A ready-made shell script performing the tasks below can be found in the `examples/install_scripts` directory.

- Install apache2 and the corresponding wsgi module

```bash
sudo apt-get install -y apache2 libapache2-mod-wsgi-py3 python3-pip apache2-data curl krb5-user libgssapi-krb5-2 libkrb5-3 python3-gssapi
```

- Check that the wsgi module is activated in your apache configuration

```bash
sudo apache2ctl -M | grep -i wsgi
wsgi_module (shared)
```

If `wsgi_module` is not listed, enable the module (for example with `sudo a2enmod wsgi`) before continuing.

- Download acme2certifier from master and unpack it.

- Install the missing python modules via pip

```bash
sudo pip3 install -r requirements.txt
```

- Copy the file `examples/apache2/apache_wsgi.conf` to `/etc/apache2/sites-available/acme2certifier.conf` and modify it according to your needs.

- In case you would like to activate TLS, copy the file `examples/acme_wsgi_ssl.conf` to `/etc/apache2/sites-available/acme2certifier.conf` and modify it according to your needs. Do not forget to place the key-bundle. This file must contain the following certificate data in PEM format, in this order:
    - the private key
    - the end-entity certificate
    - the intermediate CA certificates, sorted from leaf to root (the root CA certificate should not be included for security reasons)

  Further, the ssl module needs to be activated:

```bash
sudo a2enmod ssl
```
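A wrongly ordered key-bundle (intermediate before the leaf, or the root appended at the end) is a common reason for TLS handshake failures after this step. As an added example that is not part of acme2certifier or of this guide, the following standard-library Python script checks a bundle for exactly the layout listed above: one private key first, then the end-entity certificate, then the intermediates in leaf-to-root order, and no self-signed root at the end. It walks just enough DER to read each certificate's issuer and subject. `make_fake_cert`, `pem` and `SAMPLE_BUNDLE` are constructed test data (unsigned placeholder certificates), not real certificates, and the `key-bundle.pem` path in the comment is an assumption.

```python
#!/usr/bin/env python3
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def cert_names(der):
    """Return (issuer, subject) as raw DER Name encodings of an X.509 certificate."""
    _, tbs_start, _ = _tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, tbs_start)         # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(2):                       # serialNumber, signature AlgorithmIdentifier
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)
    issuer = der[pos:end]
    _, _, pos = _tlv(der, end)               # validity
    _, _, end = _tlv(der, pos)
    return issuer, der[pos:end]


def check_key_bundle(text):
    """Return a list of problems; an empty list means the layout is as expected."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    if not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append(f"first block must be the private key, found '{blocks[0][0]}'")
    certs = [der for label, der in blocks[1:] if label == "CERTIFICATE"]
    if len(certs) != len(blocks) - 1:
        problems.append("every block after the private key must be a CERTIFICATE")
    if not certs:
        return problems + ["no certificate found after the private key"]
    try:
        names = [cert_names(der) for der in certs]
    except (IndexError, ValueError):
        return problems + ["a CERTIFICATE block is not parseable DER"]
    for i in range(len(names) - 1):          # cert i must be issued by cert i+1 (leaf to root)
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}: wrong order or gap")
    if names[-1][0] == names[-1][1]:
        problems.append("last certificate is self-signed: do not include the root CA certificate")
    return problems


# --- constructed test data below: not real keys or certificates ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE OF RDN; a single commonName attribute here."""
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate with valid DER shape; only the names matter."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


# key, leaf issued by "Sub CA", "Sub CA" issued by "Root CA"; the root is (correctly) omitted
SAMPLE_BUNDLE = ("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
                 + pem("CERTIFICATE", make_fake_cert("acme.example.com", "Sub CA"))
                 + pem("CERTIFICATE", make_fake_cert("Sub CA", "Root CA")))

if __name__ == "__main__":
    # usage: check_bundle.py /etc/apache2/key-bundle.pem  (assumed path); no argument checks the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    problems = check_key_bundle(text)
    print("\n".join(problems) or "key-bundle layout OK")
    sys.exit(1 if problems else 0)
```

The chain check compares raw DER `Name` encodings, which is what a TLS stack does when building the path, so a bundle that passes here is at least in the order the ssl module expects; it does not verify signatures or expiry, which `openssl verify` covers.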
- Activate the virtual server(s)

```bash
sudo a2ensite acme2certifier.conf
sudo a2ensite acme2certifier_ssl.conf
```

- Create the directory `/var/www/acme2certifier` and copy the file `examples/acme2certifier_wsgi.py` into it.

- Copy the directories `examples/ca_handler/`, `examples/eab_handler/`, `examples/hooks/` and `tools` to `/var/www/acme2certifier/`

```bash
sudo mkdir /var/www/acme2certifier/examples
sudo cp -R examples/ca_handler/ /var/www/acme2certifier/examples/ca_handler
sudo cp -R examples/eab_handler/ /var/www/acme2certifier/examples/eab_handler
sudo cp -R examples/hooks/ /var/www/acme2certifier/examples/hooks
sudo cp -R examples/acme_srv.cfg /var/www/acme2certifier/examples/
sudo cp -R tools/ /var/www/acme2certifier/tools
```

- Create the directory `/var/www/acme2certifier/acme_srv` and copy the content of the `acme_srv` directory into it

```bash
sudo cp -R acme_srv/ /var/www/acme2certifier/acme_srv
```

- Create a configuration file `acme_srv.cfg` in `/var/www/acme2certifier/acme_srv`, or use the example stored in the `examples` directory, and modify the configuration file according to your needs.

- Optional: pick the correct ca handler from the `examples/ca_handler` directory and copy it to `/var/www/acme2certifier/acme_srv/ca_handler.py`

- Configure the ca_handler in `acme_srv.cfg` (see the example for Insta Certifier).

- Activate the wsgi database handler

```bash
sudo cp /var/www/acme2certifier/examples/db_handler/wsgi_handler.py /var/www/acme2certifier/acme_srv/db_handler.py
```

- Ensure that all files and directories under `/var/www/acme2certifier` are owned by the user running the webserver (`www-data` is just an example!)

```bash
sudo chown -R www-data:www-data /var/www/acme2certifier/
```

- Set the correct permissions on the `acme_srv` subdirectory

```bash
sudo chmod a+x /var/www/acme2certifier/acme_srv
```

- Delete the default apache configuration file and reload the apache2 service

```bash
sudo rm /etc/apache2/sites-enabled/000-default.conf
sudo systemctl reload apache2
```

- Check access to the directory resource to verify that everything works so far
```bash
[root@srv ~]# curl http://127.0.0.1/directory
{"newAccount": "http://127.0.0.1/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1/acme_srv/key-change", "newNonce": "http://127.0.0.1/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <[email protected]>"}, "newOrder": "http://127.0.0.1/acme_srv/neworders", "revokeCert": "http://127.0.0.1/acme_srv/revokecert"}[root@srv ~]#
```

Try to enroll a certificate by using your favorite ACME client. If it fails, check the configuration of your ca_handler and the logs, and enable debug mode in acme2certifier for further investigation.
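Eyeballing the JSON above is fine once, but a small script makes the smoke test repeatable, for instance after changing the virtual host or switching the site to TLS. As an added example that is neither acme2certifier's code nor part of this guide, the following Python script checks a directory document for the resources an ACME directory must advertise (`newNonce`, `newAccount`, `newOrder`, `revokeCert`, `keyChange`, per RFC 8555 section 7.1.1), verifies that each is an absolute URL, and optionally flags resources still served over plain http, which is what you want to catch after enabling the ssl site. `SAMPLE_DIRECTORY` is a constructed copy of the output shown above (with the author entry left out), and the `http://127.0.0.1/directory` URL in `fetch_and_check` is the one used in the curl call, assumed to be reachable.

```python
#!/usr/bin/env python3
import json
import sys
from urllib.parse import urlparse
from urllib.request import urlopen

# Resources every ACME directory must contain (RFC 8555 section 7.1.1); newAuthz is optional.
REQUIRED = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

# Constructed sample modelled on the curl output above (random anti-caching entry included).
SAMPLE_DIRECTORY = json.dumps({
    "newAccount": "http://127.0.0.1/acme_srv/newaccount",
    "fa8b347d3849421ebc4b234205418805":
        "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "keyChange": "http://127.0.0.1/acme_srv/key-change",
    "newNonce": "http://127.0.0.1/acme_srv/newnonce",
    "meta": {"home": "https://github.com/grindsa/acme2certifier"},
    "newOrder": "http://127.0.0.1/acme_srv/neworders",
    "revokeCert": "http://127.0.0.1/acme_srv/revokecert",
})


def check_directory(body, require_https=False):
    """Return a list of findings; an empty list means the directory looks usable by an ACME client."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        return ["directory document is not a JSON object"]
    findings = [f"missing required resource: {name}" for name in REQUIRED if name not in doc]
    for name in REQUIRED:
        url = doc.get(name)
        if not isinstance(url, str):
            continue
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"{name} is not an absolute URL: {url!r}")
        elif require_https and parts.scheme != "https":
            # after the TLS step every resource should be reachable over https only
            findings.append(f"{name} is served over plain http: {url}")
    return findings


def fetch_and_check(url="http://127.0.0.1/directory", require_https=False):
    """Fetch a live directory (assumed reachable) and run the same checks on it."""
    with urlopen(url, timeout=5) as resp:
        return check_directory(resp.read().decode(), require_https)


if __name__ == "__main__":
    # usage: check_directory.py [directory-url] [--https]
    args = [a for a in sys.argv[1:] if a != "--https"]
    findings = (fetch_and_check(args[0], "--https" in sys.argv) if args
                else check_directory(SAMPLE_DIRECTORY, "--https" in sys.argv))
    print("\n".join(findings) or "directory OK")
    sys.exit(1 if findings else 0)
```

Run it against the sample to see the expected clean result, then against the live URL; with `--https` it reports every resource that is still advertised over http, which happens when the directory is fetched through the non-TLS virtual host because acme2certifier builds the URLs from the request it receives.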