT location for log files (remember the /var directory is a soft link to the /tmp directory, so information and log files stored there will not persist across reboots of a router.
+<br />
 ===Functionality===
 Based on the script files, it appears the "ACME Service" can be triggered by CRON or a Start or Restart of the service.
@@ Line 242: / Line 248: @@
 </syntaxhighlight>/usr/lib/acme/run-acme: According to the notes in the file, it's a "wrapper" for the acme.sh script.
-=== Certbot Help File (for comparison) ===
+===Certbot Help File (for comparison)===
 <syntaxhighlight lang="text">
 usage: