Automating Let's Encrypt Certs for DD-WRT with acme.sh

17 Jan, 2021

Following up on previous notes on setting up Let's Encrypt for private networks and SSL for DD-WRT routers, here are notes on automating renewal of Let's Encrypt certificates using acme.sh.

I use Hurricane Electric's free DNS service for delegating DNS management for the private subdomains: DNS resolution is handled externally, but certificates are provisioned on the private network. You can find other free DNS providers on the Let's Encrypt community page.

If you don't want to make your private subdomain public, you can create a dummy.domain.ext, for example, and fetch wildcard certificates instead. If you are willing to open port 53 on your router and port forward, here's another alternative. I'm open to more suggestions; please post them in the comments.

Setup Instructions

  • Prerequisites are a DD-WRT router with external USB storage support. My notes on the setup are here and here.
  • First, delegate your subdomain's public DNS resolution to https://dns.he.net by setting up NS records for subdomain.domain.ext to point to ns[1-5].he.net, then add the subdomain to https://dns.he.net via the 'Add a new domain' page on the 'Zone Functions' menu.
  • Then, download https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh, give it execute permissions: chmod +x ./acme.sh.
  • Next, run the following, adjusting the variables as appropriate.
export HE_Username=""
export HE_Password=""

./acme.sh --install  \
--home /jffs/etc/acme.sh/ \
--config-home /jffs/etc/acme.sh/data \
--cert-home  /jffs/etc/acme.sh/certs \
--accountemail  "email@domain.ext" \
--useragent  "DD-WRT acme.sh" --force
  • Then copy the corresponding dns_<provider>.sh from https://github.com/acmesh-official/acme.sh/tree/master/dnsapi to /jffs/etc/acme.sh/dnsapi/.
  • Test issuing a new cert (the log redirection goes last so that stderr is also captured in the log file): # /jffs/etc/acme.sh/acme.sh --issue --dns dns_he -d subdomain.domain.ext --config-home /jffs/etc/acme.sh/data --staging --force >> /jffs/etc/acme.sh/logs/log.txt 2>&1
  • Revoke the test cert # /jffs/etc/acme.sh/acme.sh --revoke -d subdomain.domain.ext --revoke-reason 4 --config-home /jffs/etc/acme.sh/data/ --staging
  • Issue a production certificate by running the issue command above without --staging option.
  • Set up cron. Remember to prefix the cron command with root as pointed out here.
# Every day at 3 AM: https://crontab.guru/#0_3_*_*_*
0 3 * * * root /jffs/etc/acme.sh/acme.sh --renew --dns dns_he -d subdomain.domain.ext --config-home /jffs/etc/acme.sh/data >> /jffs/etc/acme.sh/logs/log.txt # --staging --force
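Because the issue command above is first run against the staging environment with --force, it is easy to end up with a staging certificate that browsers will not trust, or with a cron job that silently stops renewing. The following check is an added example (not part of the original post or of acme.sh) that can be run after the cron renewal; it assumes the certificate is at /jffs/etc/acme.sh/certs/subdomain.domain.ext/fullchain.cer (acme.sh's usual layout under the --cert-home given above) and that the Let's Encrypt staging issuer name contains "STAGING" or "Fake".

```shell
#!/bin/sh
# Constructed post-renewal check for the acme.sh setup described above.
# Assumed default path; override with CERT_FILE=... when calling the script.
CERT_FILE="${CERT_FILE:-/jffs/etc/acme.sh/certs/subdomain.domain.ext/fullchain.cer}"

# cert_status <cert.pem> <min_days>
# Prints one of: ok, expiring, staging, missing.
# Exit code is 0 only for "ok", so it can gate a follow-up step in cron.
cert_status() {
  cert="$1"
  min_days="${2:-30}"
  [ -f "$cert" ] || { echo missing; return 2; }

  # Assumption: Let's Encrypt staging intermediates carry "STAGING" or
  # "Fake" in their issuer name; a production cert never does.
  issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null)
  case "$issuer" in
    *STAGING*|*Fake*) echo staging; return 3 ;;
  esac

  # -checkend succeeds only if the cert is still valid min_days from now.
  if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
    echo ok
    return 0
  fi
  echo expiring
  return 1
}

# When invoked with a path, check that file (or the default) and log the result.
if [ -n "$1" ]; then
  status=$(cert_status "${1:-$CERT_FILE}" "${2:-30}")
  rc=$?
  echo "$(date) cert check: $status (rc=$rc)"
  exit "$rc"
fi
```

Run it from a second cron line after the renewal, e.g. `0 4 * * * root /jffs/etc/acme.sh/check_cert.sh /jffs/etc/acme.sh/certs/subdomain.domain.ext/fullchain.cer >> /jffs/etc/acme.sh/logs/log.txt 2>&1`, so a staging or near-expiry certificate shows up in the same log as the renewals.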

Sai Charan's blog by Sai Charan is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.