ACME: Difference between revisions

Sandro (talk | contribs)
Improve group wording
WoutSwinkels (talk | contribs)
 
(4 intermediate revisions by 3 users not shown)
Line 2: Line 2:


== Setup ==
== Setup ==
 
=== DNS-01 Challenge ===
Following example setup generates certificates using DNS validation. [https://letsencrypt.org/repository/ Let's Encrypt ToS] has to be accepted. Further the contact mail <code>admin+acme@example.com</code> is defined.
Following example setup generates certificates using DNS validation. [https://letsencrypt.org/repository/ Let's Encrypt ToS] has to be accepted. Further the contact mail <code>admin+acme@example.com</code> is defined.


Line 22: Line 22:


Certificates are getting generated for the domain <code>mx1.example.org</code> using the DNS provider <code>inwx</code>. See [https://go-acme.github.io/lego/dns upstream documentation] on available providers and their specific configuration for the <code>credentialsFile</code> option.
Certificates are getting generated for the domain <code>mx1.example.org</code> using the DNS provider <code>inwx</code>. See [https://go-acme.github.io/lego/dns upstream documentation] on available providers and their specific configuration for the <code>credentialsFile</code> option.
The next example issues a wildcard certificate and uses Cloudflare for validation. We're also adding the group "nginx" here so that the certificate files can be used by nginx later on.<syntaxhighlight lang="nix">
security.acme = {
  acceptTerms = true;
  defaults.email = "admin@example.org";
  certs = {
    "example.org" = {
      domain = "*.example.org";
      group = "nginx";
      dnsProvider = "cloudflare";
      # location of your CLOUDFLARE_DNS_API_TOKEN=[value]
      # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=
      environmentFile = "/home/admin/cloudflare";
    };
  };
};
</syntaxhighlight>
=== HTTP-01 Challenge ===
Besides DNS validation it is also possible to obtain certificates by placing a file on your webserver at <code>http://example.org/.well-known/acme-challenge</code>. Instead of using the <code>dnsProvider</code> option, we use the <code>webroot</code> option.
<syntaxhighlight lang="nix">
security.acme = {
  acceptTerms = true;
  defaults.email = "admin@example.org";
  certs."example.org" = {
    # An acme system user is created. This user belongs to the acme group and the home directory is /var/lib/acme.
    # This user will try to make the directory .well-known/acme-challenge/ under the webroot directory.
    webroot = "/var/lib/acme";
  };
};
</syntaxhighlight>
We need to make sure that our webserver knows where to redirect <code>http://example.org/.well-known/acme-challenge</code> to. If you use [[Nginx|nginx]] this can be done as follows:
<syntaxhighlight lang="nginx">
location /.well-known/acme-challenge/ {
  rewrite /.well-known/acme-challenge/(.*) /$1 break;
  root /var/lib/acme/.well-known/acme-challenge;
}
</syntaxhighlight>


== Usage ==
== Usage ==
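Review bot: the Cloudflare example line `environmentFile = "/home/admin/cloudflare";` points at a file holding a DNS API token that can create records for the whole zone, but nothing says who must be able to read that file or how it should be protected; add a sentence that it must be readable by the acme service user and by nobody else (root-owned, mode 0400 or similar, and preferably not inside a login user's home directory), and that the token should be scoped to DNS edits on that one zone, since anyone who can read the file can obtain certificates for `*.example.org`. Two smaller points in the same hunk: the sentence ending "used by nginx later on." runs straight into the opening `<syntaxhighlight lang="nix">` on the same line, so put the tag on its own line; and in the HTTP-01 paragraph "knows where to redirect ... to" should read "serves ... from", because the nginx `location` block serves the challenge files directly rather than redirecting. The pair `rewrite /.well-known/acme-challenge/(.*) /$1 break;` plus `root /var/lib/acme/.well-known/acme-challenge;` can also be written as the single line `root /var/lib/acme;` inside that `location`, since the request URI already carries the `.well-known/acme-challenge/` prefix and the comment above states the acme user creates exactly that directory under the webroot.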
Line 28: Line 69:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
security.acme.certs."mx1.example.org".group = "maddy";
security.acme.certs."example.org".group = "nginx";
</syntaxhighlight>
</syntaxhighlight>
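Review bot: the replacement line switches the example from `mx1.example.org` with group `maddy` to `example.org` with group `nginx`, but only the code line is in the hunk; the surrounding Usage prose (not shown here) presumably still explains the setting in terms of the maddy service, so check that it now refers to nginx, and that it spells out what `group` does: it makes the certificate directory, private key included, readable by every process running with that group, so it should name the one service that needs the key rather than a broad or shared group.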


Line 34: Line 75:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
security.acme.certs."mx1.example.org".group = config.services.maddy.group;
security.acme.certs."example.org".group = config.services.nginx.group;
</syntaxhighlight>Resulting in the following files and permissions<syntaxhighlight lang="bash">
lrwxrwxrwx 1 acme nginx  13 Aug  4 12:57 cert.pem -> fullchain.pem
-rw-r----- 1 acme nginx 1567 Aug  4 12:57 chain.pem
-rw-r----- 1 acme nginx 2865 Aug  4 12:57 fullchain.pem
-rw-r----- 1 acme nginx 3092 Aug  4 12:57 full.pem
-rw-r----- 1 acme nginx  227 Aug  4 12:57 key.pem
</syntaxhighlight>
</syntaxhighlight>
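Review bot: the closing `</syntaxhighlight>` runs straight into "Resulting in the following files and permissions" and the next opening tag on one line; put that sentence on its own line, end it with a colon, and tag the listing as plain console output rather than `bash`, since it is `ls -l` output and not a script. The listing itself is worth keeping because it is the check a reader should run after the first issuance: `key.pem` at `-rw-r----- 1 acme nginx` shows the private key is readable only by root, the `acme` user and members of the `nginx` group, which is exactly what `group = config.services.nginx.group;` is meant to achieve; say so explicitly, and note that referencing `config.services.nginx.group` instead of the literal `"nginx"` keeps the setting correct if the service's group is ever changed.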