
# install acme-tiny
yum install acme-tiny

# generate an account.key - if you don't have it yet - otherwise just move it into this location
openssl genrsa 4096 > /var/lib/acme/private/account.key

# set the correct permissions
chown acme:acme /var/lib/acme/private/account.key
chmod 0400 /var/lib/acme/private/account.key

# create a private key and a key signing request for the domain demo.nmsprime.com
cn='demo.nmsprime.com'
# EITHER generate a certificate signing request for $cn only
openssl req -new -nodes -keyout "/etc/pki/tls/private/$cn.key" -subj "/CN=$cn" -out "/var/lib/acme/csr/$cn.csr"
# OR generate a certificate signing request for multiple hostnames (e.g. $cn and www.$cn)
openssl req -new -nodes -keyout "/etc/pki/tls/private/$cn.key" -subj "/" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$cn,DNS:www.$cn")) -out "/var/lib/acme/csr/$cn.csr"
chmod 0400 "/etc/pki/tls/private/$cn.key"
chmod 0644 "/var/lib/acme/csr/$cn.csr"

# download currently active intermediate certificate, please check its validity against https://letsencrypt.org/certificates
curl -L -o /var/lib/acme/lets-encrypt-r3r10.pem https://letsencrypt.org/certs/lets-encrypt-r32024/r10.pem

# reload apache, and run the script
systemctl reload httpd
systemctl enable acme-tiny.timer
systemctl start acme-tiny.timer

# for a later renewal of certificates (in case you add more subdomains) you can use this
systemctl restart acme-tiny.service

# check your logs (journalctl or /var/log/messages) to see if everything went fine, if so adapt you nmsprime apache conf
# restart acme-tiny in case sth failed by: systemctl restart acme-tiny.service
sed -e "s|SSLCertificateFile.*|SSLCertificateFile /var/lib/acme/certs/$cn.crt|" \
    -e "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/pki/tls/private/$cn.key\n\
    SSLCertificateChainFile /var/lib/acme/lets-encrypt-r3r10.pem|" \
    -i /etc/httpd/conf.d/nmsprime-{acs,admin,ccc}.conf

# to use the new certificates, reload apache
systemctl reload httpd

# remove unused self-signed certificates
rm /etc/httpd/ssl/httpd.{key,pem}
rmdir /etc/httpd/ssl
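Review bot: The account key on L17 is created by shell redirection, so it lands on disk with the caller's umask default (commonly 0644) and stays readable to other local users until the `chown`/`chmod` on L20-L21 run; tightening permissions after the fact leaves a window and also fails silently if the `openssl` step errors. Generating it with a restrictive umask closes that gap, e.g. `(umask 077; openssl genrsa 4096 > /var/lib/acme/private/account.key)`, after which the `chmod 0400` on L21 still applies. The CSR keys on L26/L28 are written via `-keyout`, which I believe OpenSSL opens with mode 0600 itself, but the `chmod 0400` on L29 is worth keeping either way. On L33 the comment asks the reader to "check validity" of the downloaded intermediate but gives no way to do it; a one-liner such as `openssl x509 -in /var/lib/acme/<chain-file>.pem -noout -subject -issuer -fingerprint -sha256` (chain filename as used on L33) lets the reader compare against the issuer's published fingerprint before the file is referenced as `SSLCertificateChainFile` on L47.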
