ACME: Difference between revisions

Line 2:

== Setup ==

Following example setup generates certificates using DNS validation. [https://letsencrypt.org/repository/ Let's Encrypt ToS] has to be accepted. Further the contact mail <code>admin+acme@example.com</code> is defined.

Line 22:

Line 23:

Certificates are getting generated for the domain <code>mx1.example.org</code> using the DNS provider <code>inwx</code>. See [https://go-acme.github.io/lego/dns upstream documentation] on available providers and their specific configuration for the <code>credentialsFile</code> option.

The next example issues a wildcard certificate and uses Cloudflare for validation. We're also adding the group "nginx" here so that the certificate files can be used by nginx later on.<syntaxhighlight lang="nix">

security.acme = {

acceptTerms = true;

defaults.email = "admin@example.org";

certs = {

"example.org" = {

domain = "*.example.org";

group = "nginx";

dnsProvider = "cloudflare";

# location of your CLOUDFLARE_DNS_API_TOKEN=[value]

# https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=

environmentFile = "/home/admin/cloudflare";

};

</syntaxhighlight>

== Usage ==

Line 35:

Line 53:

security.acme.certs."example.org".group = config.services.nginx.group;

</syntaxhighlight>Resulting in the following files and permissions<syntaxhighlight lang="bash">

lrwxrwxrwx 1 acme nginx 13 Aug 4 12:57 cert.pem -> fullchain.pem

-rw-r----- 1 acme nginx 1567 Aug 4 12:57 chain.pem

-rw-r----- 1 acme nginx 2865 Aug 4 12:57 fullchain.pem

-rw-r----- 1 acme nginx 3092 Aug 4 12:57 full.pem

-rw-r----- 1 acme nginx 227 Aug 4 12:57 key.pem

</syntaxhighlight>

@@ Line 2: / Line 2: @@
 == Setup ==
+Following example setup generates certificates using DNS validation. [https://letsencrypt.org/repository/ Let's Encrypt ToS] has to be accepted. Further the contact mail <code>admin+acme@example.com</code> is defined.
 Following example setup generates certificates using DNS validation. [https://letsencrypt.org/repository/ Let's Encrypt ToS] has to be accepted. Further the contact mail <code>admin+acme@example.com</code> is defined.
@@ Line 22: / Line 23: @@
 Certificates are getting generated for the domain <code>mx1.example.org</code> using the DNS provider <code>inwx</code>. See [https://go-acme.github.io/lego/dns upstream documentation] on available providers and their specific configuration for the <code>credentialsFile</code> option.
+The next example issues a wildcard certificate and uses Cloudflare for validation. We're also adding the group "nginx" here so that the certificate files can be used by nginx later on.<syntaxhighlight lang="nix">
+security.acme = {
+  acceptTerms = true;
+  defaults.email = "admin@example.org";
+  certs = {
+    "example.org" = {
+      domain = "*.example.org";
+      group = "nginx";
+      dnsProvider = "cloudflare";
+      # location of your CLOUDFLARE_DNS_API_TOKEN=[value]
+      # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=
+      environmentFile = "/home/admin/cloudflare";
+    };
+  };
+};
+</syntaxhighlight>
 == Usage ==
@@ Line 35: / Line 53: @@
 <syntaxhighlight lang="nix">
 security.acme.certs."example.org".group = config.services.nginx.group;
+</syntaxhighlight>Resulting in the following files and permissions<syntaxhighlight lang="bash">
+lrwxrwxrwx 1 acme nginx   13 Aug  4 12:57 cert.pem -> fullchain.pem
+-rw-r----- 1 acme nginx 1567 Aug  4 12:57 chain.pem
+-rw-r----- 1 acme nginx 2865 Aug  4 12:57 fullchain.pem
+-rw-r----- 1 acme nginx 3092 Aug  4 12:57 full.pem
+-rw-r----- 1 acme nginx  227 Aug  4 12:57 key.pem
 </syntaxhighlight>