LetsEncrypt with ACME on OpenWRT: Difference between revisions
mNo edit summary | mNo edit summary
Line 2: | Line 2: | ||
ACME is a [[wikipedia:Let's_Encrypt|Let'sEncrypt]] Client implementation for OpenWRT. It will request and store SSL / HTTPS Certificates for various purposes. It can be utilized by Apache, NGinx, UHTTPD, etc. on OpenWRT. | ACME is a [[wikipedia:Let's_Encrypt|Let'sEncrypt]] Client implementation for OpenWRT. It will request and store SSL / HTTPS Certificates for various purposes. It can be utilized by Apache, NGinx, UHTTPD, etc. on OpenWRT. | ||
=== Choices === | ===Choices=== | ||
As with everything in the world, there are choices. This article describes two different ways to install the acme.sh script. One, the "Easy Way". Two, the longer OpenWRT way. | As with everything in the world, there are choices. This article describes two different ways to install the acme.sh script. One, the "Easy Way". Two, the longer OpenWRT way. | ||
=== The Easy Way of Installing ''acme.sh'' === | ===The Easy Way of Installing ''acme.sh''=== | ||
* Download the latest version of the script from here: https://github.com/acmesh-official/acme.sh<nowiki/>(3.0.1 as of the writing of this article) | *Download the latest version of the script from here: https://github.com/acmesh-official/acme.sh<nowiki/>(3.0.1 as of the writing of this article) | ||
* Just to stay within the world of OpenWRT go ahead and install acme.sh the usual way: opkg update, opkg install acme acme-dnsapi luci-app-acme (2.8.5 is the latest OpenWRT version) | *Just to stay within the world of OpenWRT go ahead and install acme.sh the usual way: opkg update, opkg install acme acme-dnsapi luci-app-acme (2.8.5 is the latest OpenWRT version) | ||
* Replace the /usr/lib/acme/acme.sh file with the one downloaded (3.0.1 or a more recent one) | *Replace the /usr/lib/acme/acme.sh file with the one downloaded (3.0.1 or a more recent one) | ||
* Create these directories: /etc/acme/certs and /etc/acme/config (they can be anywhere, but following the OpenWRT paradigm, this is where they'd naturally seem to go) | *Create these directories: /etc/acme/certs and /etc/acme/config (they can be anywhere, but following the OpenWRT paradigm, this is where they'd naturally seem to go) | ||
* Run the following command from within the /usr/lib/acme directory; | *Run the following command from within the /usr/lib/acme directory; | ||
<syntaxhighlight lang="text"> | <syntaxhighlight lang="text"> | ||
.acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey /etc/acme/account --useragent "" --log /var/log/acme.log | .acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey /etc/acme/account --useragent "" --log /var/log/acme.log | ||
</syntaxhighlight> | </syntaxhighlight> | ||
* Add the following to the /etc/profile file; | *Add the following to the /etc/profile file; | ||
<syntaxhighlight lang="text"> | <syntaxhighlight lang="text"> | ||
export LE_WORKING_DIR="/usr/lib/acme" | export LE_WORKING_DIR="/usr/lib/acme" | ||
export LE_CONFIG_HOME="/etc/acme/config" | export LE_CONFIG_HOME="/etc/acme/config" | ||
alias acme.sh="/usr/lib/acme/acme.sh --config-home '/etc/acme/config'" | alias acme.sh="/usr/lib/acme/acme.sh --config-home '/etc/acme/config'" | ||
</syntaxhighlight>...all done. Using the ''acme.sh'' 'command' (actually a script) will now work like any other command within OpenWRT. | </syntaxhighlight> | ||
...all done. Using the ''acme.sh'' 'command' (actually a script) will now work like any other command within OpenWRT. | |||
===Installation (of basic files) the OpenWRT way=== | ===Installation (of basic files) the OpenWRT way=== | ||
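Review bot: the "Replace the /usr/lib/acme/acme.sh file with the one downloaded" step swaps the opkg-managed script for a file fetched from GitHub with no version pin or integrity check, and a later `opkg upgrade acme` will silently put the packaged 2.8.5 script back; suggest pointing at a tagged release (the text already names 3.0.1), recording its checksum beside the install command, and telling the reader how to confirm which copy of acme.sh is in use after an upgrade. Two smaller points in the same region: the install line reads `.acme.sh --install --home /usr/lib/acme ...` where `./acme.sh --install ...` is presumably meant, and the `/etc/profile` snippet both exports `LE_CONFIG_HOME="/etc/acme/config"` and repeats `--config-home '/etc/acme/config'` in the alias, so one of the two is redundant. The revision itself only changes whitespace here (`=== Choices ===` to `===Choices===`, `* ` to `*`), no objection to that.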
Line 110: | Line 113: | ||
===Using DNS (BIND / Named) to Obtain a Certificate (with a Certbot comparison thrown in)=== | ===Using DNS (BIND / Named) to Obtain a Certificate (with a Certbot comparison thrown in)=== | ||
All of the below assume you are running your own fully functional BIND / Named server. | |||
====BIND / Named Stuff to do==== | ====BIND / Named Stuff to do==== | ||
First generate a "user name / password" (AKA ''[https://linux.die.net/man/8/dnssec-keygen nametype]''and ''[https://linux.die.net/man/8/dnssec-keygen key]'') | First generate a "user name / password" (AKA ''[https://linux.die.net/man/8/dnssec-keygen nametype]''and ''[https://linux.die.net/man/8/dnssec-keygen key]'') | ||
*Acme.sh: dnssec-keygen -a hmac-sha512 -b 512 -n USER | *Acme.sh: dnssec-keygen -a hmac-sha512 -b 512 -n USER WhatEverFileOrKeyName (Thankfully, OpenWRT's dnssec-keygen cannot create SHA512 keys, so you'll need access to another Linux System like CentOS to generate the key file) | ||
* | **Example: dnssec-keygen -a hmac-sha512 -b 512 -n USER ACME | ||
*Look for a .key and .private file in the directory the dnssec-keygen command was run in. | |||
*Copy the files to the bind / named directory, for OpenWRT it is /etc/bind OR be in that directory when the dnssec-keygen command is run | |||
*From the WhatEverName.private file, copy the information after the Key: line, IE Key: aBunchOfNumbersAndLetters (without copying Key:) | |||
*Add this information to the /etc/bind/named.conf file (default file location for many flavors of Linux) | |||
<syntaxhighlight lang="text"> | |||
key "acme" { | |||
algorithm hmac-sha512; | |||
secret "WhatEverTheStringOfTextIsInThePrivateFile"; | |||
}; | |||
</syntaxhighlight> | |||
*Add this information to the specific zone that will be updated (If the below allow-update directive is in place and has an existing key, just add the additional key line); | |||
<syntaxhighlight lang="text"> | |||
zone "WhatEverZoneName.comORorgORnet" { | |||
type master; | |||
allow-update { | |||
key acme; | |||
}; | |||
file "/etc/bind/masters/WhatEverZoneName.comORorgORnet"; | |||
}; | |||
</syntaxhighlight> | |||
====Acme.sh Stuff to do==== | ====Acme.sh Stuff to do==== |
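Review bot: `allow-update { key acme; };` on the zone lets whoever holds the acme TSIG key add or delete any record in `WhatEverZoneName.comORorgORnet`, not only the `_acme-challenge` TXT records the client needs, and that key is going to live on the router next to the acme.sh configuration; suggest replacing `allow-update` with an `update-policy` that grants the key only TXT at the challenge name, e.g. `grant acme name _acme-challenge.WhatEverZoneName.comORorgORnet. TXT;`, and adding a sentence that `/etc/bind/named.conf` and the copied `.private` file both now contain the secret and should not be world-readable. Two wording points: "Thankfully, OpenWRT's dnssec-keygen cannot create SHA512 keys" reads as if "Unfortunately" was intended, and `nametype]''and` on the first line of this section is missing a space.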