LetsEncrypt with ACME on OpenWRT: Difference between revisions

The ''acme'' package (acme.sh) is an ACME client implementation for OpenWRT that obtains certificates from [[wikipedia:Let's_Encrypt|Let's Encrypt]].  It will request, renew and store TLS / HTTPS certificates for various purposes.  The resulting certificates can be used by Apache, Nginx, uhttpd, etc. on OpenWRT.


=== Choices ===
As with everything in the world, there are choices.  This article describes two different ways to install the acme.sh script.  One, the "Easy Way".  Two, the longer OpenWRT way.
 
=== The Easy Way of Installing ''acme.sh'' ===
 
* Download the latest version of the script from https://github.com/acmesh-official/acme.sh (3.0.1 as of the writing of this article)
* To stay within the world of OpenWRT, first install acme.sh the usual way: opkg update, then opkg install acme acme-dnsapi luci-app-acme (2.8.5 is the version currently packaged by OpenWRT)
* Replace the /usr/lib/acme/acme.sh file with the downloaded one (3.0.1 or more recent).  Since this swaps a package-managed file for one fetched from GitHub, verify what was downloaded (compare it against the release tag, or against a checksum obtained separately) before copying it into place
* Create these directories: /etc/acme/certs and /etc/acme/config (they can be anywhere, but following the OpenWRT paradigm this is where they naturally belong)
* Run the following command from within the /usr/lib/acme directory:
<syntaxhighlight lang="text">
./acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey /etc/acme/account --useragent "" --log /var/log/acme.log
</syntaxhighlight>
 
* Add the following to the /etc/profile file:
<syntaxhighlight lang="text">
export LE_WORKING_DIR="/usr/lib/acme"
export LE_CONFIG_HOME="/etc/acme/config"
alias acme.sh="/usr/lib/acme/acme.sh --config-home '/etc/acme/config'"
</syntaxhighlight>
...all done.  After logging out and back in, the ''acme.sh'' 'command' (actually a script) will work like any other command within OpenWRT.
 
===Installation (of basic files) the OpenWRT way===
opkg update


Notes: The LuCI GUI is next to useless.  It is an incomplete effort that isn't helpful.  But thanks for trying.  The ''run-acme'' script included in the packages installed above appears to be used by the LuCI GUI as a 'wrapper' that makes specific calls to the acme.sh script.  As of this writing, there appears to be no useful function of the ''acme service'' for OpenWRT.


===Configuration (and more "installation") the OpenWRT way===
Yes, the files have been installed, but according to the [https://github.com/acmesh-official/acme.sh/wiki/How-to-install acme.sh documentation] one still needs to "install" it.  The first part of the instructions on their site is done by the OpenWRT opkg utility.  From there, only ./acme.sh --install needs to be run (see below).


*cp /usr/lib/acme.OPKG/run-acme /usr/lib/acme/ - Copy the OpenWRT-specific run-acme file back to its original directory and path so the LuCI GUI can find it.


Keep in mind that when updating the acme package(s) via opkg, the acme.sh and run-acme files and the dnsapi directory will be overwritten.  That's fine, as the acme.sh.env file should be left in place.  Run the command below from the directory moved / renamed above:


<syntaxhighlight lang="text">
./acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey /etc/acme/account --useragent "" --log /var/log/acme.log
</syntaxhighlight>
In the above command, the switches / settings / parameters are defined as follows:


*--cert-home: The default directory where the original copy of the certificate, key file, chain information, etc. will be stored.  As with the certificate request configuration, this can be set per certificate to a different directory.  This setting in the LuCI GUI is called State directory.
*--accountemail: An email address to receive notifications from Let's Encrypt about certificate expiry, etc. and to configure account settings.  Yup, acme.sh, Certbot, etc. all set up accounts.  Let's Encrypt information about accounts: https://letsencrypt.org/docs/account-id/ This setting in the LuCI GUI is called Account email.
*--accountkey: Path to store the account key.  This defaults to a location under --config-home.  It is a private key: keep it readable by root only.
*--useragent: acme.sh gives a useless circular definition for this parameter.  Certbot's equivalent parameter is --user-agent, and is defined as follows: Set a custom user agent string for the client. User agent strings allow the CA to collect high level statistics about success rates by OS, plugin and use case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to "". (default: CertbotACMEClient/1.4.0 (certbot; CentOS Linux 7 (Core)) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/2.7.5).
*--log: The path to the log file.  Useful in case something goes wrong, and placed in a typical OpenWRT location for log files (remember that the /var directory is a symbolic link to the /tmp directory, so information and log files stored there will not persist across reboots of the router).
export LE_CONFIG_HOME="/etc/acme/config"
alias acme.sh="/usr/lib/acme/acme.sh --config-home '/etc/acme/config'"
</syntaxhighlight>
The above information will need to be added as environment variables.  In OpenWRT the file used for all profiles is /etc/profile.  By default there is one administrator user for OpenWRT, and that's ''root''; one could also set the environment variables for just the root user in the root user's profile.  Either way, add the above lines to the chosen file, then log out and log back in.  The acme.sh script should then be available system wide.
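The three manual steps above that are easy to get wrong (replacing the package-managed acme.sh with a downloaded copy, noticing when a later opkg update has silently overwritten it again, and adding the LE_* lines to /etc/profile without duplicating them) can be wrapped in a few shell functions.  The script below is an added example written for this page; it is not part of the OpenWRT acme package or of acme.sh.  The SHA-256 you pass to install_acme_sh is assumed to have been obtained out-of-band (for example computed on a machine where you reviewed the release), and the hash file /etc/acme/acme.sh.sha256 is a location chosen here, not an acme.sh convention.  All paths default to the ones used on this page but can be overridden through environment variables.

```shell
#!/bin/sh
# Added example for this page, not from OpenWRT's acme package or acme.sh.
# Helpers around the "replace /usr/lib/acme/acme.sh with a downloaded copy"
# workflow described above:
#   install_acme_sh    - refuse to install a script whose SHA-256 does not match
#                        the value obtained out-of-band, then record that hash
#   acme_sh_unchanged  - detect that opkg (or anything else) replaced the file
#   ensure_profile_env - add the LE_* lines to the profile exactly once
#   harden_acme_files  - keep the account key and config dir root-only
# Defaults are the paths used on this page; override via environment.
ACME_HOME="${ACME_HOME:-/usr/lib/acme}"
ACME_CONFIG_HOME="${ACME_CONFIG_HOME:-/etc/acme/config}"
ACME_ACCOUNT_KEY="${ACME_ACCOUNT_KEY:-/etc/acme/account}"
ACME_PROFILE="${ACME_PROFILE:-/etc/profile}"
# Assumed location for the recorded hash; not something acme.sh itself uses.
ACME_HASH_FILE="${ACME_HASH_FILE:-/etc/acme/acme.sh.sha256}"

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_acme_sh <downloaded-file> <expected-sha256>
# Copies the downloaded script over $ACME_HOME/acme.sh only if the hash matches,
# and records the hash so a later overwrite can be detected.
install_acme_sh() {
    src="$1"; expected="$2"
    actual="$(sha256_of "$src")"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $src: sha256 $actual != expected $expected" >&2
        return 1
    fi
    mkdir -p "$ACME_HOME" "$(dirname "$ACME_HASH_FILE")"
    cp "$src" "$ACME_HOME/acme.sh"
    chmod 755 "$ACME_HOME/acme.sh"
    printf '%s\n' "$actual" > "$ACME_HASH_FILE"
}

# Returns 0 if the installed acme.sh still matches the recorded hash,
# 1 if there is no record or the file was replaced (e.g. by an opkg upgrade).
acme_sh_unchanged() {
    [ -f "$ACME_HASH_FILE" ] || return 1
    [ "$(sha256_of "$ACME_HOME/acme.sh")" = "$(cat "$ACME_HASH_FILE")" ]
}

# Appends the three lines from this page to the profile, skipping any that are
# already present so repeated runs do not pile up duplicates.
ensure_profile_env() {
    for line in \
        "export LE_WORKING_DIR=\"$ACME_HOME\"" \
        "export LE_CONFIG_HOME=\"$ACME_CONFIG_HOME\"" \
        "alias acme.sh=\"$ACME_HOME/acme.sh --config-home '$ACME_CONFIG_HOME'\""
    do
        grep -qxF -- "$line" "$ACME_PROFILE" 2>/dev/null \
            || printf '%s\n' "$line" >> "$ACME_PROFILE"
    done
}

# The account key is a private key and the config dir holds per-domain keys:
# neither should be readable by anything but root.
harden_acme_files() {
    mkdir -p "$ACME_CONFIG_HOME"
    chmod 700 "$ACME_CONFIG_HOME"
    [ -f "$ACME_ACCOUNT_KEY" ] && chmod 600 "$ACME_ACCOUNT_KEY"
    return 0
}
```

Source the file and call install_acme_sh /tmp/acme.sh <sha256> after downloading; run acme_sh_unchanged after every opkg upgrade (or from cron) and re-run install_acme_sh from your saved copy if it reports a change.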
===Functionality===
Based on the script files, it appears the "ACME Service" can be triggered by cron or by a start or restart of the service.
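If renewal is driven by cron rather than the service, one point matters: cron does not read /etc/profile, so the acme.sh alias and the LE_* variables added there are not available to the job.  The crontab line must spell out the full path and the same --home / --config-home used at install time.  The snippet below is an added example, not code from the OpenWRT package or acme.sh; it uses acme.sh's --cron renewal entry point, writes to /etc/crontabs/root (where OpenWRT keeps root's crontab), and assumes /etc/acme/acme.log as a log path that, unlike /var/log, survives a reboot.

```shell
#!/bin/sh
# Added example for this page, not from OpenWRT's acme package or acme.sh.
# cron does not source /etc/profile, so the alias defined there does not apply:
# the crontab entry must use the full path and explicit --home/--config-home.
ACME_HOME="${ACME_HOME:-/usr/lib/acme}"
ACME_CONFIG_HOME="${ACME_CONFIG_HOME:-/etc/acme/config}"
# Assumed: a flash-backed log path, since /var/log on OpenWRT is lost on reboot.
ACME_LOG="${ACME_LOG:-/etc/acme/acme.log}"
# OpenWRT stores root's crontab here; overridable for testing.
CRONTAB_FILE="${CRONTAB_FILE:-/etc/crontabs/root}"

# Builds the crontab line: acme.sh's own renewal command is `--cron`,
# scheduled here once a day at 03:00.
acme_cron_line() {
    printf '0 3 * * * %s/acme.sh --cron --home %s --config-home %s --log %s\n' \
        "$ACME_HOME" "$ACME_HOME" "$ACME_CONFIG_HOME" "$ACME_LOG"
}

# Appends the line only if no acme.sh --cron entry is present already.
install_acme_cron() {
    line="$(acme_cron_line)"
    touch "$CRONTAB_FILE"
    grep -qF -- "$ACME_HOME/acme.sh --cron" "$CRONTAB_FILE" \
        || printf '%s\n' "$line" >> "$CRONTAB_FILE"
    # On a real router, restart cron afterwards so the new entry is picked up:
    #   /etc/init.d/cron restart
}
```

Run install_acme_cron once as root; it is safe to run again, since a second call leaves the crontab untouched.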