See instead the community documentation, where I moved this procedure, including the changes needed for Turris 3.9+:
Turris Documentation
Hi everyone.
For some time I was looking for a reliable way to set up an HTTPS certificate from Let's Encrypt. There is already one thread for this, but it is not perfect and not suitable for my needs, so I prepared a set of scripts to cover the problem. If you are interested, see below.
The conditions I needed to cover:
- full automation
- currently nothing is listening on the HTTPS port (I use a different port for Foris / LuCI)
If your setup is different you need to modify my solution accordingly.
I decided to use the acme.sh script, which is quite simple and has no prerequisites.
https://github.com/Neilpang/acme.sh
Installation:
Very simple if you don't want any customization and everything can remain under /root:
wget -O - https://get.acme.sh | sh
Note that this pipes a script fetched over the network straight into a root shell; if you would rather download it and inspect it before running it, check the other install options: https://github.com/Neilpang/acme.sh/wiki/How-to-install
New certificate:
A few notes:
- I do not have anything listening on, or allowed through, HTTPS port 443
- acme.sh runs its own "server" on port 443 during domain verification
→ the firewall must be updated to pass packets to port 443 temporarily
→ lighttpd must be restarted for the new certificates (and stopped first so it does not block acme.sh if you use the default HTTPS port)
Everything below happens in /root/.acme.sh (the default setup).
Create the file add443.gw:
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '<TURRIS_IP>'
	option dest_port '443'
	option name 'Turris Lets encrypt'
Create the file get_acme.sh:
#!/bin/bash
VER=1.0.0
# Work in the acme.sh directory regardless of where the script is started from
cd /root/.acme.sh || exit 1
# Backup firewall config
# Update firewall rules to allow access via port 443 from internet
cp /etc/config/firewall /etc/config/firewall~
cat add443.gw >> /etc/config/firewall
/etc/init.d/firewall reload
# Stop lighttpd as acme.sh is starting its own daemon
/etc/init.d/lighttpd stop
# Trigger request to Let's Encrypt (and ensure to have the directory)
mkdir -p /etc/lighttpd/certs
./acme.sh --issue --tls -d <DOMAIN> --certhome /etc/lighttpd/certs --ca-path /etc/ssl/certs
# Prepare the certificates for lighttpd
./acme.sh --install-cert -d <DOMAIN> --certhome /etc/lighttpd/certs --cert-file /etc/lighttpd/host.crt --key-file /etc/lighttpd/host.key --fullchain-file /etc/lighttpd/fullchain.crt --reloadcmd "cat /etc/lighttpd/host.crt /etc/lighttpd/host.key > /etc/lighttpd/hostkey.pem"
# Start lighttpd again
/etc/init.d/lighttpd start
# Restore firewall to original state
mv /etc/config/firewall~ /etc/config/firewall
/etc/init.d/firewall reload
We are ready to trigger the certificate request:
chmod +x get_acme.sh
/root/.acme.sh/get_acme.sh
Now the certificates are acquired and prepared for lighttpd. Update the configuration file as follows:
/etc/lighttpd/conf.d/ssl-enable.conf
# This setting enables HTTPS with the Let's Encrypt certificate
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/hostkey.pem"
ssl.ca-file = "/etc/lighttpd/fullchain.crt"
}
$SERVER["socket"] == "[::]:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/hostkey.pem"
ssl.ca-file = "/etc/lighttpd/fullchain.crt"
}
Then restart lighttpd once more. This is deliberately not automated.
Certificate renewal:
The situation is very similar to a new certificate, so add443.gw is reused.
Create the file renew_acme.sh:
#!/bin/bash
VER=1.0.0
# Work in the acme.sh directory regardless of where cron starts the script
cd /root/.acme.sh || exit 1
# Backup firewall config
# Update firewall rules to allow access via port 443 from internet
cp /etc/config/firewall /etc/config/firewall~
cat add443.gw >> /etc/config/firewall
/etc/init.d/firewall reload
# Stop lighttpd as acme.sh is starting its own daemon
/etc/init.d/lighttpd stop
# Trigger renewal request to Let's Encrypt
./acme.sh --cron --certhome /etc/lighttpd/certs --ca-path /etc/ssl/certs
# Prepare the certificates for lighttpd
./acme.sh --install-cert -d <DOMAIN> --certhome /etc/lighttpd/certs --cert-file /etc/lighttpd/host.crt --key-file /etc/lighttpd/host.key --fullchain-file /etc/lighttpd/fullchain.crt --reloadcmd "cat /etc/lighttpd/host.crt /etc/lighttpd/host.key > /etc/lighttpd/hostkey.pem"
# Start lighttpd again
/etc/init.d/lighttpd start
# Restore firewall to original state
mv /etc/config/firewall~ /etc/config/firewall
/etc/init.d/firewall reload
Now just make it executable:
chmod +x renew_acme.sh
As the last step, add this to cron with the frequency you prefer. Let's Encrypt suggests daily but once a week should be enough.
/root/.acme.sh/renew_acme.sh
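Both get_acme.sh and renew_acme.sh above run the same sequence (open port 443, stop lighttpd, run acme.sh, start lighttpd, restore the firewall), and if acme.sh fails or the run is interrupted halfway, the router is left with port 443 forwarded and lighttpd stopped. The script below is an added example, not the post's own script or anything shipped with acme.sh: it keeps the same steps but guarantees the restore via a trap, refuses to run on top of a leftover backup, checks afterwards that the temporary rule is really gone, and makes the combined cert+key file non-world-readable. Two things differ from the post's invocation and are assumptions about current acme.sh: `--alpn` (tls-alpn-01 on port 443) replaces `--tls`, since the tls-sni-01 challenge behind `--tls` is no longer offered by Let's Encrypt, and `--server letsencrypt` is passed explicitly because newer acme.sh defaults to a different CA. The *_CMD style variables and the ACME_DOMAIN/ACME_HOME variables are this example's own, so the logic can be exercised without touching a live router.

```shell
#!/bin/sh
# Added example (not the post's script): open-443 / stop-lighttpd / acme.sh /
# start-lighttpd / restore-firewall, with the restore guaranteed by a trap.
# All defaults below are assumptions mirroring the post; override via env.

FW_CONF="${FW_CONF:-/etc/config/firewall}"
RULE_FILE="${RULE_FILE:-/root/.acme.sh/add443.gw}"
RULE_NAME="${RULE_NAME:-Turris Lets encrypt}"      # 'option name' in add443.gw
FW_RELOAD="${FW_RELOAD:-/etc/init.d/firewall reload}"
HTTPD_STOP="${HTTPD_STOP:-/etc/init.d/lighttpd stop}"
HTTPD_START="${HTTPD_START:-/etc/init.d/lighttpd start}"
CERT_HOME="${CERT_HOME:-/etc/lighttpd/certs}"

# fw_rule_present FILE: succeeds if the temporary DNAT rule is still in FILE.
fw_rule_present() {
    grep -qF "option name '$RULE_NAME'" "$1"
}

# fw_open_443 FILE RULEFILE: back FILE up, append the rule, reload the firewall.
# A leftover backup means an earlier run never restored; stop rather than
# stack a second copy of the rule on top of an already-open config.
fw_open_443() {
    if [ -e "$1~" ]; then
        echo "fw_open_443: stale backup $1~ found, not opening 443" >&2
        return 1
    fi
    cp "$1" "$1~" && cat "$2" >> "$1" && $FW_RELOAD
}

# fw_restore FILE: put the backup back and reload; a no-op if there is none.
fw_restore() {
    [ -e "$1~" ] || return 0
    mv "$1~" "$1" && $FW_RELOAD
}

# with_443_open CMD...: run CMD with 443 forwarded and lighttpd stopped.
# Returns CMD's exit status; lighttpd and the firewall are always put back,
# including when CMD fails or the script is killed with INT/TERM.
with_443_open() {
    fw_open_443 "$FW_CONF" "$RULE_FILE" || return 1
    $HTTPD_STOP
    trap 'fw_restore "$FW_CONF"; $HTTPD_START' EXIT
    trap 'exit 130' INT TERM
    "$@"
    rc=$?
    trap - EXIT INT TERM
    $HTTPD_START
    fw_restore "$FW_CONF"
    return $rc
}

# main MODE DOMAIN: MODE is "issue" (first certificate) or "renew" (cron run).
main() {
    cd "${ACME_HOME:-/root/.acme.sh}" || exit 1
    mkdir -p "$CERT_HOME"
    if [ "$1" = issue ]; then
        # --alpn: tls-alpn-01 on port 443 (assumed replacement for the post's
        # --tls); --server letsencrypt: pick the CA explicitly.
        with_443_open ./acme.sh --issue --alpn -d "$2" \
            --server letsencrypt --certhome "$CERT_HOME" || exit 1
    else
        with_443_open ./acme.sh --cron --certhome "$CERT_HOME" || exit 1
    fi
    # chmod 600: the combined cert+key file must not be world-readable.
    ./acme.sh --install-cert -d "$2" --certhome "$CERT_HOME" \
        --cert-file /etc/lighttpd/host.crt --key-file /etc/lighttpd/host.key \
        --fullchain-file /etc/lighttpd/fullchain.crt \
        --reloadcmd "cat /etc/lighttpd/host.crt /etc/lighttpd/host.key > /etc/lighttpd/hostkey.pem && chmod 600 /etc/lighttpd/hostkey.pem && /etc/init.d/lighttpd restart" \
        || exit 1
    # The check a cron job should make: is the hole in the firewall closed?
    if fw_rule_present "$FW_CONF"; then
        echo "WARNING: temporary 443 rule still present in $FW_CONF" >&2
        exit 2
    fi
}

# Only act when a domain is supplied, so the functions can also be sourced:
#   ACME_DOMAIN=router.example.net sh acme_safe.sh issue
#   ACME_DOMAIN=router.example.net sh acme_safe.sh renew   (for cron)
if [ -n "${ACME_DOMAIN:-}" ]; then
    main "${1:-renew}" "$ACME_DOMAIN"
fi
```

Use `issue` once by hand and `renew` from cron; a second `issue` for the same domain makes acme.sh skip with a non-zero status, which this script treats as a failure. The stale-backup check means a crashed run needs a look at /etc/config/firewall~ before the next one, which is the point: silently appending the rule a second time would leave the router exposed.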