diff --git a/acme/send-cert.sh b/acme/send-cert.sh
new file mode 100755
index 0000000..a0eb9c6
--- /dev/null
+++ b/acme/send-cert.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Add to authorized_keys
+# command="/opt/acme/send-cert.sh gitea.mh3000.net 192.168.61.15" s
+
+
+if [ "$(echo $SSH_CLIENT | cut -d ' ' -f 1)" != "$2" ]; then
+ echo Invalid IP
+fi
+
+echo ""
+sudo bash -c "cd /var/lib/acme/$1 || exit 1; tar czf - *.cer *.key | base64" 2> /dev/null
+echo ""
+
+
diff --git a/acme/snippets/README.md b/acme/snippets/README.md
new file mode 100644
index 0000000..c230c57
--- /dev/null
+++ b/acme/snippets/README.md
@@ -0,0 +1,25 @@
+### acme.include
+
+Include which redirects requests which are actually for the _ACME/Let's encrypt_ .
+This way you can have apache running on port 80, but still process request from the _Let's encrypt_ service
+which also come to port 80.
+
+Example apache definition for a typical HTTP/80-virtual server would look like this now:
+```
+
+ Include /etc/apache2/vhosts.d/acme.include
+ RedirectMatch permanent ^(.*)$ https://cdn.mh3000.net/
+ TransferLog "/var/log/apache2/access_cdnmh3000-nonssl.log"
+
+```
+
+This works like this:
+- the include redirects request to the /.well-known/acme-challenge path to localhost:9432 where your
+ ACME-worker shoud listen for requests
+- All other requests will be redirect to the SSL-version of your site.
+
+E.g. with `acme.sh` you must specify then parameters `[OTHER STUFF] --issue --standalone --httpport 9432 -d [DOMAIN]`
+at initial certificate request. Renews will automatically the also use the alternate httpport.
+
+
+
diff --git a/acme/snippets/acme.include b/acme/snippets/acme.include
new file mode 100644
index 0000000..2a68347
--- /dev/null
+++ b/acme/snippets/acme.include
@@ -0,0 +1,2 @@
+ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge" timeout=10 retry=3
+ProxyPassReverse "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge"
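Review bot: The source-address check in send-cert.sh never stops the script — after `echo Invalid IP` the `if` block simply ends and execution falls through to the `sudo bash -c … tar czf - *.cer *.key | base64` line, so a caller connecting from any address still receives the certificate and its private key. The branch has to terminate, and the message belongs on stderr so it cannot be mixed into the base64 payload the client captures on stdout: `echo "Invalid IP" >&2` followed by `exit 1`. The comparison also reads an unquoted `$SSH_CLIENT`, which is empty when the script is invoked outside an SSH session, so add `[[ -n "$SSH_CLIENT" ]]` to the condition and replace the echo/cut pipeline with `[[ "${SSH_CLIENT%% *}" != "$2" ]]`. Since this runs as a forced command, `$1` and `$2` come from the fixed `command=` string in authorized_keys rather than from the client, which is worth stating in the header comment (currently truncated at `" s`), and the same source restriction can be applied natively with `from="192.168.61.15",restrict,command="…"` (the `restrict` option presumably needs a reasonably recent OpenSSH — confirm for the target host) so the in-script check becomes defence in depth rather than the only gate.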
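Review bot: acme.include carries no comment explaining its preconditions, and a reader dropping it into a vhost has to consult the README to learn that 127.0.0.1:9432 is the `acme.sh --standalone --httpport 9432` listener and that the directives require mod_proxy and mod_proxy_http to be loaded. A two-line header such as `# Forwards ACME HTTP-01 challenges to the local acme.sh standalone listener (--httpport 9432).` and `# Requires mod_proxy + mod_proxy_http; returns 503 when no worker is listening.` would make the snippet self-describing. The 503 behaviour when nothing is bound on 9432 is inferred from ProxyPass defaults rather than shown here, so confirm it before stating it.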