mirror of
https://github.com/grindsa/acme2certifier.git
synced 2025-12-31 01:51:01 +02:00
Installation on NGINX Running on Alma Linux 9
The setup is designed so that uWSGI serves acme2certifier, while NGINX acts as a reverse proxy for better connection handling.
A ready-made shell script performing the tasks below can be found in the examples/install_scripts directory.
1. Download and Extract the Archive
cd /tmp
curl https://codeload.github.com/grindsa/acme2certifier/tar.gz/refs/heads/master -o a2c-master.tgz
tar xvfz a2c-master.tgz
cd /tmp/acme2certifier-master
2. Install Required Packages
sudo yum install -y epel-release
sudo yum update -y
sudo yum install -y python-pip nginx python3-uwsgidecorators.x86_64 tar uwsgi-plugin-python3 policycoreutils-python-utils
3. Set Up the Project Directory
sudo mkdir /opt/acme2certifier
# copy the extracted sources; all following steps expect them under /opt/acme2certifier
sudo cp -R /tmp/acme2certifier-master/* /opt/acme2certifier/
4. Install Required Python Modules
sudo pip install -r /opt/acme2certifier/requirements.txt
5. Configure acme2certifier
- Create a configuration file `acme_srv.cfg` in `/opt/acme2certifier/acme_srv/`, or use the example stored in the `examples` directory.
- Modify the configuration file according to your needs.
- Set the `handler_file` parameter in `acme_srv.cfg`, or copy the appropriate CA handler from `/opt/acme2certifier/examples/ca_handler/` to `/opt/acme2certifier/acme_srv/ca_handler.py`.
- Configure the connection to your CA server (the Insta Certifier CA handler page shows an example).
6. Activate the WSGI Database Handler
sudo cp /opt/acme2certifier/examples/db_handler/wsgi_handler.py /opt/acme2certifier/acme_srv/db_handler.py
7. Copy the WSGI Application File
sudo cp /opt/acme2certifier/examples/acme2certifier_wsgi.py /opt/acme2certifier/
8. Set Correct Permissions
sudo chmod a+x /opt/acme2certifier/acme_srv
sudo chown -R nginx /opt/acme2certifier/acme_srv
9. Test acme2certifier by Starting the Application
cd /opt/acme2certifier
sudo uwsgi --http-socket :8000 --plugin python3 --wsgi-file acme2certifier_wsgi.py
10. Verify Directory Access
Run the following command in a parallel session to confirm that everything is working:
curl http://127.0.0.1:8000/directory
Expected response:
{
    "newAccount": "http://127.0.0.1:8000/acme_srv/newaccount",
    "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "keyChange": "http://127.0.0.1:8000/acme_srv/key-change",
    "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce",
    "meta": {
        "home": "https://github.com/grindsa/acme2certifier",
        "author": "grindsa <grindelsack@gmail.com>"
    },
    "newOrder": "http://127.0.0.1:8000/acme_srv/neworders",
    "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"
}
11. Set Up uWSGI
- Create a uWSGI configuration file, or use the one stored in examples/nginx:
sudo cp examples/nginx/acme2certifier.ini /opt/acme2certifier
- Enable the Python3 plugin in the copied uWSGI configuration file (the copy under /opt/acme2certifier is the one uWSGI loads, so append to that file rather than to the example):
echo "plugins = python3" | sudo tee -a /opt/acme2certifier/acme2certifier.ini
- Create a systemd unit file for uWSGI, or use the one in examples/nginx:
sudo cp examples/nginx/uwsgi.service /etc/systemd/system/
sudo systemctl enable uwsgi.service
- Start uWSGI as a service:
sudo systemctl start uwsgi
12. Configure NGINX as a Reverse Proxy
- Use the example stored in examples/nginx and modify it as needed:
sudo cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf
- Restart NGINX:
sudo systemctl restart nginx
13. Adapt SELinux Configuration
Apply a customized policy to allow NGINX to communicate with uWSGI over Unix sockets:
sudo checkmodule -M -m -o acme2certifier.mod examples/nginx/acme2certifier.te
sudo semodule_package -o acme2certifier.pp -m acme2certifier.mod
sudo semodule -i acme2certifier.pp
14. Test the Server
curl http://<your-server-name>/directory
The above command may result in an error if the SELinux configuration still needs adjustment.
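As an added check that is not part of the acme2certifier project or its install script, the following POSIX shell helper validates the directory document fetched in steps 10 and 14: it verifies that the endpoints RFC 8555 requires are present and that their URLs sit under the base URL the client used. A mismatch there means a client that reaches the server through NGINX would be sent to the internal uWSGI address instead. The function names and the embedded sample document are constructed for this example.

```shell
#!/bin/sh
# Validate an ACME directory document (RFC 8555, section 7.1.1) as served by acme2certifier.
# Added helper, not project code; function names and the sample below are constructed.

REQUIRED_FIELDS="newNonce newAccount newOrder revokeCert keyChange"

validate_directory() {
  # $1: directory JSON, $2: base URL the client used (e.g. http://127.0.0.1:8000)
  # Returns 0 when every required field exists and each URL starts with the base URL;
  # otherwise prints the problems to stderr and returns 1.
  json=$1; base=$2; rc=0
  for field in $REQUIRED_FIELDS; do
    # isolate "field": "value" and strip it down to the value
    value=$(printf '%s' "$json" \
      | grep -o "\"$field\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
      | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"\(.*\)"$/\1/')
    if [ -z "$value" ]; then
      echo "missing directory field: $field" >&2; rc=1
    elif [ "${value#"$base"}" = "$value" ]; then
      # the client will follow this URL, so it must be reachable from where it sits
      echo "$field points to $value, which is not under $base" >&2; rc=1
    fi
  done
  return $rc
}

check_directory() {
  # $1: base URL; fetches /directory and validates it (step 10 uses the uWSGI
  # port directly, step 14 the public name served by NGINX)
  body=$(curl -fsS "$1/directory") || { echo "cannot fetch $1/directory" >&2; return 2; }
  validate_directory "$body" "$1"
}

# Constructed sample mirroring the expected response shown in step 10
SAMPLE_DIRECTORY='{"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount",
 "keyChange": "http://127.0.0.1:8000/acme_srv/key-change",
 "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce",
 "meta": {"home": "https://github.com/grindsa/acme2certifier"},
 "newOrder": "http://127.0.0.1:8000/acme_srv/neworders",
 "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"}'

# Run against a live server when a base URL is given on the command line
if [ "$#" -eq 1 ]; then check_directory "$1"; fi
```

Run it as `sh check_directory.sh http://<your-server-name>` after step 14; a non-zero exit with a "points to" message means the directory still advertises the uWSGI address rather than the name NGINX serves.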