Reorg ACME-Stuff

acme/send-cert.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Add to authorized_keys
+# command="/opt/acme/send-cert.sh gitea.mh3000.net 192.168.61.15" s
+
+
+if [ "$(echo $SSH_CLIENT | cut -d ' ' -f 1)" != "$2" ]; then
+  echo Invalid IP
+fi
+
+echo ""
+sudo bash -c "cd /var/lib/acme/$1 || exit 1; tar czf -  *.cer *.key | base64" 2> /dev/null
+echo ""
+
+

acme/snippets/README.md

@@ -0,0 +1,25 @@
+### acme.include
+
+Include which redirects requests which are actually for the _ACME/Let's encrypt_ .
+This way you can have apache running on port 80, but still process request from the _Let's encrypt_ service 
+which also come to port 80.
+
+Example apache definition for a typical HTTP/80-virtual server would look like this now:
+```
+<VirtualHost cdn.mh3000.net:80>
+        Include /etc/apache2/vhosts.d/acme.include        
+        RedirectMatch permanent ^(.*)$ https://cdn.mh3000.net/
+        TransferLog "/var/log/apache2/access_cdnmh3000-nonssl.log"
+</VirtualHost>
+```
+
+This works like this:
+- the include redirects request to the /.well-known/acme-challenge path to localhost:9432 where your
+  ACME-worker shoud listen for requests
+- All other requests will be redirect to the SSL-version of your site.
+
+E.g. with `acme.sh` you must specify then parameters `[OTHER STUFF] --issue --standalone  --httpport 9432 -d [DOMAIN]`
+at initial certificate request. Renews will automatically the also use the alternate httpport.
+
+
+

acme/snippets/acme.include

@@ -0,0 +1,2 @@
+ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge" timeout=10 retry=3
+ProxyPassReverse "/.well-known/acme-challenge" "http://127.0.0.1:9432/.well-known/acme-challenge"