cleanup documentation and suppress some remote messages.

This commit is contained in:
David Kerr 2017-02-12 11:17:23 -05:00
parent 0a7a1b9bfb
commit 3a77a6eded
2 changed files with 87 additions and 39 deletions

View File

@ -38,23 +38,21 @@ values are stored by acme.sh in the domain configuration files.
Required... Required...
```bash ```bash
export ACME_DEPLOY_SSH_USER="admin" export ACME_DEPLOY_SSH_USER=username
``` ```
Optional... Optional...
```bash ```bash
export ACME_DEPLOY_SSH_CMD="" export ACME_DEPLOY_SSH_CMD=custom ssh command
export ACME_DEPLOY_SSH_SERVER="qnap" export ACME_DEPLOY_SSH_SERVER=url or ip address of remote host
export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem" export ACME_DEPLOY_SSH_KEYFILE=filename for private key
export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem" export ACME_DEPLOY_SSH_CERTFILE=filename for certificate file
export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem" export ACME_DEPLOY_SSH_CAFILE=filename for intermediate CA file
export ACME_DEPLOY_SSH_FULLCHAIN="" export ACME_DEPLOY_SSH_FULLCHAIN=filename forfullchain file
export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart" export ACME_DEPLOY_SSH_REMOTE_CMD=command to execute on remote host
export ACME_DEPLOY_SSH_BACKUP="" export ACME_DEPLOY_SSH_BACKUP=yes or no
``` ```
The values used above are illustrative only and represent those that could
be used to deploy certificates to a QNAP NAS device running QTS 4.2
###ACME_DEPLOY_SSH_USER **ACME_DEPLOY_SSH_USER**
Username at the remote host that SSH will login with. Note that Username at the remote host that SSH will login with. Note that
SSH must be able to login to remote host without a password... SSH Keys SSH must be able to login to remote host without a password... SSH Keys
must have been exchanged with the remote host. Validate and test that you must have been exchanged with the remote host. Validate and test that you
@ -63,32 +61,42 @@ can login to USER@URL from the host running acme.sh before using this script.
The USER@URL at the remote server must also have has permissions to write to The USER@URL at the remote server must also have has permissions to write to
the target location of the certificate files and to execute any commands the target location of the certificate files and to execute any commands
(e.g. to stop/start services). (e.g. to stop/start services).
###ACME_DEPLOY_SSH_CMD
**ACME_DEPLOY_SSH_CMD**
You can customize the ssh command used to connect to the remote host. For example You can customize the ssh command used to connect to the remote host. For example
if you need to connect to a specific port at the remote server you can set this if you need to connect to a specific port at the remote server you can set this
to, for example, "ssh -p 22" to, for example, "ssh -p 22" or to use `sshpass` to provide password inline
###ACME_DEPLOY_SSH_SERVER instead of exchanging ssh keys (this is not recommended, using keys is
more secure).
**ACME_DEPLOY_SSH_SERVER**
URL or IP Address of the remote server. If not provided then the domain URL or IP Address of the remote server. If not provided then the domain
name provided on the acme.sh --deploy command line is used. name provided on the acme.sh --deploy command line is used.
###ACME_DEPLOY_SSH_KEYFILE
**ACME_DEPLOY_SSH_KEYFILE**
Target filename for the private key issued by LetsEncrypt. Target filename for the private key issued by LetsEncrypt.
###ACME_DEPLOY_SSH_CERTFILE
Target filename for the certificate issued by LetsEncrypt. If this filename **ACME_DEPLOY_SSH_CERTFILE**
is the same as that provided for ACME_DEPLOY_SSH_KEYFILE then this certificate Target filename for the certificate issued by LetsEncrypt.
is appended to the same file as the private key. If this is the same as the previous filename (for keyfile) then it is
###ACME_DEPLOY_SSH_CAFILE appended to the same file.
**ACME_DEPLOY_SSH_CAFILE**
Target filename for the CA intermediate certificate issued by LetsEncrypt. Target filename for the CA intermediate certificate issued by LetsEncrypt.
If this is the same as a previous filename then it is appended to the same If this is the same as a previous filename (for keyfile or certfile) then
file it is appended to the same file.
###ACME_DEPLOY_SSH_FULLCHAIN
**ACME_DEPLOY_SSH_FULLCHAIN**
Target filename for the fullchain certificate issued by LetsEncrypt. Target filename for the fullchain certificate issued by LetsEncrypt.
If this is the same as a previous filename then it is appended to the same If this is the same as a previous filename (for keyfile, certfile or
file cafile) then it is appended to the same file.
###ACME_DEPLOY_SSH_REMOTE_CMD
**ACME_DEPLOY_SSH_REMOTE_CMD**
Command to execute on the remote server after copying any certificates. This Command to execute on the remote server after copying any certificates. This
could be any additional command required for example to stop and restart could be any additional command required for example to stop and restart
the service. the service.
###ACME_DEPLOY_SSH_BACKUP
**ACME_DEPLOY_SSH_BACKUP**
Before writing a certificate file to the remote server the existing Before writing a certificate file to the remote server the existing
certificate will be copied to a backup directory on the remote server. certificate will be copied to a backup directory on the remote server.
These are placed in a hidden directory in the home directory of the SSH These are placed in a hidden directory in the home directory of the SSH
@ -98,3 +106,43 @@ user
``` ```
Any backups older than 180 days will be deleted when new certificates Any backups older than 180 days will be deleted when new certificates
are deployed. This defaults to "yes" set to "no" to disable backup. are deployed. This defaults to "yes" set to "no" to disable backup.
###Eamples using SSH deploy
The following example illustrates deploying certifcates to a QNAP NAS
running QTS 4.2
```bash
export ACME_DEPLOY_SSH_USER="admin"
export ACME_DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
export ACME_DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
export ACME_DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
export ACME_DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
acme.sh --deploy -d qnap.example.com --deploy-hook ssh
```
The next example illustates deploying certificates to a Unifi
Contolller (tested with version 5.4.11).
```bash
export ACME_DEPLOY_SSH_USER="root"
export ACME_DEPLOY_SSH_KEYFILE="/var/lib/unifi/unifi.example.com.key"
export ACME_DEPLOY_SSH_FULLCHAIN="/var/lib/unifi/unifi.example.com.cer"
export ACME_DEPLOY_SSH_REMOTE_CMD="openssl pkcs12 -export \
-inkey /var/lib/unifi/unifi.example.com.key \
-in /var/lib/unifi/unifi.example.com.cer \
-out /var/lib/unifi/unifi.example.com.p12 \
-name ubnt -password pass:temppass \
&& keytool -importkeystore -deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore \
-srckeystore /var/lib/unifi/unifi.example.com.p12 \
-srcstoretype PKCS12 -srcstorepass temppass -alias ubnt -noprompt \
&& service unifi restart"
acme.sh --deploy -d qnap.example.com --deploy-hook ssh
```
Note how in this exmple we execute several commands on the remote host
after the certificate files have been copied... to generate a pkcs12 file
compatible with Unifi, to import it into the Unifi keystore and then finaly
to restart the service.

View File

@ -93,7 +93,7 @@ ssh_deploy() {
if [ -n "$Le_Deploy_ssh_keyfile" ]; then if [ -n "$Le_Deploy_ssh_keyfile" ]; then
if [ "$Le_Deploy_ssh_backup" = "yes" ]; then if [ "$Le_Deploy_ssh_backup" = "yes" ]; then
# backup file we are about to overwrite. # backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir ;" _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;"
fi fi
# copy new certificate into file. # copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;" _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;"
@ -113,7 +113,7 @@ ssh_deploy() {
_pipe=">>" _pipe=">>"
elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
# backup file we are about to overwrite. # backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir ;" _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;"
fi fi
# copy new certificate into file. # copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;" _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;"
@ -134,7 +134,7 @@ ssh_deploy() {
_pipe=">>" _pipe=">>"
elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
# backup file we are about to overwrite. # backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir ;" _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;"
fi fi
# copy new certificate into file. # copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;" _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;"
@ -156,7 +156,7 @@ ssh_deploy() {
_pipe=">>" _pipe=">>"
elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
# backup file we are about to overwrite. # backup file we are about to overwrite.
_cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir ;" _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;"
fi fi
# copy new certificate into file. # copy new certificate into file.
_cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;" _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;"