| docs:guide-user:services:tls:certs [2022/07/08 09:48] – [Self signed certs] tmomas | docs:guide-user:services:tls:certs [2023/06/07 04:58] – split articles stokito |
|---|
| * [[https://github.com/acmesh-official/acme.sh|acme.sh]] is a small ACME client written in shell script and has a LuCI app to configure it. This is the recommended client for OpenWrt. | * [[https://github.com/acmesh-official/acme.sh|acme.sh]] is a small ACME client written in shell script and has a LuCI app to configure it. This is the recommended client for OpenWrt. |
| * [[https://github.com/ndilieto/uacme|uacme]] lightweight ACME client written in plain C with minimal dependencies: libcurl and one of MbedTLS, OpenSSL or GnuTLS. | * [[https://github.com/ndilieto/uacme|uacme]] lightweight ACME client written in plain C with minimal dependencies: libcurl and one of MbedTLS, OpenSSL or GnuTLS. |
| * [[https://github.com/dehydrated-io/dehydrated|dehydrated]] is a Bash script similar to acme.sh. Rarely used. | * Many other clients are listed under [[https://letsencrypt.org/docs/client-options/|ACME Client Implementations]] |
| | |
| | If you have already taken care of certificate automation, see also [[:docs:guide-user:luci:getting_rid_of_luci_https_certificate_warnings#option_ainstalling_a_publicly_trusted_certificate|Installing a publicly trusted certificate]]. |
| |
| |
| ===== ACME.sh ===== | ===== ACME.sh ===== |
| | See [[docs:guide-user:services:tls:acme|acme.sh]] |
| ==== For experienced users ==== | |
| From the command line run ''opkg install acme luci-app-acme'', then edit ''/etc/config/acme'' and restart the service with ''service acme restart''. | |
| | |
| ==== Easier way using the GUI ==== | |
| | |
| Open the LuCI dashboard and in the main menu go to ''System'' / ''Software''. Click ''Update lists...'' to load the list of available packages. | |
| Then type ''luci-app-acme'' into the ''Filter'' field and press Enter. Click the install button. This installs acme.sh together with its LuCI app. | |
| | |
| To configure in LUCI in the main menu open ''Services'' / ''ACME certs''. | |
| Basic configuration: | |
| * ''Account email'': put your email to receive expiry notices when your certificate is coming up for renewal. | |
| * You'll see a preconfigured EXAMPLE domain. We can change it for ourselves: | |
| * ''Enabled'': Click to enable | |
| * ''Use staging server'': unselect this for the real certificate. Leaving it selected issues a certificate from the Let's Encrypt staging CA, which browsers do not trust but which does not count against the production rate limits, so it is useful for a first test run. | |
| * ''Use for uhttpd'': better to unselect this if you are not sure; it makes uhttpd (the LuCI web server) switch to the issued certificate. | |
| * ''Key size'': Select ''ECC 256 bits''. The key will be based on an elliptic curve, which gives comparable security to RSA with a much smaller key and faster TLS handshakes. | |
| * ''Domain names'': change example.org to your domain | |
| * Click on ''Save and Apply'' | |
| | |
| Now wait a while for the certificate to be issued. | |
| After that you can find the certificates in ''/etc/acme/YOURDOMAIN'' folder e.g.: | |
| * ''/etc/acme/YOURDOMAIN/YOURDOMAIN.key'' the TLS private key. Never share it! | |
| * ''/etc/acme/YOURDOMAIN/fullchain.cer'' the TLS certificate and chain of CA that signed it. | |
| | |
| You can use them in nginx, uhttpd, lighttpd, [[docs:guide-user:services:email:emailrelay|EmailRelay]] and any other server that you want to configure with TLS. | |
| |
| ===== Self signed certs ===== | ===== Self signed certs ===== |
| See [[:docs:guide-user:services:webserver:uhttpd#https_enable_and_certificate_settings_and_creation|HTTPS Enable and Certificate Settings and Creation]] | See [[:docs:guide-user:services:webserver:uhttpd#https_enable_and_certificate_settings_and_creation|HTTPS Enable and Certificate Settings and Creation]] or [[:docs:guide-user:luci:getting_rid_of_luci_https_certificate_warnings#option_bcreating_installing_trusting_a_self-signed_certificate|Getting rid of LuCI HTTPS warnings]]. |
| |
| | ===== Own Certificate Authority with PKI ===== |
| | See [[docs:guide-user:services:tls:pki|Installing and trusting a root CA certificate in a PKI]] |
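
The command-line variant of the acme.sh procedure above (install, write ''/etc/config/acme'', restart, then check what landed in ''/etc/acme/YOURDOMAIN''), written out as an added example. This is not code from the page, the acme package or the acme.sh project. It assumes the UCI option names of the OpenWrt acme package (''account_email'', ''enabled'', ''use_staging'', ''keylength'', ''update_uhttpd'', ''domains''), the ''/etc/acme'' state directory named on this page, and the package's default HTTP validation, which needs the domain to resolve to the router and port 80 reachable from the internet.

```sh
#!/bin/sh
# Added example (not part of the OpenWrt acme package or LuCI app):
# configure an acme.sh certificate with uci-style config from a shell,
# then verify the files acme.sh wrote. Assumed option names: account_email,
# enabled, use_staging, keylength, update_uhttpd, domains; assumed state
# directory: /etc/acme.

# Write a minimal /etc/config/acme.
#   $1 = config path, $2 = account email, $3 = domain,
#   $4 = 1 for the Let's Encrypt staging CA (untrusted, but no production
#        rate limits; use for a first test run), 0 for a real certificate.
write_acme_config() {
    path=$1; email=$2; domain=$3; staging=${4:-0}
    # UCI section names may only contain [A-Za-z0-9_], so map the dots away
    section=$(printf '%s' "$domain" | tr -c 'A-Za-z0-9_\n' '_')
    cat > "$path" <<EOF
config acme
	option account_email '$email'
	option debug '0'

config cert '$section'
	option enabled '1'
	option use_staging '$staging'
	option keylength 'ec-256'
	option update_uhttpd '0'
	list domains '$domain'
EOF
}

# Install the packages, write the config and start issuance.
# Run as root on the router: setup_acme_cert you@example.org example.org [staging]
setup_acme_cert() {
    opkg update && opkg install acme luci-app-acme || return 1
    write_acme_config /etc/config/acme "$1" "$2" "${3:-0}"
    service acme restart
}

# Check what acme.sh produced: private key and full chain present, and the
# key not readable by other users. $1 = state dir (/etc/acme), $2 = domain.
# Prints the two paths to hand to uhttpd, nginx, lighttpd or another server.
check_issued_cert() {
    dir=$1/$2
    key=$dir/$2.key
    chain=$dir/fullchain.cer
    [ -s "$key" ]   || { echo "missing private key $key" >&2; return 1; }
    [ -s "$chain" ] || { echo "missing chain $chain" >&2; return 1; }
    # find prints the path only when the others-read bit (o+r) is set
    if [ -n "$(find "$key" -perm -004)" ]; then
        echo "private key $key is world-readable; fix with: chmod 600 $key" >&2
        return 1
    fi
    printf 'key=%s\nchain=%s\n' "$key" "$chain"
}
```

''check_issued_cert /etc/acme example.org'' can be re-run after every renewal; a key that becomes world-readable is the failure mode worth catching, since the certificate itself is public anyway.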