expand on non-root sudo procedure with nginx examples

nic 2022-06-09 20:14:23 -05:00
parent 3f750439dd
commit 074edeb017

81
sudo.md

@ -29,5 +29,86 @@ acme.sh --issue -d .....
Now, if you are completely sure of the issues and the possibilities with the usage of `sudo` and still want to use it, you can pass the `--force` parameter to work with sudo.
# Process
YMMV based on Linux distribution and method of installing acme.sh
## create non-root account
For this example, we use "acme" but you can use whatever you'd like.
```
useradd -d /etc/acme-sh/ -s /sbin/nologin -c "acme-sh service account" acme
chown acme:mail /etc/acme-sh/
```
## define crontab for non-root account
```
su - -s /bin/bash acme
crontab -e
```
Adjust path to your acme.sh installation script
```
12 0 * * * /usr/share/acme.sh/acme.sh --cron --home "/etc/acme-sh" > /dev/null
```
## Webserver issue method
When using the webserver method, you need to define the directories acme.sh writes to and adjust ownership to our non-root account. While monitoring the issue event logs, you might observer additional file structure permission errors when ran as non-root. From our experiences, those can be ignored as the script does not hard fail as the important directories and files creation is functional. Maybe this is where the --force should be used?
```
mkdir -p /var/www/EXAMPLE.COM/htdocs/.well-known/acme-challenge
chown acme:acme /var/www/EXAMPLE.com/htdocs/.well-known/acme-challenge
```
## nginx config
You probably already have a web daemon configuration file for your application. If you are running a mail server, you need a basic http port 80 server for acme.sh
/etc/nginx/conf.d/example.com.conf
```
server {
listen [::]:80;
listen 80;
server_name EXAMPLE.COM;
access_log /var/log/nginx/EXAMPLE.COM.access_log main;
error_log /var/log/nginx/EXAMPLE.COM.error_log info;
root /var/www/EXAMPLE.COM/htdocs;
}
```
## Register and Issue
There are more detailed instructions within the documentation and wiki for this process. This is a brief example.
```
acme.sh --register-account -m admin@example.com
acme.sh --debug --issue -d mail.example.com -d foo.example.com -d -d bar.example.com -w /var/www/EXAMPLE.COM/htdocs
```
## visudo
This grants our non-root service account super user rights to restart services during certificate renewals.
```
visudo
````
Insert this line, adjust to your deployment use-cases and sudo version
```
acme ALL=(ALL:ALL) NOPASSWD: /etc/init.d/postfix restart, /etc/init.d/dovecot restart
```
## Install
Create a new directory which our non-root account can write certificates into.
```
mkdir /etc/ssl/acme
chown acme:acme /etc/ssl/acme
```
These restart commands should match what you defined in visudo above
```
acme.sh --installcert -d mail.example.com --keypath /etc/ssl/acme/example.com.key --capath /etc/ssl/acme/example.com.ca --fullchainpath /etc/ssl/acme/example.com.crt --reloadcmd "sudo /etc/init.d/postfix restart && sudo /etc/init.d/dovecot restart"
```
## cleanup (optional)
Your distro might place a global bashrc script. This is not needed.
```
rm /etc/bash/bashrc.d/acme.sh
```
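Review bot: The closing fence after `visudo` is four backticks (````` ```` `````) instead of three, so in rendered markdown the `visudo` block is never closed and everything from "Insert this line" onward renders inside it; change it to three backticks. In the Register and Issue block the flag is doubled (`-d foo.example.com -d -d bar.example.com`), which acme.sh will read as a domain literally named `-d`; drop the extra `-d`. In the Webserver issue method block the `mkdir -p` path uses `EXAMPLE.COM` but the `chown` path uses `EXAMPLE.com`; on a case-sensitive filesystem the `chown` targets a directory that does not exist, so the challenge directory keeps root ownership and the non-root account cannot write the token there. The `useradd -d /etc/acme-sh/ ...` line does not pass `-m`, so on distributions where `CREATE_HOME` is not set in `login.defs` the home directory is not created and the following `chown acme:mail /etc/acme-sh/` fails; either add `-m` or add an explicit `mkdir -p /etc/acme-sh` before it. Minor wording: "you might observer" should be "you might observe", "when ran as non-root" should be "when run as non-root", and the trailing "Maybe this is where the --force should be used?" reads as an open question in a how-to; either state what `--force` does in this case or remove the sentence.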