Uacme-&uacme-version;

Introduction to Uacme utility

The Uacme package contains an easy to use utility to manage certificates provided by LetsEncrypt. It is an alternative to certbot.

&lfs122_checked;

Package Information

Download (HTTP):
Download (FTP):
Download MD5 sum: &uacme-md5sum;
Download size: &uacme-size;
Estimated disk space required: &uacme-buildsize;
Estimated build time: &uacme-time;

Uacme Dependencies

Required , and (runtime)

Installation of Uacme utility

First, fix a hard coded path to match the default settings of the BLFS httpd installation:

    sed -e "s;/var/www/;/srv/www/;" -i uacme.sh

Build and install Uacme by running the following commands:

    autoreconf &&
    ./configure --prefix=/usr \
                --disable-docs &&
    make

This package does not come with a test suite.

Now, as the root user:

    make install

Command Explanations

--disable-docs: This switch disables rebuilding the documentation.

Using Uacme

Make sure that your webserver works fine on http (port 80). This can be checked by pointing the browser to the URL you want to secure with the new certificate. In this example, point the browser to http://www.your.domain.com and verify that this produces the expected content. This also means that the DNS setup should be in place so that names can be used instead of bare IP addresses. The webserver has to be reachable from the internet.

First, create an account and a private key. The directory used in the subsequent command (/etc/uacme.d) can be freely chosen. The certificates will be stored there and the webserver must have read access to it.

    uacme -v -c /etc/uacme.d new

Next, initiate creating a certificate for your domain:

    uacme -v -c /etc/uacme.d issue www.your.domain.com

Note that the program will stop at a specific point and wait for input to continue. This waiting is required because a file needs to be created manually according to the output of the program.
Look for a line which looks like

    uacme: challenge=http-01 ident=www.your.domain.com token=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4 key_auth=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU

Create a directory and a file within that directory in the webserver's document root:

    mkdir -p /srv/www/.well-known/acme-challenge
    echo "kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU" \
        > /srv/www/.well-known/acme-challenge/kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4

Both of these cryptic values can be taken from the output of the uacme program. The filename is the value of token and its content is the value of key_auth.

After the file has been created, verify that the webserver has access to it by pointing your browser to http://www.your.domain.com/.well-known/acme-challenge/kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4. The value of key_auth should appear as plain text in your browser.

If this works and the browser shows the expected response, press 'y' + Enter and the program will continue to run.

When finished, the certificate is placed in /etc/uacme.d/www.your.domain.com/cert.pem and the private key is stored in /etc/uacme.d/private/www.your.domain.com/key.pem.

The well-known directory can now be deleted, as its content is usable only once, so there is no use in keeping it:

    rm -rf /srv/www/.well-known

The next steps are to switch off the http protocol in the webserver, unless there are good reasons to keep it available, and to configure the webserver to use the created certificate for https.

Contents

Installed Programs: uacme, ualpn
Installed Libraries: none
Installed Directories: /usr/share/uacme
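The http-01 challenge step in "Using Uacme" above creates one file by hand from the token and key_auth values. As an added example (not part of the BLFS page or of the uacme project's own uacme.sh), the helper below takes the challenge line uacme prints, extracts both fields, refuses a token that is not a plain base64url string (so the file can only land inside acme-challenge/), and writes the file with read access for the webserver. The function names and the WEBROOT default are assumptions; WEBROOT matches the /srv/www layout used on this page.

```shell
#!/bin/sh
# Added example, not the page's or uacme's own code.
# WEBROOT is assumed; it defaults to the BLFS httpd document root used above.
WEBROOT="${WEBROOT:-/srv/www}"

# Print the value of field $1 (e.g. token) from the uacme challenge line $2.
challenge_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# Accept only base64url characters: a token containing '/' or '..' must not
# be used as a filename, or the file could be written outside acme-challenge/.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Create $WEBROOT/.well-known/acme-challenge/<token> containing key_auth.
# Prints the path written; returns 1 if the line is not a usable http-01 challenge.
write_challenge() {
    line="$1"
    [ "$(challenge_field challenge "$line")" = "http-01" ] || return 1
    token="$(challenge_field token "$line")"
    key_auth="$(challenge_field key_auth "$line")"
    valid_token "$token" || return 1
    # key_auth must be "<token>.<account thumbprint>"; anything else is malformed
    case "$key_auth" in
        "$token".*) ;;
        *) return 1 ;;
    esac
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$key_auth" > "$dir/$token"
    chmod 644 "$dir/$token"   # the webserver only needs read access
    printf '%s\n' "$dir/$token"
}
```

Run it as `write_challenge "$(uacme ... | grep challenge=http-01)"` once uacme has paused; the path it prints is the one to verify in the browser before answering 'y'.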