Encrypting all web traffic 3 – Keeping the Data Safe – Securing a System


Getting acme.sh from Git
Now, we need to grab the acme.sh script from Git:

  1. First, we need to install Git with the following command:

dnf install -y git

  2. Next, let's make a directory called acme:

mkdir acme

  3. Now, we can clone the script from the official Git repository (https://github.com/acmesh-official/acme.sh) with the following command:

git clone https://github.com/acmesh-official/acme.sh.git

  4. Then run the installer, adjusting the directory and email address as needed (the clone lands in acme/acme.sh, so the script path is /root/acme/acme.sh/acme.sh):

/root/acme/acme.sh/acme.sh --install -m [email protected]


Creating a cert using the webroot mode

  1. Next, let's register an account with the CA, passing an email address with the -m option:

/root/acme/acme.sh/acme.sh --register-account -m [email protected]
[Sun Apr 2 22:02:01 GMT 2023] No EAB credentials found for ZeroSSL, let's get one
[Sun Apr 2 22:02:02 GMT 2023] Registering account: https://acme.zerossl.com/v2/DV90
[Sun Apr 2 22:02:03 GMT 2023] Registered
[Sun Apr 2 22:02:03 GMT 2023] ACCOUNT_THUMBPRINT='QPU6rxYiTHrRkweBPKtAhUqnflvlBSdl0Xu4N89JhyY'
Save the ACCOUNT_THUMBPRINT for future use. This is also saved in ./ca/acme.zerossl.com/v2/DV90/ca.conf.

  2. Now, we can run the script, passing the domain name and, for webroot mode, the Apache document root of the site:

./acme.sh --issue -d ssltest.talesfromthedatacenter.com --log
The following figure shows the command running, with the new certificate being installed by the script.

Figure 9.4 – Certificate to be installed
The script will restart Apache.
Testing

  1. You can now browse to the site over HTTPS. You will see a padlock on the left side of the address bar; the site is now served securely. This is shown in the following figure:

Figure 9.5 – SSL keys installed


How it works…
The way this works is that the acme.sh script generates a temporary challenge file and places it in the .well-known/acme-challenge directory under the web root. The certificate authority then requests that file from the server over the internet. If it can retrieve the file, the challenge passes and a new certificate and key are issued. It is important to monitor this step, as third-party security software or SELinux can block access to the temporary challenge file and cause issuance or renewal to fail.
Now that the certificate is set up, there is one task left to make renewal automatic. You can have the system check daily for a new certificate by adding the following cron job. Note that you will need to adjust the location of the script based on where you installed it; in this case, it was installed in /home/acme/.acme.sh:

0 0 * * * /home/acme/.acme.sh/acme.sh --cron --home /home/acme/.acme.sh > /dev/null

NOTE
When using certificates that update automatically, it is highly recommended to monitor your sites consistently for SSL errors. Ideally, you check for SSL errors once an hour in case something breaks. Look in the web server's SSL logs and also run a check with a tool such as wget or curl to verify that the site is reachable. Both wget and curl will fail with an error if the certificate is invalid.
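The hourly check the note recommends, as an added example (not code from the book or from acme.sh): a small Python script you can run from cron that performs a full TLS handshake with default certificate verification, so a bad chain or hostname mismatch fails the same way curl or wget would, and additionally warns when the certificate is close to expiry, which is the first sign that the acme.sh cron job has stopped renewing. The 14-day threshold is an assumption; the hostname is the one used on this page.

```python
#!/usr/bin/env python3
"""Hourly TLS health check for a site whose certificate acme.sh renews automatically."""
import socket
import ssl
import sys
import time

HOST = "ssltest.talesfromthedatacenter.com"  # domain from this page; change for your site
MIN_DAYS = 14  # assumed alert threshold: acme.sh renews well before this, so crossing it means renewal is broken


def days_remaining(not_after, now=None):
    """Days until notAfter, given in the OpenSSL text form getpeercert() returns,
    e.g. 'Jun 30 12:00:00 2023 GMT'. `now` is an epoch timestamp (defaults to the current time)."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def classify(not_after, now=None, min_days=MIN_DAYS):
    """Map the expiry date to a status the cron job can alert on."""
    days = days_remaining(not_after, now)
    if days <= 0:
        return "EXPIRED"
    if days < min_days:
        return "EXPIRING"
    return "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Connect with the default (verifying) context: an untrusted chain, an expired
    certificate or a name mismatch raises ssl.SSLError instead of returning a date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main():
    try:
        not_after = fetch_not_after(HOST)
    except (ssl.SSLError, OSError) as exc:
        print(f"FAIL {HOST}: {exc}")  # handshake or connection failure: alert immediately
        return 2
    status = classify(not_after)
    print(f"{status} {HOST}: certificate expires {not_after}")
    return 0 if status == "OK" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from cron with a line such as `0 * * * * /usr/local/bin/tls_check.py || mail -s "TLS check failed" you@example.com` (path and address are placeholders); the non-zero exit status is what triggers the alert.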
