These are scripts and configuration files to run acme-tiny unpriviledged as much as possible under systemd systems.
This is based upon upstream README, refer to it for details.
After generating or converting your account private key, store it as
/etc/acme/accountkey.pemand set permission/ownership to 440 acme:acme.
The ${domain} private key should be stored as
/etc/acme/${domain}/privkey.pemand have permission/ownership to 400 root:root, but actually acme-tiny does
not use it once the CSR is generated, so these are just general recommandations.
However the CSR must be stored as
/etc/acme/${domain}/csr.pemand be 440 acme:acme.
Note that if you want to enable OCSP Must Staple for you certificates, you can
pass -addext "tlsfeature = status_request" to the openssl req command, in
which case you might want to setup OCSP priming.
One important modification here: the files are expected to reside under
/var/lib/acme/. The folder is created by the systemd-tmpfiles config,
but you need to setup your HTTP server correctly for this path.
Here we deviate sensibly from upstream because we also setup OCSP priming for OCSP stapling (see your web server document for how to configure that).
- Get the certificate:
sudo -u acme sh -c "/usr/bin/acme-tiny --account-key /etc/acme/accountkey.pem --csr /etc/acme/${domain}/csr.pem --acme-dir /var/lib/acme/ > /etc/acme/${domain}/fullchain.pem"- Fix permissions:
sudo chown root:root /etc/acme/${domain}/fullchain.pem
sudo chmod 444 /etc/acme/${domain}/fullchain.pem- Split the cert for our needs:
FULLCHAIN=$(sudo cat /etc/acme/${domain}/fullchain.pem)
echo "${FULLCHAIN%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----" | sudo tee /etc/acme/${domain}/cert.pem
echo -e "${FULLCHAIN#*-----END CERTIFICATE-----}" | sed '/./,$!d' | sudo tee /etc/acme/${domain}/chain.pem- OCSP priming:
sudo openssl ocsp -noverify -no_nonce -respout /etc/acme/${domain}/ocsp.der -issuer /etc/acme/${domain}/chain.pem -cert /etc/acme/${domain}/cert.pem -url $(sudo openssl x509 -noout -ocsp_uri -in /etc/acme/${domain}/cert.pem)Just enable the acme.timer systemd timer.
Most server services need to be reloaded or restarted in order to take into account a renewed certificate. You can have the systemd service automatically do so by adding a drop-in override:
[Service]
ExecStartPost=/usr/bin/systemctl try-reload-or-restart <space separated list of services>For instance, an usual <space separated list of services> on a mail server
might be nginx smtpd dovecot.
Nothing to do: the files are regenerated on each service run, so twice per day, while they are actually valid for 7 days and renewed upstream every 3 days.