You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

167 lines
6.4 KiB

8 years ago
8 years ago
  1. # Using deploy api
  2. Here are the scripts to deploy the certs/key to the server/services.
  3. ## 1. Deploy the certs to your cpanel host.
  4. (cpanel deploy hook is not finished yet, this is just an example.)
  5. Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
  6. Then you can deploy now:
  7. ```sh
  8. export DEPLOY_CPANEL_USER=myusername
  9. export DEPLOY_CPANEL_PASSWORD=PASSWORD
  10. acme.sh --deploy -d example.com --deploy --deploy-hook cpanel
  11. ```
  12. ## 2. Deploy ssl cert on kong proxy engine based on api.
  13. Before you can deploy your cert, you must [issue the cert first](https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert).
  14. (TODO)
  15. ## 3. Deploy the cert to remote server through SSH access.
  16. The ssh deploy plugin allows you to deploy certificates to a remote host
  17. using SSH command to connect to the remote server. The ssh plugin is invoked
  18. with the following command...
  19. ```sh
  20. acme.sh --deploy -d example.com --deploy-hook ssh
  21. ```
  22. Prior to running this for the first time you must tell the plugin where
  23. and how to deploy the certificates. This is done by exporting the following
  24. environment variables. This is not required for subsequent runs as the
  25. values are stored by acme.sh in the domain configuration files.
  26. Required...
  27. ```
  28. export ACME_DEPLOY_SSH_USER=username
  29. ```
  30. Optional...
  31. ```
  32. export ACME_DEPLOY_SSH_CMD=custom ssh command
  33. export ACME_DEPLOY_SSH_SERVER=url or ip address of remote host
  34. export ACME_DEPLOY_SSH_KEYFILE=filename for private key
  35. export ACME_DEPLOY_SSH_CERTFILE=filename for certificate file
  36. export ACME_DEPLOY_SSH_CAFILE=filename for intermediate CA file
  37. export ACME_DEPLOY_SSH_FULLCHAIN=filename for fullchain file
  38. export ACME_DEPLOY_SSH_REMOTE_CMD=command to execute on remote host
  39. export ACME_DEPLOY_SSH_BACKUP=yes or no
  40. ```
  41. **ACME_DEPLOY_SSH_USER**
  42. Username at the remote host that SSH will login with. Note that
  43. SSH must be able to login to remote host without a password... SSH Keys
  44. must have been exchanged with the remote host. Validate and test that you
  45. can login to USER@URL from the host running acme.sh before using this script.
  46. The USER@URL at the remote server must also have has permissions to write to
  47. the target location of the certificate files and to execute any commands
  48. (e.g. to stop/start services).
  49. **ACME_DEPLOY_SSH_CMD**
  50. You can customize the ssh command used to connect to the remote host. For example
  51. if you need to connect to a specific port at the remote server you can set this
  52. to, for example, "ssh -p 22" or to use `sshpass` to provide password inline
  53. instead of exchanging ssh keys (this is not recommended, using keys is
  54. more secure).
  55. **ACME_DEPLOY_SSH_SERVER**
  56. URL or IP Address of the remote server. If not provided then the domain
  57. name provided on the acme.sh --deploy command line is used.
  58. **ACME_DEPLOY_SSH_KEYFILE**
  59. Target filename for the private key issued by LetsEncrypt.
  60. **ACME_DEPLOY_SSH_CERTFILE**
  61. Target filename for the certificate issued by LetsEncrypt.
  62. If this is the same as the previous filename (for keyfile) then it is
  63. appended to the same file.
  64. **ACME_DEPLOY_SSH_CAFILE**
  65. Target filename for the CA intermediate certificate issued by LetsEncrypt.
  66. If this is the same as a previous filename (for keyfile or certfile) then
  67. it is appended to the same file.
  68. **ACME_DEPLOY_SSH_FULLCHAIN**
  69. Target filename for the fullchain certificate issued by LetsEncrypt.
  70. If this is the same as a previous filename (for keyfile, certfile or
  71. cafile) then it is appended to the same file.
  72. **ACME_DEPLOY_SSH_REMOTE_CMD**
  73. Command to execute on the remote server after copying any certificates. This
  74. could be any additional command required for example to stop and restart
  75. the service.
  76. **ACME_DEPLOY_SSH_BACKUP**
  77. Before writing a certificate file to the remote server the existing
  78. certificate will be copied to a backup directory on the remote server.
  79. These are placed in a hidden directory in the home directory of the SSH
  80. user
  81. ```sh
  82. ~/.acme_ssh_deploy/[domain name]-backup-[timestamp]
  83. ```
  84. Any backups older than 180 days will be deleted when new certificates
  85. are deployed. This defaults to "yes" set to "no" to disable backup.
  86. ###Eamples using SSH deploy
  87. The following example illustrates deploying certifcates to a QNAP NAS
  88. (tested with QTS version 4.2.3)
  89. ```sh
  90. export ACME_DEPLOY_SSH_USER="admin"
  91. export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
  92. export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
  93. export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
  94. export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
  95. acme.sh --deploy -d qnap.example.com --deploy-hook ssh
  96. ```
  97. Note how in this example both the private key and certificate point to
  98. the same file. This will result in the certificate being appended
  99. to the same file as the private key... a common requirement of several
  100. services.
  101. The next example illustates deploying certificates to a Unifi
  102. Contolller (tested with version 5.4.11).
  103. ```sh
  104. export ACME_DEPLOY_SSH_USER="root"
  105. export ACME_DEPLOY_SSH_KEYFILE="/var/lib/unifi/unifi.example.com.key"
  106. export ACME_DEPLOY_SSH_FULLCHAIN="/var/lib/unifi/unifi.example.com.cer"
  107. export ACME_DEPLOY_SSH_REMOTE_CMD="openssl pkcs12 -export \
  108. -inkey /var/lib/unifi/unifi.example.com.key \
  109. -in /var/lib/unifi/unifi.example.com.cer \
  110. -out /var/lib/unifi/unifi.example.com.p12 \
  111. -name ubnt -password pass:temppass \
  112. && keytool -importkeystore -deststorepass aircontrolenterprise \
  113. -destkeypass aircontrolenterprise \
  114. -destkeystore /var/lib/unifi/keystore \
  115. -srckeystore /var/lib/unifi/unifi.example.com.p12 \
  116. -srcstoretype PKCS12 -srcstorepass temppass -alias ubnt -noprompt \
  117. && service unifi restart"
  118. acme.sh --deploy -d unifi.example.com --deploy-hook ssh
  119. ```
  120. In this exmple we execute several commands on the remote host
  121. after the certificate files have been copied... to generate a pkcs12 file
  122. compatible with Unifi, to import it into the Unifi keystore and then finaly
  123. to restart the service.
  124. Note also that once the certificate is imported
  125. into the keystore the individual certificate files are no longer
  126. required. We could if we desired delete those files immediately. If we
  127. do that then we should disable backup at the remote host (as there are
  128. no files to backup -- they were erased during deployment). For example...
  129. ```sh
  130. export ACME_DEPLOY_SSH_BACKUP=no
  131. # modify the end of the remote command...
  132. && rm /var/lib/unifi/unifi.example.com.key \
  133. /var/lib/unifi/unifi.example.com.cer \
  134. /var/lib/unifi/unifi.example.com.p12 \
  135. && service unifi restart
  136. ```