1 | <?xml version="1.0" encoding="ISO-8859-1"?>
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
5 | %general-entities;
6 |
7 | <!ENTITY uacme-download-http
8 | "https://github.com/ndilieto/uacme/archive/refs/tags/v&uacme-version;/uacme-&uacme-version;.tar.gz">
9 | <!ENTITY uacme-download-ftp " ">
10 | <!ENTITY uacme-md5sum "0a8ff9a73e1d8006d4eee9908ca5f035">
11 | <!ENTITY uacme-size "250 KB">
12 | <!ENTITY uacme-buildsize "4.2 MB">
13 | <!ENTITY uacme-time "0.1 SBU">
14 | ]>
15 |
16 | <sect1 id="uacme" xreflabel="Uacme-&uacme-version;">
17 | <?dbhtml filename="uacme.html"?>
18 |
19 | <title>Uacme-&uacme-version;</title>
20 |
21 | <indexterm zone="uacme">
22 | <primary sortas="u-Uacme">Uacme</primary>
23 | </indexterm>
24 |
25 | <sect2 role="package">
26 | <title>Introduction to Uacme utility</title>
27 |
28 | <para>
29 | The <application>Uacme</application> package contains an easy-to-use
30 | utility to manage certificates provided by <literal>Let's Encrypt</literal>.
31 | It is an alternative to <application>certbot</application>.
32 | </para>
33 |
34 | &lfs122_checked;
35 |
36 | <bridgehead renderas="sect3">Package Information</bridgehead>
37 | <itemizedlist spacing="compact">
38 | <listitem>
39 | <para>
40 | Download (HTTP): <ulink url="&uacme-download-http;"/>
41 | </para>
42 | </listitem>
43 | <listitem>
44 | <para>
45 | Download (FTP): <ulink url="&uacme-download-ftp;"/>
46 | </para>
47 | </listitem>
48 | <listitem>
49 | <para>
50 | Download MD5 sum: &uacme-md5sum;
51 | </para>
52 | </listitem>
53 | <listitem>
54 | <para>
55 | Download size: &uacme-size;
56 | </para>
57 | </listitem>
58 | <listitem>
59 | <para>
60 | Estimated disk space required: &uacme-buildsize;
61 | </para>
62 | </listitem>
63 | <listitem>
64 | <para>
65 | Estimated build time: &uacme-time;
66 | </para>
67 | </listitem>
68 | </itemizedlist>
69 | <!--
70 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
71 | <itemizedlist spacing="compact">
72 | <listitem>
73 | <para>
74 | Required patch:
75 | <ulink url="&patch-root;/uacme-&uacme-version;-blfs_layout-1.patch"/>
76 | </para>
77 | </listitem>
78 | </itemizedlist>
79 | -->
80 | <bridgehead renderas="sect3">Uacme Dependencies</bridgehead>
81 |
82 | <bridgehead renderas="sect4">Required</bridgehead>
83 | <para role="required">
84 | <xref linkend="curl"/>,
85 | <xref linkend="gnutls"/> and
86 | <xref linkend="apache"/> (runtime)
87 | </para>
88 | <!--
89 | <bridgehead renderas="sect4">Recommended</bridgehead>
90 | <para role="recommended">
91 | <xref linkend="openssl"/>
92 | </para>
93 |
94 | <bridgehead renderas="sect4">Optional</bridgehead>
95 | <para role="optional">
96 | <xref linkend="brotli"/>,
97 | <xref linkend="db"/>,
98 | <xref linkend="doxygen"/>,
99 | <xref linkend="libxml2"/>,
100 | <xref linkend="lua"/>,
101 | <xref linkend="lynx"/> or
102 | <xref linkend="Links"/> or
103 | <ulink url="&elinks-url;">ELinks</ulink>,
104 | <xref linkend="nghttp2"/>,
105 | <xref linkend="openldap"/> (<xref linkend="apr-util"/> needs to be
106 | installed with ldap support),
107 | <xref linkend="rsync"/>, and
108 | <ulink url="https://sourceforge.net/projects/distcache">Distcache</ulink>
109 | </para>
110 | -->
111 | <!--
112 | <para condition="html" role="usernotes">
113 | User Notes: <ulink url="&blfs-wiki;/uacme"/>
114 | </para>
115 | -->
116 | </sect2>
117 |
118 | <sect2 role="installation">
119 | <title>Installation of Uacme utility</title>
120 |
121 | <para>
122 | First, fix a hard-coded path to match the default settings of
123 | the BLFS httpd installation:
124 | </para>
125 | <screen><userinput>sed -e "s;/var/www/;/srv/www/;" -i uacme.sh</userinput></screen>
126 |
127 | <para>
128 | Build and install <application>Uacme</application> by running the
129 | following commands:
130 | </para>
131 |
132 | <screen><userinput>autoreconf &&
133 | ./configure --prefix=/usr \
134 | --disable-docs &&
135 | make</userinput></screen>
136 |
137 | <para>
138 | This package does not come with a test suite.
139 | </para>
140 |
141 | <para>
142 | Now, as the <systemitem class="username">root</systemitem> user:
143 | </para>
144 |
145 | <screen role="root"><userinput>make install</userinput></screen>
146 |
147 | </sect2>
148 |
149 | <sect2 role="commands">
150 | <title>Command Explanations</title>
151 |
152 | <para>
153 | <parameter>--disable-docs</parameter>: This switch prevents rebuilding the documentation.
154 | </para>
155 |
156 | </sect2>
157 |
158 | <sect2 role="configuration">
159 | <title>Using Uacme</title>
160 |
161 | <note>
162 | <para>
163 | Make sure that your webserver works fine on http (port 80). It
164 | can be checked by pointing the browser to the URL you want to
165 | secure with the new certificate. In this example,
166 | point the browser to http://www.your.domain.com and verify that
167 | this produces the expected content.
168 | </para>
169 | <para>
170 | This also means that the DNS setup should be in place so
171 | that names can be used instead of bare IP addresses. The
172 | webserver has to be reachable from the internet.
173 | </para>
174 | </note>
175 |
176 | <para>
177 | First, create an account and a private key. The directory
178 | used in the subsequent command (<filename class="directory">/etc/uacme.d</filename>)
179 | can be freely chosen. The certificates will be stored there
180 | and the webserver must have read access to them.
181 | </para>
182 |
183 | <screen><userinput role="nodump">uacme -v -c /etc/uacme.d new</userinput></screen>
184 |
185 | <para>
186 | Next, start issuing a certificate for your domain:
187 | </para>
188 |
189 | <screen><userinput role="nodump">uacme -v -c /etc/uacme.d issue www.your.domain.com</userinput></screen>
190 |
191 | <para>
192 | Note that the program will stop at a specific point and wait
193 | for input before continuing. This pause is required because a file
194 | needs to be created manually according to the output of the
195 | program. Look for a line which looks like this:
196 | </para>
197 |
198 | <screen>uacme: challenge=http-01 ident=www.your.domain.com token=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4 key_auth=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU</screen>
199 |
200 | <para>
201 | Create a directory and a file within that directory in the
202 | webserver's document root:
203 | </para>
204 |
205 | <screen><userinput role="nodump">mkdir -p /srv/www/.well-known/acme-challenge
206 | echo "kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU" \
207 | > /srv/www/.well-known/acme-challenge/kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4</userinput></screen>
208 |
209 | <para>
210 | Both of these cryptic values are taken from the output of
211 | the <application>uacme</application> program: the filename is
212 | the value of <emphasis>token</emphasis> and the file content is
213 | the value of <emphasis>key_auth</emphasis>.
214 | </para>
215 | <para>
216 | After the file has been created, verify that the webserver has
217 | access to it by pointing your browser to
218 | <literal>http://www.your.domain.com/.well-known/acme-challenge/kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4</literal>.
219 | The value of <emphasis>key_auth</emphasis> should appear as
220 | plain text in your browser.
221 | </para>
222 | <para>
223 | If the browser shows the expected content, press 'y' followed by Enter
224 | and the program will continue to run. When finished, the
225 | certificate is placed in
226 | <filename class="directory">/etc/uacme.d/www.your.domain.com/cert.pem</filename> and
227 | the private key is stored in
228 | <filename class="directory">/etc/uacme.d/private/www.your.domain.com/key.pem</filename>.
229 | The well-known directory can now be deleted, as its content is
230 | valid only once and there is no reason to keep it:
231 | </para>
232 |
233 | <screen><userinput role="nodump">rm -rf /srv/www/.well-known</userinput></screen>
234 |
235 | <para>
236 | The next steps are to configure the webserver to use the created
237 | certificate for https and, unless there are good reasons to keep it, to
238 | switch off plain http. Note that the http-01 challenge used above needs
239 | port 80 to be reachable, so plain http is required again for renewals.
240 | </para>
241 |
242 | </sect2>
243 |
244 | <sect2 role="content">
245 | <title>Contents</title>
246 |
247 | <segmentedlist>
248 | <segtitle>Installed Programs</segtitle>
249 | <segtitle>Installed Libraries</segtitle>
250 | <segtitle>Installed Directories</segtitle>
251 |
252 | <seglistitem>
253 | <seg>
254 | uacme, ualpn
255 | </seg>
256 | <seg>
257 | none
258 | </seg>
259 | <seg>
260 | /usr/share/uacme
261 | </seg>
262 | </seglistitem>
263 | </segmentedlist>
264 | <!--
265 | <variablelist>
266 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
267 | <?dbfo list-presentation="list"?>
268 | <?dbhtml list-presentation="table"?>
269 |
270 | <varlistentry id="uacme-prog">
271 | <term><command>uacme</command></term>
272 | <listitem>
273 | <para>
274 | is a client used to obtain and manage certificates from an ACME
275 | server such as <literal>Let's Encrypt</literal>
276 | </para>
277 | <indexterm zone="uacme uacme-prog">
278 | <primary sortas="b-uacme">uacme</primary>
279 | </indexterm>
280 | </listitem>
281 | </varlistentry>
282 |
283 | <varlistentry id="ualpn">
284 | <term><command>ualpn</command></term>
285 | <listitem>
286 | <para>
287 | is a proxying responder for the ACME tls-alpn-01 challenge, shipped
288 | together with <command>uacme</command>
289 | </para>
290 | <indexterm zone="uacme ualpn">
291 | <primary sortas="b-ualpn">ualpn</primary>
292 | </indexterm>
293 | </listitem>
294 | </varlistentry>
295 | </variablelist>
296 | -->
297 | </sect2>
298 |
299 | </sect1>