Skip to content

ArchangeGabriel/acme-user

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

acme-user

These are scripts and configuration files to run acme-tiny unpriviledged as much as possible under systemd systems.

Initial set-up

This is based upon upstream README, refer to it for details.

After generating or converting your account private key, store it as

/etc/acme/accountkey.pem

and set permission/ownership to 440 acme:acme.

The ${domain} private key should be stored as

/etc/acme/${domain}/privkey.pem

and have permission/ownership to 400 root:root, but actually acme-tiny does not use it once the CSR is generated, so these are just general recommandations.

However the CSR must be stored as

/etc/acme/${domain}/csr.pem

and be 440 acme:acme.

One important modification here: the files are expected to reside under /var/lib/acme/. The folder is created by the systemd-tmpfiles config, but you need to setup your HTTP server correctly for this path.

Here we deviate a bit from upstream because we use a dedicated system user (that is the point of this project) and need to adapt ownership and permissions.

  1. Get the certificate:
sudo -u acme sh -c "/usr/bin/acme-tiny --account-key /etc/acme/accountkey.pem --csr /etc/acme/${domain}/csr.pem --acme-dir /var/lib/acme/ > /etc/acme/${domain}/fullchain.pem"
  1. Fix permissions:
sudo chown root:root /etc/acme/${domain}/fullchain.pem
sudo chmod 444 /etc/acme/${domain}/fullchain.pem

Renewal setup

Just enable the acme.timer systemd timer.

Services reloading

Most server services need to be reloaded or restarted in order to take into account a renewed certificate. You can have the systemd service automatically do so by adding a drop-in override:

[Service]
ExecStartPost=/usr/bin/systemctl try-reload-or-restart <space separated list of services>

For instance, an usual <space separated list of services> on a mail server might be nginx smtpd dovecot.

About

Scripts and configuration files to run acme-tiny unpriviledged

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages