Fixed formatting issues for ACME DNS (#873)

Jeremy Combs 2022-11-19 15:30:20 -05:00 committed by GitHub
parent df5388869b
commit 6716dc7ca1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 164 additions and 168 deletions


@ -9,7 +9,6 @@ file system, special tools around Certbot are required to work with certificates
This feature is available on images as old as 2022.06.19 since it requires [PST storage partition on SD card](pst.md). This feature is available on images as old as 2022.06.19 since it requires [PST storage partition on SD card](pst.md).
Ports 80+443 need to be opened if you are port forwarding for this to work properly. Ports 80+443 need to be opened if you are port forwarding for this to work properly.
## Basic setup ## Basic setup
1. Update the OS and make sure that you are using a new image with [PST storage](pst.md). 1. Update the OS and make sure that you are using a new image with [PST storage](pst.md).
@ -51,7 +50,6 @@ file system, special tools around Certbot are required to work with certificates
# systemctl enable --now kvmd-certbot.timer # systemctl enable --now kvmd-certbot.timer
``` ```
## Cloudflare DNS ## Cloudflare DNS
This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use Cloudflare DNS. This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use Cloudflare DNS.
@ -60,7 +58,7 @@ This example shows that PiKVM may not be accessible from the internet, but you c
``` ```
# rw # rw
# pacman -Syu certbot-dns-cloudflare # pacman -S certbot-dns-cloudflare
``` ```
2. Prepare the environment for the DNS plugin (place the auth data): 2. Prepare the environment for the DNS plugin (place the auth data):
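Review bot: changing `pacman -Syu certbot-dns-cloudflare` to `pacman -S certbot-dns-cloudflare` on the second line of the block installs the plugin without refreshing the sync database, so it only works reliably right after the "Update the OS" step of Basic setup; on a stale database `-S` can fail with a 404 for a package version the mirrors no longer carry. Suggest making that dependency explicit above the block, e.g. "Run step 1 of Basic setup (`pacman -Syu`) first", so readers who jump straight to this section do not hit that error.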
@ -86,7 +84,6 @@ This example shows that PiKVM may not be accessible from the internet, but you c
4. Next follow the basic guide. 4. Next follow the basic guide.
## Route53 DNS ## Route53 DNS
This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use AWS Route53 DNS. Make sure you are running an image newer than 2022.06.20 and kvmd version 3.119-1 or greater. This example shows that PiKVM may not be accessible from the internet, but you can still get a certificate if you use AWS Route53 DNS. Make sure you are running an image newer than 2022.06.20 and kvmd version 3.119-1 or greater.
@ -95,12 +92,11 @@ This example shows that PiKVM may not be accessible from the internet, but you c
``` ```
# rw # rw
# pacman -Syu certbot-dns-route53 # pacman -S certbot-dns-route53
``` ```
2. Configure Your AWS User 2. Configure Your AWS User
For the certbot_dns_route53 plugin to work it needs to be able to connect to AWS using an access key with the correct permissions.
For the `certbot_dns_route53` plugin to work it needs to be able to connect to AWS using an access key with the correct permissions.
To do this securely youll want to create a new AWS user that only has the necessary permissions it needs to work. To do this securely youll want to create a new AWS user that only has the necessary permissions it needs to work.
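Review bot: `youll` in the last context line should be `you'll`; since this hunk already rewrites the line just above it, this is the cheapest place to fix the typo. The `-Syu` to `-S` change on the `pacman` line carries the same caveat as the Cloudflare block: it assumes the database was synced by Basic setup step 1, so a one-line reminder of that prerequisite would help readers who start at this section.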
@ -135,7 +131,7 @@ This example shows that PiKVM may not be accessible from the internet, but you c
We now need to put the AWS credentials on the PiKVM so the certbot can use them. We now need to put the AWS credentials on the PiKVM so the certbot can use them.
``` ```
kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot # kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot
``` ```
Copy and paste your AWS credentials into the nano editor and save the file. Copy and paste your AWS credentials into the nano editor and save the file.
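Review bot: the `# ` prompt added to the `kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot` line makes the block consistent with the other code blocks on the page. Since the following context line has the reader write long-lived AWS credentials into a file on the PST partition via nano, this hunk is also a good place to add a sentence telling them to keep that file readable by `root` only, so the keys are not exposed to other local accounts.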
@ -184,31 +180,28 @@ This example shows that PiKVM may not be accessible from the internet, but you c
# systemctl enable --now kvmd-certbot.timer # systemctl enable --now kvmd-certbot.timer
``` ```
## ACME DNS ## ACME DNS
[ACME DNS](https://github.com/joohoi/acme-dns) is a _"Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely."_ The [acme-dns-client](https://github.com/acme-dns/acme-dns-client) works, in conjunction, with Certbot (**`kvmd-certbot`**) to enable **`DNS-01`** challenge support via ACME DNS. [ACME DNS](https://github.com/joohoi/acme-dns) is a _"Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely."_ The [acme-dns-client](https://github.com/acme-dns/acme-dns-client) works, in conjunction, with Certbot (**`kvmd-certbot`**) to enable **`DNS-01`** challenge support via ACME DNS.
These instructions are for how to install and use the **`acme-dns-client`** with ACME DNS for PiKVM. These instructions are for how to install and use the **`acme-dns-client`** with ACME DNS for PiKVM.
Assumptions: ### Assumptions
- ACME DNS is already set up and functioning in the environment - ACME DNS is already set up and functioning in the environment
- ACME DNS Server is **`auth.example.org`** - ACME DNS Server is **`auth.example.org`**
- PiKVM Fully Qualified Domain Name (FQDN) is **`pikvm.example.org`** - PiKVM Fully Qualified Domain Name (FQDN) is **`pikvm.example.org`**
- PiKVM is running on a supported Raspberry Pi using the [PiKVM OS](https://github.com/pikvm/os) (which is 32-bit as of the writing of this documentation) - PiKVM is running on a supported Raspberry Pi using the [PiKVM OS](https://github.com/pikvm/os) (which is 32-bit as of the writing of this documentation)
- All configuration examples below are as user **`root`** via a terminal session to PiKVM - All configuration examples below are as user **`root`** via a terminal session to PiKVM
Not in Scope: ### Not in Scope
- Installation and Setup of ACME DNS Server - Installation and Setup of ACME DNS Server
1. Ensure that Step 1 from [Basic Setup](https://docs.pikvm.org/letsencrypt/#basic-setup) has been completed. ### Instructions
2. Visit the [Releases](https://github.com/acme-dns/acme-dns-client/releases) page to get the URL for the latest **`acme-dns-client`** release.
!!! note
PiKVM OS is 32-bit, which is **`linux_armv6`**.
1. Ensure that Step 1 from [Basic Setup](https://docs.pikvm.org/letsencrypt/#basic-setup) has been completed
2. Visit the [Releases](https://github.com/acme-dns/acme-dns-client/releases) page to get the download URL for the latest **`acme-dns-client`** release (_PiKVM OS_ is 32-bit, which is **`linux_armv6`**)
3. Install **`acme-dns-client`** 3. Install **`acme-dns-client`**
The **`acme-dns-client`** is not distributed by **`pacman`** and is a manual installation. The steps below are for: The **`acme-dns-client`** is not distributed by **`pacman`** and is a manual installation. The steps below are for:
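Review bot: the new `### Assumptions`, `### Not in Scope` and `### Instructions` subheadings under `## ACME DNS` improve readability, but the same `### Assumptions` and `### Instructions` headings are introduced again under `## Wireguard proxy` in this commit, so MkDocs will emit suffixed anchors (`#assumptions`, `#assumptions_1`, ...) whose numbering depends on section order; if these are meant to be deep-linkable, consider section-specific names such as `### ACME DNS assumptions`. Folding the `!!! note` about `linux_armv6` into the parenthetical of step 2 is fine and keeps the platform hint next to the download instruction where it is needed.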
@ -221,7 +214,10 @@ Not in Scope:
- Initialize **`acme-dns-client`** - Initialize **`acme-dns-client`**
!!! note !!! note
Make sure to replace the URL below with the one gathered from Step 1. As of the writing of this documentation, the latest (and demonstrated) version is **v0.3**. Make sure to replace the URL below with the one gathered from Step 1.
As of the writing of this documentation:
- The latest (and demonstrated) version is **v0.3**
- (Demonstrated) Platform is **`linux-armv6`**
``` ```
# mkdir /etc/acmedns # mkdir /etc/acmedns
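Review bot: the note text `Make sure to replace the URL below with the one gathered from Step 1.` points at the wrong step: in the restructured list the download URL is obtained in step 2 (`Visit the Releases page ...`), while step 1 is the Basic Setup prerequisite, so this should read `Step 2`. Also, the new bullet `(Demonstrated) Platform is linux-armv6` uses a hyphen, whereas step 2 and the archive name `acme-dns-client_0.3_linux_armv6.tar.gz` use `linux_armv6`; use the underscore form so it matches the release asset name readers have to look for.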
@ -229,9 +225,7 @@ Not in Scope:
# tar -zxvf acme-dns-client_0.3_linux_armv6.tar.gz # tar -zxvf acme-dns-client_0.3_linux_armv6.tar.gz
# mv acme-dns-client /etc/acmedns/acme-dns-client # mv acme-dns-client /etc/acmedns/acme-dns-client
# ln -sf /etc/acmedns/acme-dns-client /usr/local/bin/acme-dns-client # ln -sf /etc/acmedns/acme-dns-client /usr/local/bin/acme-dns-client
# rm LICENSE # rm LICENSE README.md acme-dns-client_0.3_linux_armv6.tar.gz
# rm README.md
# rm acme-dns-client_0.3_linux_armv6.tar.gz
# acme-dns-client # acme-dns-client
``` ```
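Review bot: collapsing the three `rm` commands into `rm LICENSE README.md acme-dns-client_0.3_linux_armv6.tar.gz` is fine, but the block now hard-codes the version in two places (the `tar -zxvf` line and the `rm` line) while step 2 tells readers to fetch the latest release; a reminder above the block that both filenames must match the downloaded asset, or a single `VERSION=0.3` shell variable reused on both lines, would avoid a `No such file or directory` on the second command when a newer release is used.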
@ -270,7 +264,6 @@ Not in Scope:
7. Follow steps 3 through 5 under [Basic Setup](https://docs.pikvm.org/letsencrypt/#basic-setup) to complete setup and renewal of certificates 7. Follow steps 3 through 5 under [Basic Setup](https://docs.pikvm.org/letsencrypt/#basic-setup) to complete setup and renewal of certificates
## Wireguard proxy ## Wireguard proxy
If you don't have public IP, and you don't want to put your API keys in PiKVM, If you don't have public IP, and you don't want to put your API keys in PiKVM,
@ -278,13 +271,15 @@ you can forward HTTP traffic over wireguard. To Let's Encrypt you'll appear to
serve ACME challenges from a host they can reach from the Internet (e.g. VPS), serve ACME challenges from a host they can reach from the Internet (e.g. VPS),
to which you'll connect over wireguard. to which you'll connect over wireguard.
The example assumes: ### Assumptions
- FQDN of your pikvm is `pikvm1.int.example`; - FQDN of your pikvm is `pikvm1.int.example`;
- FQDN of the proxy VPS is `acme-proxy.example`; - FQDN of the proxy VPS is `acme-proxy.example`;
- public IP addresses of VPS are `198.51.100.1` and `2001:db8::1`; - public IP addresses of VPS are `198.51.100.1` and `2001:db8::1`;
- internal (wireguard) IPv4 address of the PiKVM is `10.11.12.13`. - internal (wireguard) IPv4 address of the PiKVM is `10.11.12.13`.
### Instructions
1. Setup wireguard and ensure it's working. 1. Setup wireguard and ensure it's working.
2. Setup public DNS zone to point the domain address at the public VPS: 2. Setup public DNS zone to point the domain address at the public VPS:
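Review bot: while this hunk is restructuring the list, the context lines `1. Setup wireguard and ensure it's working.` and `2. Setup public DNS zone ...` use the noun `Setup` where the imperative verb `Set up` is meant; worth correcting in the same change since the surrounding lines are already being touched.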
@ -295,7 +290,8 @@ The example assumes:
pikvm1.int.example. IN CNAME acme-proxy.example. pikvm1.int.example. IN CNAME acme-proxy.example.
``` ```
3. On the public VPS, configure HTTP proxy to forward `/.well-known/acme-challenge` to PiKVM. For example in nginx: 3. On the public VPS, configure HTTP proxy to forward
`/.well-known/acme-challenge` to PiKVM. For example in nginx:
```nginx ```nginx
server { server {
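Review bot: the re-wrap of step 3 places `` `/.well-known/acme-challenge` to PiKVM. For example in nginx: `` on an unindented continuation line inside a numbered list item; lazy continuation renders correctly, but the ```nginx fence that follows must be indented to the item's content column or the code block is rendered outside step 3 and closes the list. Indent the continuation line to match the item text and confirm the fence indentation, which this hunk cuts off before the closing fence.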