ACME: Difference between revisions
m Deduplicate sentence.
WoutSwinkels (talk | contribs)
Line 2:
== Setup ==
=== DNS-01 Challenge ===
The following example setup obtains certificates using DNS validation. The [https://letsencrypt.org/repository/ Let's Encrypt ToS] have to be accepted, and the contact e-mail <code>admin+acme@example.com</code> is defined.
Line 37:
};
};
</syntaxhighlight>
=== HTTP-01 Challenge ===
Besides DNS validation it is also possible to obtain certificates by serving a file that the ACME client writes below <code>http://example.org/.well-known/acme-challenge/</code> on your web server. Instead of the <code>dnsProvider</code> option, we use the <code>webroot</code> option:
<syntaxhighlight lang="nix"> | |||
security.acme = { | |||
acceptTerms = true; | |||
defaults.email = "admin@example.org"; | |||
certs."example.org" = { | |||
# An acme system user is created. This user belongs to the acme group and the home directory is /var/lib/acme. | |||
# This user will try to make the directory .well-known/acme-challenge/ under the webroot directory. | |||
webroot = "/var/lib/acme"; | |||
}; | |||
}; | |||
</syntaxhighlight> | |||
We need to make sure that our web server serves <code>http://example.org/.well-known/acme-challenge/</code> from that directory. The validation request arrives over plain HTTP on port 80, so the location must be defined on the HTTP listener and must take precedence over any redirect to HTTPS. If you use [[Nginx|nginx]] this can be done as follows:
<syntaxhighlight lang="nginx"> | |||
location /.well-known/acme-challenge/ { | |||
rewrite /.well-known/acme-challenge/(.*) /$1 break; | |||
root /var/lib/acme/.well-known/acme-challenge; | |||
} | |||
</syntaxhighlight>
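The manual <code>webroot</code> plus <code>location</code> wiring above can also be left to the nginx module. The following is an added example, not part of the original wiki text: <code>enableACME</code> on a virtual host sets <code>security.acme.certs."example.org".webroot</code> to the host's <code>acmeRoot</code> (default <code>/var/lib/acme/acme-challenge</code>) and adds the <code>/.well-known/acme-challenge</code> location to the port-80 server block, while <code>forceSSL</code> redirects everything else to HTTPS. The document root <code>/var/www/example.org</code> is an assumed path.

```nix
{ config, ... }:
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.org";
  };

  services.nginx = {
    enable = true;
    virtualHosts."example.org" = {
      # Request the certificate via HTTP-01. NixOS configures the webroot
      # for this certificate and serves /.well-known/acme-challenge/ on the
      # HTTP listener ahead of the HTTPS redirect, so no manual location
      # block is needed.
      enableACME = true;
      # Redirect all other plain-HTTP requests to HTTPS.
      forceSSL = true;
      # Assumed document root for the site itself (not the ACME webroot).
      root = "/var/www/example.org";
    };
  };

  # HTTP-01 validation connects to port 80; keep it open alongside 443.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

After <code>nixos-rebuild switch</code> the certificate is issued by the <code>acme-example.org.service</code> unit; a closed port 80 or an upstream redirect that swallows the challenge path is the usual cause of a failed first issuance.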