Hello,

On 19.02.2018 at 21:38 Mike Slinn wrote:
> Any help would be appreciated.
> https://serverfault.com/questions/897909/pound-letsencrypt-for-play-framework-aws-cloudfront
Okay, I feed him there :-( But the "solution" is the worst for many reasons
(it requests external DNS servers from the pound host, makes unsecured DNS
updates, does not keep an eye on connection problems...).

If you want to use Pound with Let's Encrypt certificates, there is another
solution that works well with the certificate updates and moreover works
with different domains as well. We have about 800 on any of our pound
servers ;-)

To get the certificates I suggest EFF's "official" certbot, which you can
get from https://github.com/certbot/certbot

1.) Set up a small webserver on localhost that listens on any free port
    (e.g. 127.0.0.1:666).

2.) Configure this as one of the first matching rules in pound:

        Service "letsencrypt"
            HeadRequire "Host: .*"
            URL "/.well-known/acme-challenge/.*"
            BackEnd
                Address 127.0.0.1
                Port 666
            End
        End

3.) Create a directory $DOCUMENT_ROOT/.well-known/acme-challenge/ that is
    writable for the user that will do the next step.

4.) Run

        certbot-auto certonly --email supp...@example.com \
            -d www.example.com -d example.com --agree-tos \
            --webroot --webroot-path /var/www/html/

    ("/var/www/html/" should be the document root.)

    You will get the first key/cert for the domains, usually in
    /etc/letsencrypt/. New directories will be created there, named after
    the domain that was provided with the first -d argument.

5.) Make the pem file that can be used with pound:

        cp /etc/letsencrypt/live/www.example.com/privkey.pem \
            /etc/pound/www.example.com.pem
        cat /etc/letsencrypt/live/www.example.com/fullchain.pem >> \
            /etc/pound/www.example.com.pem

6.) Add the new certificate in pound as usual with

        Cert "/etc/pound/www.example.com.pem"

Because Let's Encrypt certificates are only valid for 3 months, you should
set up a daily cronjob that does the renewal. We do this with

        certbot-auto renew --post-hook "/etc/init.d/pound restart"
        # or however you force pound to reload the certs
        # please notice that this is a "post-hook", so you will
        # load the certs that were renewed with the last run!

        # rebuild the pound pem file for every lineage certbot maintains
        for d in /etc/letsencrypt/live/*/ ; do
            i=$(basename "$d")
            cp "/etc/letsencrypt/live/$i/privkey.pem" "/etc/pound/$i.pem"
            cat "/etc/letsencrypt/live/$i/fullchain.pem" >> "/etc/pound/$i.pem"
        done

HTH

Regards
ritze

-- 
To unsubscribe send an email with subject unsubscribe to email@example.com.
Please contact ro...@apsis.ch for questions.
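As an added example (not part of ritze's mail or of the Pound/certbot projects): a POSIX sh script that builds the key-then-fullchain PEM Pound expects, keeps that file 0600 because it carries the private key, and can run as a certbot `--deploy-hook`, so the copy happens only for lineages that were actually renewed and before Pound is restarted, instead of one run late as with the post-hook above. Assumed: certbot's default /etc/letsencrypt/live layout, /etc/pound/<domain>.pem as in the mail, and a POUND_RELOAD_CMD variable that is my own naming.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes certbot's default
# /etc/letsencrypt/live/<domain>/ layout and /etc/pound/<domain>.pem output.
set -eu

# build_pound_pem LINEAGE_DIR OUT_FILE
# Writes privkey.pem followed by fullchain.pem (the order Pound wants) to
# OUT_FILE atomically, mode 0600, since the file contains the private key.
# Returns 1 without touching OUT_FILE if either input is missing.
build_pound_pem() {
    lineage=$1
    out=$2
    key="$lineage/privkey.pem"
    chain="$lineage/fullchain.pem"
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "build_pound_pem: missing $key or $chain" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    # umask in a subshell so the temp file is never readable by others
    ( umask 077; cat "$key" "$chain" > "$tmp" )
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# rebuild_all LIVE_DIR POUND_DIR
# The mail's for-loop, iterating directories directly instead of parsing ls.
rebuild_all() {
    live=$1
    pound=$2
    for lineage in "$live"/*/; do
        [ -d "$lineage" ] || continue
        name=$(basename "$lineage")
        build_pound_pem "$lineage" "$pound/$name.pem"
    done
}

# Deploy-hook entry point: certbot exports RENEWED_LINEAGE (the lineage dir)
# for each certificate it just renewed. POUND_RELOAD_CMD is an assumption of
# this example; the mail's restart command is the fallback.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pound_pem "$RENEWED_LINEAGE" \
        "/etc/pound/$(basename "$RENEWED_LINEAGE").pem"
    ${POUND_RELOAD_CMD:-/etc/init.d/pound restart}
fi
```

Install it as e.g. /etc/pound/deploy-hook.sh and run `certbot-auto renew --deploy-hook /etc/pound/deploy-hook.sh` from the daily cronjob; `rebuild_all /etc/letsencrypt/live /etc/pound` covers the one-time initial build from step 5.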