In this setup uWSGI serves acme2certifier and NGINX acts as reverse proxy in front of it to provide better connection handling.
A ready-made shell script performing the steps below can be found in the examples/install_scripts directory.
- download the archive and unpack it into a temporary directory.
cd /tmp
curl https://codeload.github.com/grindsa/acme2certifier/tar.gz/refs/heads/master -o a2c-master.tgz
tar xvfz a2c-master.tgz
cd /tmp/acme2certifier-master
- Install missing packages
sudo yum install -y epel-release
sudo yum update -y
sudo yum install -y python-pip nginx python3-uwsgidecorators.x86_64 tar uwsgi-plugin-python3 policycoreutils-python-utils
- Set up your project directory and copy the unpacked source tree into it (the steps below reference files under /opt/acme2certifier)
sudo mkdir /opt/acme2certifier
sudo cp -R /tmp/acme2certifier-master/* /opt/acme2certifier/
- Install the missing python modules
sudo pip install -r /opt/acme2certifier/requirements.txt
- create a configuration file acme_srv.cfg in /opt/acme2certifier/acme_srv/ or use the example stored in the examples directory; modify the configuration file according to your needs
- set the handler_file parameter in acme_srv.cfg, or copy the correct CA handler from the /opt/acme2certifier/examples/ca_handler directory to /opt/acme2certifier/acme_srv/ca_handler.py
- configure the connection to your CA server in acme_srv.cfg; the project provides an example for Insta Certifier
- activate the wsgi database handler
sudo cp /opt/acme2certifier/examples/db_handler/wsgi_handler.py /opt/acme2certifier/acme_srv/db_handler.py
- copy the application file "acme2certifier_wsgi.py" from the examples directory
sudo cp /opt/acme2certifier/examples/acme2certifier_wsgi.py /opt/acme2certifier/
- set the correct permissions on the acme_srv subdirectory (execute on a directory only grants traversal; do not make the directory world-readable, as it holds the database and a configuration file that may contain CA credentials)
sudo chmod a+x /opt/acme2certifier/acme_srv
- set the ownership of the acme_srv subdirectory to the user running nginx
sudo chown -R nginx /opt/acme2certifier/acme_srv
- Test acme2certifier by starting the application
cd /opt/acme2certifier
sudo uwsgi --http-socket :8000 --plugin python3 --wsgi-file acme2certifier_wsgi.py
- Check access to directory resource in a parallel session to verify that everything works so far
curl http://127.0.0.1:8000/directory
{"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme_srv/key-change", "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <[email protected]>"}, "newOrder": "http://127.0.0.1:8000/acme_srv/neworders", "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"}
- create a uWSGI config file or use the one stored in the examples/nginx directory
sudo cp examples/nginx/acme2certifier.ini /opt/acme2certifier
- activate the python3 plugin in the copied uWSGI config file (note that "sudo echo ... >> file" does not work as intended: the redirection is performed by the unprivileged shell, not by sudo, and it would also modify the example file rather than the copy in /opt/acme2certifier)
echo "plugins = python3" | sudo tee -a /opt/acme2certifier/acme2certifier.ini
- Create a systemd unit file for uWSGI or use the one stored in the examples/nginx directory
sudo cp examples/nginx/uwsgi.service /etc/systemd/system/
sudo systemctl enable uwsgi.service
- start uWSGI as service
sudo systemctl start uwsgi
- configure NGINX as reverse proxy (and TLS termination; RFC 8555 requires ACME to be served over HTTPS) or use the example stored in the examples/nginx directory and modify it according to your needs
sudo cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf
- restart nginx
sudo systemctl restart nginx
- test the server by accessing the directory resource through NGINX
curl http://<your server name>/directory
On a system with SELinux in enforcing mode this request is expected to fail, because nginx is not yet allowed to connect to the uWSGI Unix socket; the denial can be confirmed with "sudo ausearch -m avc -ts recent".
- adapt the SELinux configuration by applying the customized policy from the examples/nginx directory, which allows nginx to communicate with uwsgi via Unix sockets
sudo checkmodule -M -m -o acme2certifier.mod examples/nginx/acme2certifier.te
sudo semodule_package -o acme2certifier.pp -m acme2certifier.mod
sudo semodule -i acme2certifier.pp
- test the server again by accessing the directory resource; the directory JSON should now be returned
curl http://<your server name>/directory
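The helper functions below are an added example and are not part of the acme2certifier project or its install scripts. They cover the two checks a practitioner wants when following the procedure above: editing the uWSGI ini idempotently (instead of appending with a redirected "sudo echo", which is both unprivileged and not repeatable) and validating that what NGINX returns is actually an ACME directory. The function and file names, and the sample JSON used in the usage lines, are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): helpers for the uWSGI/NGINX setup.
set -eu

# Append "key = value" to an ini file only if that key is not already set.
# Idempotent, and free of the "sudo echo ... >> file" pitfall: run the whole
# script with sudo (or via "sudo tee") when the target is root-owned.
ensure_ini_key() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        return 0            # already configured, leave the file untouched
    fi
    printf '%s = %s\n' "$key" "$value" >> "$file"
}

# Check that a JSON document contains the five directory resources an ACME
# server must publish (RFC 8555 section 7.1.1). Returns 1 and names the first
# missing key; a bare 502 page from NGINX therefore fails immediately.
check_acme_directory() {
    local json="$1" key
    for key in newNonce newAccount newOrder revokeCert keyChange; do
        case "$json" in
            *"\"$key\""*) ;;
            *) echo "missing directory entry: $key" >&2; return 1 ;;
        esac
    done
    return 0
}

# Probe a live server: on 200 validate the body, on 502/503 point at the usual
# cause on RHEL (SELinux blocking nginx from the uWSGI socket).
# Needs curl and a running server, so it is not exercised by the offline test.
probe_server() {
    local url="$1" out status
    out=$(mktemp)
    status=$(curl -s -o "$out" -w '%{http_code}' "$url") || status=000
    case "$status" in
        200) check_acme_directory "$(cat "$out")" ;;
        502|503)
            echo "HTTP $status from NGINX; check 'sudo ausearch -m avc -ts recent' for SELinux denials" >&2
            rm -f "$out"; return 1 ;;
        *)  echo "unexpected HTTP status $status" >&2; rm -f "$out"; return 1 ;;
    esac
    rm -f "$out"
}

# Usage (constructed sample input, not a captured response):
# ensure_ini_key /opt/acme2certifier/acme2certifier.ini plugins python3
# check_acme_directory '{"newNonce": "x", "newAccount": "x", "newOrder": "x", "revokeCert": "x", "keyChange": "x"}'
# probe_server http://localhost/directory
```

Running ensure_ini_key twice leaves a single "plugins = python3" line, so the step can safely be repeated by an install script; check_acme_directory deliberately looks only for the mandatory resource names, so the random anti-caching entry that acme2certifier adds to its directory does not affect the result.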