29 Haziran 2025 Pazar

Letsencrypt uacme on Keenetic routers

on   with Hiç yorum yok

I will add my steps of letsencrypt wildcard SSL certification and it's automation via cronjobs processes for further documentation. 

I want wildcard dns for my domain and it required DNS-based challange. For handling challange events we will be using a hook script named dns-hook.sh

The router should have opkg already installed. 

KeeneticOS by have  libopenssl - 3.1 by default. You need to upprade to 3.5 or a newer version. 
You need to update by running 

 opkg update
opkg update libopenssl


opkg install uacme

uacme -v -c /opt/etc/ssl/uacme new

mkdir -p /opt/share/www/.well-known/acme-challenge

mkdir -p /opt/etc/ssl/uacme
mkdir -p /opt/etc/ssl/private



~ # cat /opt/etc/ssl/uacme/dns-hook.sh
#!/bin/sh
# DNS-01 challenge hook for uacme
# Usage: dns-hook.sh begin|done|failed dns-01 domain token key_auth
METHOD=$1
TYPE=$2
DOMAIN=$3
TOKEN=$4
KEY_AUTH=$5


TXT_NAME="_acme-challenge.${DOMAIN}"
TXT_VALUE="${KEY_AUTH}"
case "$METHOD" in
"begin")
echo "Please create the following DNS TXT record:"
echo "Name: ${TXT_NAME}"
echo "Value: ${TXT_VALUE}"
echo ""
echo "Press Enter when DNS record is created and propagated..."
read dummy
;;

"done")
echo "Challenge completed for ${DOMAIN}"
echo "You can now remove the TXT record: ${TXT_NAME}"
;;

"failed")

echo "Challenge failed for ${DOMAIN}"
;;

esac
uacme -v -c /opt/etc/ssl/uacme -h /opt/etc/ssl/uacme/dns-hook.sh issue '*.fizyonops.com



#for my haproxy instance

mkdir -p /opt/etc/haproxy/certs/



cat /opt/etc/ssl/uacme/fizyonops.com/cert.pem \
/opt/etc/ssl/uacme/private/fizyonops.com/key.pem \
> /opt/etc/haproxy/certs/fizyonops.com.pem

# Set permissions
chmod 600 /opt/etc/haproxy/certs/fizyonops.com.pem




opkg install cron

# Start cron service
/opt/etc/init.d/S10cron start cat > /opt/bin/renew-certs.sh << 'EOF' #!/bin/sh DOMAIN="fizyonops.com" UACME_DIR="/opt/etc/ssl/uacme" HAPROXY_DIR="/opt/etc/haproxy/certs" uacme -c $UACME_DIR issue $DOMAIN cat $UACME_DIR/$DOMAIN/cert.pem \ $UACME_DIR/private/$DOMAIN/key.pem \ > $HAPROXY_DIR/$DOMAIN.pem # Restart HAProxy /opt/etc/init.d/S99haproxy restart EOF chmod +x /opt/bin/renew-certs.sh # manually add the cronjob via crontab -e 0 3 * * 1 /opt/bin/renew-certs.sh





Share:

0 yorum:

Yorum Gönder