I will document my steps for obtaining a Let's Encrypt wildcard SSL certificate and automating its renewal via cron jobs, for future reference.
I want a wildcard certificate for my domain, and that requires the DNS-based challenge (DNS-01). For handling the challenge events we will be using a hook script named dns-hook.sh.
The router should have opkg already installed.
KeeneticOS ships libopenssl 3.1 by default. You need to upgrade to 3.5 or a newer version.
To do that, run:
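# Refresh the package lists first; "opkg update" only downloads the lists and
# does not change any installed package.
opkg update
# Upgrading an installed package is "opkg upgrade", not "opkg update"
# (libopenssl 3.1 -> 3.5 or newer, as required above).
opkg upgrade libopenssl
opkg install uacme
# Create the working directories before registering the ACME account so the
# configuration path passed with -c already exists.
mkdir -p /opt/share/www/.well-known/acme-challenge
mkdir -p /opt/etc/ssl/uacme
mkdir -p /opt/etc/ssl/private
# Register a new ACME account under /opt/etc/ssl/uacme (-v: verbose output).
uacme -v -c /opt/etc/ssl/uacme new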
~ # cat /opt/etc/ssl/uacme/dns-hook.sh
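#!/bin/sh
# DNS-01 challenge hook for uacme
# Usage: dns-hook.sh begin|done|failed dns-01 domain token key_auth
#
# uacme calls this hook with "begin" when the _acme-challenge TXT record must
# be published, and later with "done" or "failed" once the record may be
# removed.  This hook is manual: it prints the record and waits for Enter, so
# it only works in an interactive session (it will block forever if run
# unattended, e.g. from cron).
# Exit status: 0 for begin/done/failed; 1 for an unknown method, which is
# reported back to uacme as a hook failure.
METHOD=$1
TYPE=$2        # challenge type (unused here)
DOMAIN=$3
TOKEN=$4       # challenge token (unused here; the TXT value is key_auth)
KEY_AUTH=$5
TXT_NAME="_acme-challenge.${DOMAIN}"
TXT_VALUE="${KEY_AUTH}"
case "$METHOD" in
"begin")
  echo "Please create the following DNS TXT record:"
  echo "Name: ${TXT_NAME}"
  echo "Value: ${TXT_VALUE}"
  echo ""
  echo "Press Enter when DNS record is created and propagated..."
  # -r keeps a stray backslash in the typed line from being interpreted
  read -r dummy
  ;;
"done")
  echo "Challenge completed for ${DOMAIN}"
  echo "You can now remove the TXT record: ${TXT_NAME}"
  ;;
"failed")
  echo "Challenge failed for ${DOMAIN}"
  ;;
*)
  echo "dns-hook.sh: unknown method '${METHOD}'" >&2
  exit 1
  ;;
esac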
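# Issue the wildcard certificate using the DNS-01 hook.  The identifier must be
# quoted so the shell does not glob "*", and the closing quote must be present
# (the original line was missing it, which leaves the shell waiting for input).
uacme -v -c /opt/etc/ssl/uacme -h /opt/etc/ssl/uacme/dns-hook.sh issue '*.fizyonops.com'
# Combined certificate + key file for my HAProxy instance
mkdir -p /opt/etc/haproxy/certs/
# Build the PEM (certificate chain first, then the private key) inside a
# subshell with a restrictive umask, so the file containing the key is never
# world-readable, not even between creation and the chmod below.
( umask 077
  cat /opt/etc/ssl/uacme/fizyonops.com/cert.pem \
    /opt/etc/ssl/uacme/private/fizyonops.com/key.pem \
    > /opt/etc/haproxy/certs/fizyonops.com.pem )
# Set permissions (explicit, in case the file already existed with wider mode)
chmod 600 /opt/etc/haproxy/certs/fizyonops.com.pem
opkg install cron
# Start cron service
/opt/etc/init.d/S10cron start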
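# Renewal script, run unattended from cron.  The here-doc delimiter is quoted
# so nothing is expanded while writing the file.
cat > /opt/bin/renew-certs.sh << 'EOF'
#!/bin/sh
# Renew the wildcard certificate and hand the new key/cert bundle to HAProxy.
# Exit status: 0 if nothing needed renewing or renewal succeeded, uacme's
# status (2) on error, non-zero on any failed step.
set -eu
DOMAIN="fizyonops.com"
UACME_DIR="/opt/etc/ssl/uacme"
HOOK="${UACME_DIR}/dns-hook.sh"
HAPROXY_DIR="/opt/etc/haproxy/certs"

# Renew the same identifier that was issued originally (the wildcard), with the
# same DNS-01 hook.  Without -h uacme falls back to the http-01 challenge,
# which cannot validate a wildcard name, and issuing the bare domain would
# overwrite the wildcard certificate in the same directory.
# NOTE: the hook must not wait for keyboard input when run from cron.
# uacme exit status: 0 = new certificate issued, 1 = current one still valid
# (nothing to do), 2 = error.
rc=0
uacme -c "$UACME_DIR" -h "$HOOK" issue "*.${DOMAIN}" || rc=$?
case "$rc" in
  0) ;;
  1) echo "Certificate for ${DOMAIN} is still valid, no renewal needed"; exit 0 ;;
  *) echo "uacme failed with status ${rc}" >&2; exit "$rc" ;;
esac

# Build the combined PEM (certificate chain, then key) for HAProxy without
# ever leaving it world-readable: write it with a private umask, then move it
# into place so HAProxy never sees a half-written file.
umask 077
tmp="${HAPROXY_DIR}/${DOMAIN}.pem.tmp"
cat "${UACME_DIR}/${DOMAIN}/cert.pem" \
    "${UACME_DIR}/private/${DOMAIN}/key.pem" > "$tmp"
chmod 600 "$tmp"
mv -f "$tmp" "${HAPROXY_DIR}/${DOMAIN}.pem"

# Restart HAProxy so it loads the renewed certificate
/opt/etc/init.d/S99haproxy restart
EOF
chmod +x /opt/bin/renew-certs.sh
# Manually add the cron job via "crontab -e" (every Monday at 03:00):
0 3 * * 1 /opt/bin/renew-certs.sh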