public_git
/
pikvm
mirror of https://github.com/pikvm/pikvm.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Docs - Let's Encrypt - Add ACME DNS Example (#851) 

* Add acme-dns-client instructions

* Added acmedns example

* Updated to bring indentation back for note

* Fixed spelling and formatting error
This commit is contained in:
Jeremy Combs 2022-11-13 09:22:21 -05:00 committed by GitHub
parent be8cd4c800
commit 1b5bce6b5f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 150 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
docs/letsencrypt.md
View File

@ -9,10 +9,10 @@ file system, special tools around Certbot are required to work with certificates
This feature is available on images as old as 2022.06.19 since it requires [PST storage partition on SD card](pst.md). This feature is available on images as old as 2022.06.19 since it requires [PST storage partition on SD card](pst.md).
Ports 80+443 need to be opened if you are port forwarding for this to work properly. Ports 80+443 need to be opened if you are port forwarding for this to work properly.
## Basic setup ## Basic setup
1. Update the OS and make sure that you are using a new image with [PST storage](pst.md). 1. Update the OS and make sure that you are using a new image with [PST storage](pst.md).
``` ```
# rw # rw
# pacman -Syu # pacman -Syu
@ -20,15 +20,18 @@ file system, special tools around Certbot are required to work with certificates
... ...
# kvmd-pstrun -- true # kvmd-pstrun -- true
``` ```
If the storage is not available, you need to [reflash the OS image](flashing_os.md) to the latest one from our official website. If the storage is not available, you need to [reflash the OS image](flashing_os.md) to the latest one from our official website.
2. Switch filesystem to RW and obtain the certificate (for example, `pikvm.example.com`. The method depends on the network configuration. In the simplest case, if PiKVM is open for access from the Internet, it is recommended to use the webroot. Another examples will be described below. 2. Switch filesystem to RW and obtain the certificate (for example, `pikvm.example.com`. The method depends on the network configuration. In the simplest case, if PiKVM is open for access from the Internet, it is recommended to use the webroot. Another examples will be described below.
``` ```
# rw # rw
# kvmd-certbot certonly_webroot --agree-tos -n --email user@example.com -d pikvm.example.com # kvmd-certbot certonly_webroot --agree-tos -n --email user@example.com -d pikvm.example.com
``` ```
3. Install the certificate for KVMD-Nginx and (optionally) [KVMD-VNC](vnc.md). Running services will be restarted/reloaded automatically. Switch filesystem to RO. 3. Install the certificate for KVMD-Nginx and (optionally) [KVMD-VNC](vnc.md). Running services will be restarted/reloaded automatically. Switch filesystem to RO.
``` ```
# kvmd-certbot install_nginx pikvm.example.com # kvmd-certbot install_nginx pikvm.example.com
# kvmd-certbot install_vnc pikvm.example.com # kvmd-certbot install_vnc pikvm.example.com
@ -36,6 +39,7 @@ file system, special tools around Certbot are required to work with certificates
``` ```
4. Check the renewal immediately, just for testing: 4. Check the renewal immediately, just for testing:
``` ```
# kvmd-certbot renew --force-renewal # kvmd-certbot renew --force-renewal
``` ```
@ -50,12 +54,14 @@ file system, special tools around Certbot are required to work with certificates
This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use Cloudflare DNS. This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use Cloudflare DNS.
1. Switch filesystem to RW and install the Cloudflare DNS plugin: 1. Switch filesystem to RW and install the Cloudflare DNS plugin:
``` ```
# rw # rw
# pacman -Syu certbot-dns-cloudflare # pacman -Syu certbot-dns-cloudflare
``` ```
2. Prepare the environment for the DNS plugin (place the auth data): 2. Prepare the environment for the DNS plugin (place the auth data):
``` ```
# kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot # kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot
# kvmd-pstrun -- nano /var/lib/kvmd/pst/data/certbot/runroot/.cloudflare.auth # kvmd-pstrun -- nano /var/lib/kvmd/pst/data/certbot/runroot/.cloudflare.auth
@ -63,6 +69,7 @@ This example shows that PiKVM may not be accessible from the internet, but you c
``` ```
3. Obtain the certificate: 3. Obtain the certificate:
``` ```
# kvmd-certbot certonly \ # kvmd-certbot certonly \
--dns-cloudflare \ --dns-cloudflare \
@ -76,12 +83,12 @@ This example shows that PiKVM may not be accessible from the internet, but you c
4. Next follow the basic guide. 4. Next follow the basic guide.
## Route53 DNS ## Route53 DNS
This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use AWS Route53 DNS. Make sure you are running an image newer than 2022.06.20 and kvmd version 3.119-1 or greater. This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use AWS Route53 DNS. Make sure you are running an image newer than 2022.06.20 and kvmd version 3.119-1 or greater.
1. Switch filesystem to RW and install the Route53 DNS plugin: 1. Switch filesystem to RW and install the Route53 DNS plugin:
``` ```
# rw # rw
# pacman -Syu certbot-dns-route53 # pacman -Syu certbot-dns-route53
@ -102,26 +109,18 @@ This example shows that PiKVM may not be accessible from the internet, but you c
"Statement": [ "Statement": [
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": ["route53:ListHostedZones", "route53:GetChange"],
"route53:ListHostedZones", "Resource": ["*"]
"route53:GetChange"
],
"Resource": [
"*"
]
}, },
{ {
"Effect" : "Allow", "Effect": "Allow",
"Action" : [ "Action": ["route53:ChangeResourceRecordSets"],
"route53:ChangeResourceRecordSets" "Resource": ["arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"]
],
"Resource" : [
"arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
]
} }
] ]
} }
``` ```
Make sure you replace YOURHOSTEDZONEID with the instance ID of your hosted zone. Make sure you replace YOURHOSTEDZONEID with the instance ID of your hosted zone.
Once the user is created dont forget to download and save your access key and secret access key (somewhere secure, these are as sensitive as your passwords). Once the user is created dont forget to download and save your access key and secret access key (somewhere secure, these are as sensitive as your passwords).
@ -129,14 +128,17 @@ This example shows that PiKVM may not be accessible from the internet, but you c
3. Setup credentials: 3. Setup credentials:
We now need to put the AWS credentials on the PiKVM so the certbot can use them. We now need to put the AWS credentials on the PiKVM so the certbot can use them.
``` ```
kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot
``` ```
Copy and paste your AWS credentials into the nano editor and save the file. Copy and paste your AWS credentials into the nano editor and save the file.
``` ```
# kvmd-pstrun -- nano /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth # kvmd-pstrun -- nano /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth
``` ```
Here is an example .route53.auth file. Replace the placeholders with the access key and secret access key that you just saved from AWS and fill them in. Here is an example .route53.auth file. Replace the placeholders with the access key and secret access key that you just saved from AWS and fill them in.
```ini ```ini
@ -146,11 +148,13 @@ This example shows that PiKVM may not be accessible from the internet, but you c
``` ```
Update permissions: Update permissions:
``` ```
# kvmd-pstrun -- chmod 600 /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth # kvmd-pstrun -- chmod 600 /var/lib/kvmd/pst/data/certbot/runroot/.route53.auth
``` ```
4. Obtain the certificate: 4. Obtain the certificate:
``` ```
# export AWS_SHARED_CREDENTIALS_FILE="/var/lib/kvmd/pst/data/certbot/runroot/.route53.auth" # export AWS_SHARED_CREDENTIALS_FILE="/var/lib/kvmd/pst/data/certbot/runroot/.route53.auth"
# kvmd-certbot certonly \ # kvmd-certbot certonly \
@ -161,18 +165,103 @@ This example shows that PiKVM may not be accessible from the internet, but you c
-d pikvm.example.com -d pikvm.example.com
``` ```
4. Enable automatic certificate renewal: 5. Enable automatic certificate renewal:
Create the file: `/etc/conf.d/kvmd-certbot` with the following contents so the renewall service can find the authentication file containing the AWS credentials: Create the file: `/etc/conf.d/kvmd-certbot` with the following contents so the renewall service can find the authentication file containing the AWS credentials:
``` ```
AWS_SHARED_CREDENTIALS_FILE="/var/lib/kvmd/pst/data/certbot/runroot/.route53.auth" AWS_SHARED_CREDENTIALS_FILE="/var/lib/kvmd/pst/data/certbot/runroot/.route53.auth"
``` ```
Now enable the renewal service: Now enable the renewal service:
``` ```
# systemctl enable --now kvmd-certbot.timer # systemctl enable --now kvmd-certbot.timer
``` ```
## ACME DNS
[ACME DNS](https://github.com/joohoi/acme-dns) is a _"Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely."_ The [acme-dns-client](https://github.com/acme-dns/acme-dns-client) works, in conjunction, with Certbot (**`kvmd-certbot`**) to enable **`DNS-01`** challenge support via ACME DNS.
These instructions are for how to install and use the **`acme-dns-client`** with ACME DNS for PiKVM.
Assumptions:
- ACME DNS is already set up and functioning in the environment
- ACME DNS Server is **`auth.example.org`**
- PiKVM Fully Qualified Domain Name (FQDN) is **`pikvm.example.org`**
- PiKVM is running on a supported Raspberry Pi using the [PiKVM OS](https://github.com/pikvm/os) (which is 32-bit as of the writing of this documentation)
- All configuration examples below are as user **`root`** via a terminal session to PiKVM
Not in Scope:
- Installation and Setup of ACME DNS Server
1. Ensure that Step 1 from [Basic Setup](https://docs.pikvm.org/letsencrypt/#basic-setup) has been completed
2. Visit the [Releases](https://github.com/acme-dns/acme-dns-client/releases) page to get the URL for the latest **`acme-dns-client`** release.
!!! note
PiKVM OS is 32-bit, which is **`linux_armv6`**.
3. Install **`acme-dns-client`**
The **`acme-dns-client`** is not distributed by **`pacman`** and is a manual installation. The steps below are for:
- Creating a folder for **`acme-dns-client`**
- Downloading and extracting the **`acme-dns-client`** TAR from Github
- Moving the **`acme-dns-client`** binary to the created folder
- Cleaning up files from the download
- Creating the necessary persistent symbolic link to allow **`acme-dns-client`** to be ran
- Initialize **`acme-dns-client`**
!!! note
Make sure to replace the URL below with the one gathered from Step 1. As of the writing of this documentation, the latest (and demonstrated) version is **v0.3**.
```sh
mkdir /etc/acmedns
curl -LO https://github.com/acme-dns/acme-dns-client/releases/download/v0.3/acme-dns-client_0.3_linux_armv6.tar.gz
tar -zxvf acme-dns-client_0.3_linux_armv6.tar.gz
mv acme-dns-client /etc/acmedns/acme-dns-client
ln -sf /etc/acmedns/acme-dns-client /usr/local/bin/acme-dns-client
rm LICENSE
rm README.md
rm acme-dns-client_0.3_linux_armv6.tar.gz
acme-dns-client
```
4. Register **`acme-dns-client`** with ACME DNS
!!! note
This is interactive, follow instructions for creating and verifying the appropriate `CNAME` record.
```sh
acme-dns-client register -d pikvm.example.org -s http://auth.example.org
```
Once registration is complete ownership of `clientstorage.json` must be changed to `kvmd-certbot`.
```sh
chown kvmd-certbot:kvmd-certbot /etc/acmedns/clientstorage.json
```
!!! note
If using `acme-dns-client` on an internal/private domain with an ACME compatible Certificate Authority do not forget to add `-ns <dns-server-ip>:<dns-server-port>` to `acme-dns-client register`
5. Register Certbot
```sh
kvmd-certbot register
```
6. Request Certificate via Certbot
```sh
kvmd-certbot certonly --manual --preferred-challenges dns --manual-auth-hook 'acme-dns-client' -d pikvm.example.org
```
!!! note
If using an ACME compatible Certificate Authority (other than Let's Encrypt) do not forget to add `--server https://ca.example.org/acme/acme/directory` to `kvmd-certbot`
7. Follow steps 3 through 5 under [Basic Setup](https://docs.pikvm.org/letsencrypt/#basic-setup) to complete setup and renewal of certificates
## Wireguard proxy ## Wireguard proxy
If you don't have public IP, and you don't want to put your API keys in PiKVM, If you don't have public IP, and you don't want to put your API keys in PiKVM,
@ -181,6 +270,7 @@ serve ACME challenges from a host they can reach from the Internet (e.g. VPS),
to which you'll connect over wireguard. to which you'll connect over wireguard.
The example assumes: The example assumes:
- FQDN of your pikvm is `pikvm1.int.example`; - FQDN of your pikvm is `pikvm1.int.example`;
- FQDN of the proxy VPS is `acme-proxy.example`; - FQDN of the proxy VPS is `acme-proxy.example`;
- public IP addresses of VPS are `198.51.100.1` and `2001:db8::1`; - public IP addresses of VPS are `198.51.100.1` and `2001:db8::1`;
@ -189,6 +279,7 @@ The example assumes:
1. Setup wireguard and ensure it's working. 1. Setup wireguard and ensure it's working.
2. Setup public DNS zone to point the domain address at the public VPS: 2. Setup public DNS zone to point the domain address at the public VPS:
```zone ```zone
acme-proxy.example. IN A 198.51.100.1 acme-proxy.example. IN A 198.51.100.1
acme-proxy.example. IN AAAA 2001:db8::1 acme-proxy.example. IN AAAA 2001:db8::1
@ -197,6 +288,7 @@ The example assumes:
3. On the public VPS, configure HTTP proxy to forward 3. On the public VPS, configure HTTP proxy to forward
`/.well-known/acme-challenge` to PiKVM. For example in nginx: `/.well-known/acme-challenge` to PiKVM. For example in nginx:
```nginx ```nginx
server { server {
listen 80; listen 80;