[803f435] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
| 5 | %general-entities;
| 6 |
| 7 | <!ENTITY uacme-download-http
[a774a7f3] | 8 | "https://github.com/ndilieto/uacme/archive/refs/tags/v&uacme-version;/uacme-&uacme-version;.tar.gz">
[803f435] | 9 | <!ENTITY uacme-download-ftp " ">
[a774a7f3] | 10 | <!ENTITY uacme-md5sum "0a8ff9a73e1d8006d4eee9908ca5f035">
[803f435] | 11 | <!ENTITY uacme-size "250 KB">
<!ENTITY uacme-buildsize "4.2 MB">
[803f435] | 13 | <!ENTITY uacme-time "0.1 SBU">
| 14 | ]>
| 15 |
| 16 | <sect1 id="uacme" xreflabel="Uacme-&uacme-version;">
| 17 | <?dbhtml filename="uacme.html"?>
| 18 |
| 19 | <title>Uacme-&uacme-version;</title>
| 20 |
| 21 | <indexterm zone="uacme">
| 22 | <primary sortas="u-Uacme">Uacme</primary>
| 23 | </indexterm>
| 24 |
| 25 | <sect2 role="package">
| 26 | <title>Introduction to Uacme utility</title>
| 27 |
| 28 | <para>
The <application>Uacme</application> package contains an easy-to-use
utility to manage certificates provided by <literal>LetsEncrypt</literal>.
It is an alternative to <application>certbot</application>.
| 32 | </para>
| 33 |
[a774a7f3] | 34 | &lfs120_checked;
[803f435] | 35 |
| 36 | <bridgehead renderas="sect3">Package Information</bridgehead>
| 37 | <itemizedlist spacing="compact">
| 38 | <listitem>
| 39 | <para>
| 40 | Download (HTTP): <ulink url="&uacme-download-http;"/>
| 41 | </para>
| 42 | </listitem>
| 43 | <listitem>
| 44 | <para>
| 45 | Download (FTP): <ulink url="&uacme-download-ftp;"/>
| 46 | </para>
| 47 | </listitem>
| 48 | <listitem>
| 49 | <para>
| 50 | Download MD5 sum: &uacme-md5sum;
| 51 | </para>
| 52 | </listitem>
| 53 | <listitem>
| 54 | <para>
| 55 | Download size: &uacme-size;
| 56 | </para>
| 57 | </listitem>
| 58 | <listitem>
| 59 | <para>
| 60 | Estimated disk space required: &uacme-buildsize;
| 61 | </para>
| 62 | </listitem>
| 63 | <listitem>
| 64 | <para>
| 65 | Estimated build time: &uacme-time;
| 66 | </para>
| 67 | </listitem>
| 68 | </itemizedlist>
| 69 | <!--
| 70 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
| 71 | <itemizedlist spacing="compact">
| 72 | <listitem>
| 73 | <para>
| 74 | Required patch:
| 75 | <ulink url="&patch-root;/uacme-&uacme-version;-blfs_layout-1.patch"/>
| 76 | </para>
| 77 | </listitem>
| 78 | </itemizedlist>
| 79 | -->
| 80 | <bridgehead renderas="sect3">Uacme Dependencies</bridgehead>
| 81 |
| 82 | <bridgehead renderas="sect4">Required</bridgehead>
| 83 | <para role="required">
| 84 | <xref linkend="curl"/>,
| 85 | <xref linkend="gnutls"/> and
| 86 | <xref linkend="apache"/> (runtime)
| 87 | </para>
| 88 | <!--
| 89 | <bridgehead renderas="sect4">Recommended</bridgehead>
| 90 | <para role="recommended">
| 91 | <xref linkend="openssl"/>
| 92 | </para>
| 93 |
| 94 | <bridgehead renderas="sect4">Optional</bridgehead>
| 95 | <para role="optional">
| 96 | <xref linkend="brotli"/>,
| 97 | <xref linkend="db"/>,
| 98 | <xref linkend="doxygen"/>,
| 99 | <xref linkend="libxml2"/>,
| 100 | <xref linkend="lua"/>,
| 101 | <xref linkend="lynx"/> or
| 102 | <xref linkend="Links"/> or
| 103 | <ulink url="&elinks-url;">ELinks</ulink>,
| 104 | <xref linkend="nghttp2"/>,
| 105 | <xref linkend="openldap"/> (<xref linkend="apr-util"/> needs to be
| 106 | installed with ldap support),
| 107 | <xref linkend="rsync"/>, and
| 108 | <ulink url="https://sourceforge.net/projects/distcache">Distcache</ulink>
| 109 | </para>
| 110 | -->
[a774a7f3] | 111 | <!--
[803f435] | 112 | <para condition="html" role="usernotes">
| 113 | User Notes: <ulink url="&blfs-wiki;/uacme"/>
| 114 | </para>
[a774a7f3] | 115 | -->
[803f435] | 116 | </sect2>
| 117 |
| 118 | <sect2 role="installation">
| 119 | <title>Installation of Uacme utility</title>
| 120 |
| 121 | <para>
First, fix a hard-coded path to match the default settings of
the BLFS httpd installation:
| 124 | </para>
| 125 | <screen><userinput>sed -e "s;/var/www/;/srv/www/;" -i uacme.sh</userinput></screen>
| 126 |
| 127 | <para>
| 128 | Build and install <application>Uacme</application> by running the
| 129 | following commands:
| 130 | </para>
| 131 |
| 132 | <screen><userinput>autoreconf &&
| 133 | ./configure --prefix=/usr \
| 134 | --disable-docs &&
| 135 | make</userinput></screen>
| 136 |
| 137 | <para>
| 138 | This package does not come with a test suite.
| 139 | </para>
| 140 |
| 141 | <para>
| 142 | Now, as the <systemitem class="username">root</systemitem> user:
| 143 | </para>
| 144 |
| 145 | <screen role="root"><userinput>make install</userinput></screen>
| 146 |
| 147 | </sect2>
| 148 |
| 149 | <sect2 role="commands">
| 150 | <title>Command Explanations</title>
| 151 |
| 152 | <para>
<parameter>--disable-docs</parameter>: This switch prevents the documentation from being rebuilt.
| 154 | </para>
| 155 |
| 156 | </sect2>
| 157 |
| 158 | <sect2 role="configuration">
| 159 | <title>Using Uacme</title>
| 160 |
| 161 | <note>
| 162 | <para>
Make sure that your webserver works correctly over HTTP (port 80). This
can be checked by pointing the browser to the URL you want to
secure with the new certificate. In this example,
point the browser to http://www.your.domain.com and verify that
this produces the expected content.
| 168 | </para>
| 169 | <para>
This also means that the DNS setup has to be in place so
that names can be used instead of bare IP addresses, and the
webserver has to be reachable from the internet.
| 173 | </para>
| 174 | </note>
| 175 |
| 176 | <para>
| 177 | First, create an account and a private key. The directory
| 178 | used in the subsequent command (<filename class="directory">/etc/uacme.d</filename>)
| 179 | can be freely chosen. The certificates will be stored there
| 180 | and the webserver must have read access to it.
| 181 | </para>
| 182 |
| 183 | <screen><userinput role="nodump">uacme -v -c /etc/uacme.d new</userinput></screen>
| 184 |
| 185 | <para>
Next, initiate the creation of a certificate for your domain:
| 187 | </para>
| 188 |
| 189 | <screen><userinput role="nodump">uacme -v -c /etc/uacme.d issue www.your.domain.com</userinput></screen>
| 190 |
| 191 | <para>
Note that the program will stop at a specific point and wait
for input to continue. This pause is required because a file
needs to be created manually according to the output of the
program. Look for a line similar to the following:
| 196 | </para>
| 197 |
| 198 | <screen>uacme: challenge=http-01 ident=www.your.domain.com token=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4 key_auth=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU</screen>
| 199 |
| 200 | <para>
| 201 | Create a directory and a file within that directory in the
| 202 | webserver's document root:
| 203 | </para>
| 204 |
| 205 | <screen><userinput role="nodump">mkdir /srv/www/.well-known/acme-challenge
| 206 | echo "kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU" \
| 207 | > /srv/www/.well-known/acme-challenge/kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4</userinput></screen>
| 208 |
| 209 | <para>
Both of these cryptic values can be taken from the output of
the <application>uacme</application> program. The filename is
the value of <emphasis>token</emphasis> and its content is
taken from <emphasis>key_auth</emphasis>.
| 214 | </para>
| 215 | <para>
After the file has been created, verify that the webserver has
access to it by pointing your browser to
<literal>http://www.your.domain.com/.well-known/acme-challenge/kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4</literal>.
The value of <emphasis>key_auth</emphasis> should appear as
plain text in your browser.
| 221 | </para>
| 222 | <para>
Once this is done and the browser shows the expected response, press 'y' followed by Enter
and the program will continue to run. When finished, the
certificate is placed in
<filename>/etc/uacme.d/www.your.domain.com/cert.pem</filename> and
the private key is stored in
<filename>/etc/uacme.d/private/www.your.domain.com/key.pem</filename>.
The .well-known directory can now be deleted, as its content is
usable only once, so there is no point in keeping it:
| 231 | </para>
| 232 |
| 233 | <screen><userinput role="nodump">rm -rf /srv/www/.well-known</userinput></screen>
| 234 |
| 235 | <para>
The next step is to switch off the HTTP protocol in the
webserver, unless there are good reasons to keep it available, and to
configure the webserver to use the created certificate
for HTTPS.
| 240 | </para>
| 241 |
| 242 | </sect2>
| 243 |
| 244 | <sect2 role="content">
| 245 | <title>Contents</title>
| 246 |
| 247 | <segmentedlist>
| 248 | <segtitle>Installed Programs</segtitle>
| 249 | <segtitle>Installed Libraries</segtitle>
| 250 | <segtitle>Installed Directories</segtitle>
| 251 |
| 252 | <seglistitem>
| 253 | <seg>
| 254 | uacme, ualpn
| 255 | </seg>
| 256 | <seg>
| 257 | none
| 258 | </seg>
| 259 | <seg>
| 260 | /usr/share/uacme
| 261 | </seg>
| 262 | </seglistitem>
| 263 | </segmentedlist>
| 264 | <!--
| 265 | <variablelist>
| 266 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
| 267 | <?dbfo list-presentation="list"?>
| 268 | <?dbhtml list-presentation="table"?>
| 269 |
| 270 | <varlistentry id="uacme">
| 271 | <term><command>uacme</command></term>
| 272 | <listitem>
| 273 | <para>
| 274 | is a tool for building and installing extension modules for the
| 275 | <application>Apache</application> HTTP server
| 276 | </para>
| 277 | <indexterm zone="uacme uacme">
| 278 | <primary sortas="b-uacme">uacme</primary>
| 279 | </indexterm>
| 280 | </listitem>
| 281 | </varlistentry>
| 282 |
| 283 | <varlistentry id="ualpn">
| 284 | <term><command>ualpn</command></term>
| 285 | <listitem>
| 286 | <para>
| 287 | is a tool for building and installing extension modules for the
| 288 | <application>Apache</application> HTTP server
| 289 | </para>
| 290 | <indexterm zone="ualpn ualpn">
| 291 | <primary sortas="b-ualpn">ualpn</primary>
| 292 | </indexterm>
| 293 | </listitem>
| 294 | </varlistentry>
| 295 | </variablelist>
| 296 | -->
| 297 | </sect2>
| 298 |
| 299 | </sect1>