Hello,

On 19.02.2018 at 21:38, Mike Slinn wrote:
> Any help would be appreciated.
> https://serverfault.com/questions/897909/pound-letsencrypt-for-play-framework-aws-cloudfront

Okay, I feed him there :-( But the "solution" is the worst for many reasons
(it requests external DNS servers from the pound host, makes unsecured DNS
updates, does not keep an eye on connection problems...). If you want to
use Pound with Letsencrypt certificates, there is another solution that
works well with the certificate updates and moreover works with
different domains as well. We have about 800 on any of our pound servers
;-) To get the certificates I suggest EFF's "official" certbot, which you can
get from https://github.com/certbot/certbot

1.) set up a small web server on localhost that listens on any free port
(e.g. 127.0.0.1:666)

2.) configure this as one of the first matching rules in pound

Service "letsencrypt"
    HeadRequire "Host: .*"
    URL "/.well-known/acme-challenge/.*"
    BackEnd
        Address 127.0.0.1
        Port 666
    End
End

3.) create a directory

$DOCUMENT_ROOT/.well-known/acme-challenge/

that is writable for the user that will do the next step

4.) run

certbot-auto certonly --email supp...@example.com \
-d www.example.com -d example.com --agree-tos \
--webroot --webroot-path /var/www/html/

("/var/www/html/" should be the document root)

You will get the first key/cert for the domains usually in

/etc/letsencrypt/

There will be new directories created, named after the domain that was
provided with the first -d argument.

5.) make the pem-file that can be used with pound

cp /etc/letsencrypt/live/www.example.com/privkey.pem \
/etc/pound/www.example.com.pem

cat /etc/letsencrypt/live/www.example.com/fullchain.pem >> \
/etc/pound/www.example.com.pem

6.) add the new certificate in pound as usual with
 Cert "/etc/pound/www.example.com.pem"


Because Letsencrypt certificates are only valid for 3 months, you should
set up a daily cronjob that does the renewal. We do this with

certbot-auto renew --post-hook "/etc/init.d/pound restart"
# or however you force pound to reload the certs
# please notice that this is a "post-hook", so you will
# load the certs that were renewed with the last run!

# rebuild the combined pem for every lineage directory under live/
# (the directory glob skips the README file certbot leaves there,
# which `ls` would have picked up as a "domain")
for d in /etc/letsencrypt/live/*/ ; do \
i=$(basename "$d") ; \
cp "/etc/letsencrypt/live/$i/privkey.pem" "/etc/pound/$i.pem" ; \
cat "/etc/letsencrypt/live/$i/fullchain.pem" >> "/etc/pound/$i.pem" ; \
done


HTH

regards
ritze
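An added example, not part of ritze's mail or of the Pound or certbot projects: steps 5 and 6 plus the cron job above, put into one POSIX sh script that rebuilds the combined Pound PEM (private key followed by fullchain) for every lineage under certbot's live/ directory. Compared with the one-liner in the mail it skips the README certbot leaves in live/, writes each file with mode 0600 via a temporary name (the file holds a private key), and is written so that it can run as a certbot `--deploy-hook`, which certbot only runs after a certificate was actually renewed, so the rebuild happens before the restart instead of one run late as with the post-hook. The script name `pound-deploy.sh`, the two directories and the restart command are assumptions taken from the mail's own paths.

```shell
#!/bin/sh
# Added example, not ritze's script. Rebuild Pound's combined PEM files
# from certbot's live/ tree. Paths below are assumptions (same as in the
# mail); both are parameters so the function can be run on a scratch tree.

# build_pound_pems LIVE_DIR POUND_DIR
# For every lineage directory under LIVE_DIR that has both privkey.pem and
# fullchain.pem, write POUND_DIR/<lineage>.pem = privkey + fullchain.
# Prints the number of PEM files written; returns 1 if any lineage
# directory was incomplete (that lineage is skipped, the rest still built).
build_pound_pems() {
    live_dir=$1
    pound_dir=$2
    written=0
    rc=0
    old_umask=$(umask)
    umask 077                         # new files are 0600: they hold a private key
    mkdir -p "$pound_dir"
    # A directory glob matches only lineage directories, so certbot's
    # README file in live/ is never treated as a domain.
    for lineage in "$live_dir"/*/; do
        [ -d "$lineage" ] || continue  # glob matched nothing: literal pattern
        name=$(basename "$lineage")
        key="$lineage/privkey.pem"
        chain="$lineage/fullchain.pem"
        if [ ! -f "$key" ] || [ ! -f "$chain" ]; then
            echo "skipping $name: privkey.pem or fullchain.pem missing" >&2
            rc=1
            continue
        fi
        # Write to a temp name and rename, so Pound never sees a half-written
        # file if it is restarted in the middle of a rebuild.
        tmp="$pound_dir/.$name.pem.tmp"
        cat "$key" "$chain" > "$tmp" && mv "$tmp" "$pound_dir/$name.pem"
        written=$((written + 1))
    done
    umask "$old_umask"
    echo "$written"
    return $rc
}

# When installed as /usr/local/sbin/pound-deploy.sh (assumed name) and used
# as   certbot-auto renew --deploy-hook /usr/local/sbin/pound-deploy.sh
# the rebuild runs only after a real renewal, and before the restart.
case "${0##*/}" in
    pound-deploy.sh)
        build_pound_pems /etc/letsencrypt/live /etc/pound
        /etc/init.d/pound restart      # or however you reload Pound's certs
        ;;
esac
```

The function deliberately keeps going after an incomplete lineage and reports it on stderr and via the exit status, so one broken domain does not stop the other PEMs from being refreshed, which matters with hundreds of domains on one Pound host.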
