Let’s encrypt - run-acme script

Hello!

In your repository package acme_2.8.5-4_all.ipk is published, but it is not working fully for Turris Omnia!
Why didn’t you make changes to script run-acme in accordance with steps published in Wiki record (Let's Encrypt with Lighttpd (Simple) [Turris wiki])?

Thanks for your very prompt Turris support :rofl:

I asked the question and I will answer it…

Was modified me two files:

based on acme_2.8.5-4_all.ipk

/usr/lib/acme/run-acme
#!/bin/sh
# Wrapper for acme.sh to work on openwrt.
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# Author: Toke Høiland-Jørgensen <toke@toke.dk>

CHECK_CRON=$1
ACME=/usr/lib/acme/acme.sh
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export NO_TIMESTAMP=1

UHTTPD_LISTEN_HTTP=
STATE_DIR='/etc/acme'
ACCOUNT_EMAIL=
DEBUG=0
NGINX_WEBSERVER=0
LIGHTTPD_WEBSERVER=0
UPDATE_NGINX=0
UPDATE_UHTTPD=0
UPDATE_LIGHTTPD=0

. /lib/functions.sh

check_cron()
{
    [ -f "/etc/crontabs/root" ] && grep -q '/etc/init.d/acme' /etc/crontabs/root && return
    echo "3 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root
    /etc/init.d/cron start
}

log()
{
    logger -t acme -s -p daemon.info -- "$@"
}

err()
{
    logger -t acme -s -p daemon.err -- "$@"
}

debug()
{
    [ "$DEBUG" -eq "1" ] && logger -t acme -s -p daemon.debug -- "$@"
}

get_listeners() {
    local proto rq sq listen remote state program
    netstat -nptl 2>/dev/null | while read proto rq sq listen remote state program; do
        case "$proto#$listen#$program" in
            tcp#*:80#[0-9]*/*) echo -n "${program%% *} " ;;
        esac
    done
}

run_acme()
{
    debug "Running acme.sh as '$ACME $@'"
    $ACME "$@"
}

pre_checks()
{
    main_domain="$1"

    log "Running pre checks for $main_domain."

    listeners="$(get_listeners)"

    debug "port80 listens: $listeners"

    for listener in $(get_listeners); do
        pid="${listener%/*}"
        cmd="${listener#*/}"

        case "$cmd" in
            uhttpd)
                debug "Found uhttpd listening on port 80; trying to disable."

                UHTTPD_LISTEN_HTTP=$(uci get uhttpd.main.listen_http)

                if [ -z "$UHTTPD_LISTEN_HTTP" ]; then
                    err "$main_domain: Unable to find uhttpd listen config."
                    err "Manually disable uhttpd or set webroot to continue."
                    return 1
                fi

                uci set uhttpd.main.listen_http=''
                uci commit uhttpd || return 1
                if ! /etc/init.d/uhttpd reload; then
                    uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
                    uci commit uhttpd
                    return 1
                fi
            ;;
            nginx*)
                debug "Found nginx listening on port 80; trying to disable."
                NGINX_WEBSERVER=1
                local tries=0
                while grep -sq "$cmd" "/proc/$pid/cmdline" && kill -0 "$pid"; do
                /etc/init.d/nginx stop
                    if [ $tries -gt 10 ]; then
                        debug "Can't stop nginx. Terminating script."
                        return 1
                    fi
                    debug "Waiting for nginx to stop..."
                    tries=$((tries + 1))
                    sleep 1
                done
            ;;
            lighttpd)
                debug "Found lighttpd listening on port 80; checking configugation."
                LIGHTTPD_WEBSERVER=1
                if ! [ -e /www/letsencrypt/.well-known/acme-challenge/ ]; then
                    debug "Creating acme-challenge directory in webroot."
                    mkdir -p /www/letsencrypt/.well-known/acme-challenge/
                fi
                if ! [ -e etc/lighttpd/conf.d/acme-challenge.conf ]; then
                    echo 'alias.url += ( "/.well-known/acme-challenge/" => "/www/letsencrypt/.well-known/acme-challenge/")' \
                    > /etc/lighttpd/conf.d/acme-challenge.conf
                    /etc/init.d/lighttpd restart
                fi
            ;;
            "")
                debug "Nothing listening on port 80."
            ;;
            *)
                err "$main_domain: Cannot run in standalone mode; another daemon is listening on port 80."
                err "Disable other daemon or set webroot to continue."
                return 1
            ;;
        esac
    done

    iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
    ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1
    debug "v4 input_rule: $(iptables -nvL input_rule)"
    debug "v6 input_rule: $(ip6tables -nvL input_rule)"
    return 0
}

post_checks()
{
    local main_domain
    local domain_dir
    main_domain="$1"
    domain_dir="$2"

    log "Running post checks (cleanup)."
    # The comment ensures we only touch our own rules. If no rules exist, that
    # is fine, so hide any errors
    iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null
    ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null

    if [ -e /etc/init.d/uhttpd ] && ( [ -n "$UHTTPD_LISTEN_HTTP" ] || [ "$UPDATE_UHTTPD" -eq 1 ] ); then
        if [ -n "$UHTTPD_LISTEN_HTTP" ]; then
            uci set uhttpd.main.listen_http="$UHTTPD_LISTEN_HTTP"
            UHTTPD_LISTEN_HTTP=
        fi
        uci commit uhttpd
        /etc/init.d/uhttpd restart
    fi

    if [ -e /etc/init.d/nginx ] && ( [ "$NGINX_WEBSERVER" -eq 1 ] || [ "$UPDATE_NGINX" -eq 1 ] ); then
        NGINX_WEBSERVER=0
        /etc/init.d/nginx restart
    fi

    if [ -e /etc/init.d/lighttpd ] && ( [ "$LIGHTTPD_WEBSERVER" -eq 1 ] || [ "$UPDATE_LIGHTTPD" -eq 1 ] ); then
        if [ "$UPDATE_LIGHTTPD" -eq 1 ] && [ "${domain_dir}/${main_domain}.cer" -nt /etc/lighttpd-self-signed.pem ]; then
            debug "Updating lighttpd-self-signed.pem"
            cat "${domain_dir}/${main_domain}.cer" "${domain_dir}/${main_domain}.key" > /etc/lighttpd-self-signed.pem
        fi
        LIGHTTPD_WEBSERVER=0
        /etc/init.d/lighttpd restart
    fi
}

err_out()
{
    post_checks
    exit 1
}

int_out()
{
    post_checks
    trap - INT
    kill -INT $$
}

is_staging()
{
    local main_domain
    local domain_dir
    main_domain="$1"
    domain_dir="$2"

    grep -q "acme-staging" "${domain_dir}/${main_domain}.conf"
    return $?
}

issue_cert()
{
    local section="$1"
    local acme_args=
    local enabled
    local use_staging
    local update_uhttpd
    local update_nginx
    local update_lighttpd
    local keylength
    local keylength_ecc=0
    local domains
    local main_domain
    local moved_staging=0
    local failed_dir
    local webroot
    local dns
    local ret
    local domain_dir

    config_get_bool enabled "$section" enabled 0
    config_get_bool use_staging "$section" use_staging
    config_get_bool update_uhttpd "$section" update_uhttpd
    config_get_bool update_nginx "$section" update_nginx
    config_get_bool update_lighttpd "$section" update_lighttpd
    config_get domains "$section" domains
    config_get keylength "$section" keylength
    config_get webroot "$section" webroot
    config_get dns "$section" dns

    UPDATE_NGINX=$update_nginx
    UPDATE_UHTTPD=$update_uhttpd
    UPDATE_LIGHTTPD=$update_lighttpd

    [ "$enabled" -eq "1" ] || return

    [ "$DEBUG" -eq "1" ] && acme_args="$acme_args --debug"

    set -- $domains
    main_domain=$1

    [ -n "$webroot" ] || [ -n "$dns" ] || pre_checks "$main_domain" || return 1

    if echo $keylength | grep -q "^ec-"; then
        domain_dir="$STATE_DIR/${main_domain}_ecc"
        keylength_ecc=1
    else
        domain_dir="$STATE_DIR/${main_domain}"
    fi

    log "Running ACME for $main_domain"

    handle_credentials() {
        local credential="$1"
        eval export $credential
    }
    config_list_foreach "$section" credentials handle_credentials

    if [ -e "$domain_dir" ]; then
        if [ "$use_staging" -eq "0" ] && is_staging "$main_domain" "$domain_dir"; then
            log "Found previous cert issued using staging server. Moving it out of the way."
            mv "$domain_dir" "${domain_dir}.staging"
            moved_staging=1
        else
            log "Found previous cert config. Issuing renew."
            [ "$keylength_ecc" -eq "1" ] && acme_args="$acme_args --ecc"
            run_acme --home "$STATE_DIR" --renew -d "$main_domain" $acme_args && ret=0 || ret=1
            post_checks "$main_domain" "$domain_dir"
            return $ret
        fi
    fi

    acme_args="$acme_args $(for d in $domains; do echo -n "-d $d "; done)"
    acme_args="$acme_args --keylength $keylength"
    [ -n "$ACCOUNT_EMAIL" ] && acme_args="$acme_args --accountemail $ACCOUNT_EMAIL"
    [ "$use_staging" -eq "1" ] && acme_args="$acme_args --staging"

    if [ -n "$dns" ]; then
        log "Using dns mode"
        acme_args="$acme_args --dns $dns"
    elif [ -z "$webroot" ]; then
        log "Using standalone mode"
        acme_args="$acme_args --standalone --listen-v6"
    else
        if [ ! -d "$webroot" ]; then
            err "$main_domain: Webroot dir '$webroot' does not exist!"
            post_checks
            return 1
        fi
        log "Using webroot dir: $webroot"
        acme_args="$acme_args --webroot $webroot"
    fi

    if ! run_acme --home "$STATE_DIR" --issue $acme_args; then
        failed_dir="${domain_dir}.failed-$(date +%s)"
        err "Issuing cert for $main_domain failed. Moving state to $failed_dir"
        [ -d "$domain_dir" ] && mv "$domain_dir" "$failed_dir"
        if [ "$moved_staging" -eq "1" ]; then
            err "Restoring staging certificate"
            mv "${domain_dir}.staging" "${domain_dir}"
        fi
        post_checks
        return 1
    fi

    if [ -e /etc/init.d/uhttpd ] && [ "$update_uhttpd" -eq "1" ]; then
        uci set uhttpd.main.key="${domain_dir}/${main_domain}.key"
        uci set uhttpd.main.cert="${domain_dir}/fullchain.cer"
        # commit and reload is in post_checks
    fi

    if [ -e /etc/init.d/nginx ] && [ "$update_nginx" -eq "1" ]; then
        sed -i "s#ssl_certificate\ .*#ssl_certificate ${domain_dir}/fullchain.cer;#g" /etc/nginx/nginx.conf
        sed -i "s#ssl_certificate_key\ .*#ssl_certificate_key ${domain_dir}/${main_domain}.key;#g" /etc/nginx/nginx.conf
        # commit and reload is in post_checks
    fi

    post_checks
}

load_vars()
{
    local section="$1"

    STATE_DIR=$(config_get "$section" state_dir)
    ACCOUNT_EMAIL=$(config_get "$section" account_email)
    DEBUG=$(config_get "$section" debug)
}

check_cron
[ -n "$CHECK_CRON" ] && exit 0
[ -e "/var/run/acme_boot" ] && rm -f "/var/run/acme_boot" && exit 0

config_load acme
config_foreach load_vars acme

if [ -z "$STATE_DIR" ] || [ -z "$ACCOUNT_EMAIL" ]; then
    err "state_dir and account_email must be set"
    exit 1
fi

[ -d "$STATE_DIR" ] || mkdir -p "$STATE_DIR"

trap err_out HUP TERM
trap int_out INT

config_foreach issue_cert cert

exit 0

based on luci-app-acme_2.8.5-4_all.ipk package

/usr/lib/lua/luci/model/cbi/acme.lua
--[[
LuCI - Lua Configuration Interface

Copyright 2016 Toke Høiland-Jørgensen <toke@toke.dk>

# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.

]]--

local fs = require "nixio.fs"

local nginx_presence = fs.access("/usr/sbin/nginx") or false
local uhttpd_presence = fs.access("/usr/sbin/uhttpd") or false
local lighttpd_presence = fs.access("/usr/sbin/lighttpd") or false

m = Map("acme", translate("ACME certificates"),
	translate("This configures ACME (Letsencrypt) automatic certificate installation. " ..
                  "Simply fill out this to have the router configured with Letsencrypt-issued " ..
                  "certificates for the web interface. " ..
                  "Note that the domain names in the certificate must already be configured to " ..
                  "point at the router's public IP address. " ..
                  "Once configured, issuing certificates can take a while. " ..
                  "Check the logs for progress and any errors."))

s = m:section(TypedSection, "acme", translate("ACME global config"))
s.anonymous = true

st = s:option(Value, "state_dir", translate("State directory"),
              translate("Where certs and other state files are kept."))
st.rmempty = false
st.datatype = "directory"

ae = s:option(Value, "account_email", translate("Account email"),
              translate("Email address to associate with account key."))
ae.rmempty = false
ae.datatype = "minlength(1)"

d = s:option(Flag, "debug", translate("Enable debug logging"))
d.rmempty = false

cs = m:section(TypedSection, "cert", translate("Certificate config"))
cs.anonymous = false
cs.addremove = true

e = cs:option(Flag, "enabled", translate("Enabled"))
e.rmempty = false

us = cs:option(Flag, "use_staging", translate("Use staging server"),
               translate("Get certificate from the Letsencrypt staging server " ..
                         "(use for testing; the certificate won't be valid)."))
us.rmempty = false

kl = cs:option(ListValue, "keylength", translate("Key size"),
               translate("Key size (and type) for the generated certificate."))
kl:value("2048", "RSA 2048 bits")
kl:value("3072", "RSA 3072 bits")
kl:value("4096", "RSA 4096 bits")
kl:value("ec-256", "ECC 256 bits")
kl:value("ec-384", "ECC 384 bits")
kl.default = "2048"
kl.rmempty = false

if uhttpd_presence then
u = cs:option(Flag, "update_uhttpd", translate("Use for uhttpd"),
              translate("Update the uhttpd config with this certificate once issued " ..
                        "(only select this for one certificate)." ..
                        "Is also available luci-app-uhttpd to configure uhttpd form the LuCI interface."))
u.rmempty = false
end

if nginx_presence then
u = cs:option(Flag, "update_nginx", translate("Use for nginx"),
              translate("Update the nginx config with this certificate once issued " ..
                        "(only select this for one certificate)." ..
                        "Nginx must support ssl, if not it won't start as it needs to be " ..
                        "compiled with ssl support to use cert options"))
u.rmempty = false
end

if lighttpd_presence then
u = cs:option(Flag, "update_lighttpd", translate("Use for lighttpd"),
              translate("Update the lighttpd config with this certificate once issued " ..
                        "(only select this for one certificate). " ..
                        "Lighttdp must support ssl, if not it won't start as it needs to be " ..
                        "compiled with ssl support to use cert options"))
u.rmempty = false
end

wr = cs:option(Value, "webroot", translate("Webroot directory"),
               translate("Webserver root directory. Set this to the webserver " ..
                         "document root to run Acme in webroot mode. The web " ..
                         "server must be accessible from the internet on port 80."))
wr.optional = true

dom = cs:option(DynamicList, "domains", translate("Domain names"),
                translate("Domain names to include in the certificate. " ..
                          "The first name will be the subject name, subsequent names will be alt names. " ..
                          "Note that all domain names must point at the router in the global DNS."))
dom.datatype = "list(string)"

dns = cs:option(Value, "dns", translate("DNS API"),
                translate("To use DNS mode to issue certificates, set this to the name of a DNS API supported by acme.sh. " ..
                          "See https://github.com/Neilpang/acme.sh/tree/master/dnsapi for the list of available APIs. " ..
                          "In DNS mode, the domain name does not have to resolve to the router IP. " ..
                          "DNS mode is also the only mode that supports wildcard certificates. " ..
                          "Using this mode requires the acme-dnsapi package to be installed."))
dns.optional = true

cred = cs:option(DynamicList, "credentials", translate("DNS API credentials"),
                 translate("The credentials for the DNS API mode selected above. " ..
                           "See https://github.com/Neilpang/acme.sh/tree/master/dnsapi#how-to-use-dns-api for the format of credentials required by each API. " ..
                           "Add multiple entries here in KEY=VAL shell variable format to supply multiple credential variables."))
cred.datatype = "list(string)"

return m

It adds native support to cert update of lighttpd web server that configure from LuCI.

3 Likes

For clarity, this is a community forum. Official technical support is elsewhere. Support - Turris Documentation

EDIT: though I’m unsure if the official support would even cover this particular question.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.