§ 2024-11-05, by ChatGPT

To use acme.sh in standalone mode with socat, you'll need to run acme.sh to request a certificate from a Certificate Authority (CA) like Let's Encrypt, while using socat to handle the HTTP challenge response over port 80. Here's a step-by-step guide to achieve this:

Test machine: mail.yushei.net, Ubuntu 22.04.5 LTS

alexlai@mail:~$ sudo adduser acmeuser
[sudo] password for alexlai: 
Adding user `acmeuser' ...
Adding new group `acmeuser' (1000) ...
Adding new user `acmeuser' (1000) with group `acmeuser' ...
Creating home directory `/home/acmeuser' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for acmeuser
Enter the new value, or press ENTER for the default
	Full Name []: acmeuser
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y
alexlai@mail:~$ sudo usermod -aG sudo acmeuser
alexlai@mail:~$ 
  1. Install acme.sh
acmeuser@mail:~$ mkdir build && cd $_
acmeuser@mail:~/build$ git clone --depth 1 https://github.com/acmesh-official/acme.sh.git

acmeuser@mail:~/build$ cd acme.sh/

acmeuser@mail:~/build/acme.sh$ ls -l
total 308
-rwxrwxr-x 1 acmeuser acmeuser 226005 Nov  5 14:40 acme.sh
drwxrwxr-x 2 acmeuser acmeuser   4096 Nov  5 14:40 deploy
drwxrwxr-x 2 acmeuser acmeuser   8192 Nov  5 14:40 dnsapi
-rw-rw-r-- 1 acmeuser acmeuser   1528 Nov  5 14:40 Dockerfile
-rw-rw-r-- 1 acmeuser acmeuser  35149 Nov  5 14:40 LICENSE.md
drwxrwxr-x 2 acmeuser acmeuser   4096 Nov  5 14:40 notify
-rw-rw-r-- 1 acmeuser acmeuser  22455 Nov  5 14:40 README.md

acmeuser@mail:~/build/acme.sh$ ./acme.sh --install --email alexlai@yushei.net 
[Tue Nov  5 02:44:21 PM CST 2024] Installing to /home/acmeuser/.acme.sh
[Tue Nov  5 02:44:21 PM CST 2024] Installed to /home/acmeuser/.acme.sh/acme.sh
[Tue Nov  5 02:44:21 PM CST 2024] Installing alias to '/home/acmeuser/.bashrc'
[Tue Nov  5 02:44:21 PM CST 2024] Close and reopen your terminal to start using acme.sh
[Tue Nov  5 02:44:21 PM CST 2024] Installing cron job
no crontab for acmeuser
no crontab for acmeuser
[Tue Nov  5 02:44:21 PM CST 2024] bash has been found. Changing the shebang to use bash as preferred.
[Tue Nov  5 02:44:23 PM CST 2024] OK

The installer appends . "/home/acmeuser/.acme.sh/acme.sh.env" to ~/.bashrc.

Re-login, or source ~/.bashrc:

acmeuser@mail:~/build/acme.sh$ source ~/.bashrc 
acmeuser@mail:~/build/acme.sh$ command -v acme.sh 
alias acme.sh='/home/acmeuser/.acme.sh/acme.sh'
  2. Install socat
acmeuser@mail:~/build/acme.sh$ sudo apt install socat

Firewall: Ensure that port 80 (HTTP) is open and not being used by another service like Apache or Nginx.

On the mail.yushei.net machine, stop nginx so that port 80 is free, then confirm nothing answers on it:

acmeuser@mail:~/build/acme.sh$ sudo systemctl stop nginx
acmeuser@mail:~/build/acme.sh$ curl localhost:80
curl: (7) Failed to connect to localhost port 80 after 0 ms: Connection refused
  3. Run acme.sh in standalone mode with socat

In standalone mode, acme.sh starts a temporary web server on port 80 to answer the HTTP-01 challenge; that server is implemented with socat, which is why socat has to be installed. A separate socat instance can also be used to forward port 80 to acme.sh when something else must own the port.

3.1. Start the ACME challenge server:

Does acme.sh use Let's Encrypt by default? No: current acme.sh releases default to ZeroSSL, so --server letsencrypt is passed explicitly.

acmeuser@mail:~/build/acme.sh$ acme.sh --issue --standalone -d munetaka.me --server letsencrypt
[Tue Nov  5 03:14:22 PM CST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Nov  5 03:14:22 PM CST 2024] Standalone mode.
[Tue Nov  5 03:14:22 PM CST 2024] Account key creation OK.
[Tue Nov  5 03:14:22 PM CST 2024] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Tue Nov  5 03:14:24 PM CST 2024] Registered
[Tue Nov  5 03:14:24 PM CST 2024] ACCOUNT_THUMBPRINT='cLXz0ZHFx6Osm0Akt6tueGjxNNNkEC_FNNXXBfgPbq8'
[Tue Nov  5 03:14:24 PM CST 2024] Creating domain key
[Tue Nov  5 03:14:24 PM CST 2024] The domain key is here: /home/acmeuser/.acme.sh/munetaka.me_ecc/munetaka.me.key
[Tue Nov  5 03:14:24 PM CST 2024] Single domain='munetaka.me'
[Tue Nov  5 03:14:26 PM CST 2024] Getting webroot for domain='munetaka.me'
[Tue Nov  5 03:14:26 PM CST 2024] Verifying: munetaka.me
[Tue Nov  5 03:14:26 PM CST 2024] Standalone mode server
[Tue Nov  5 03:14:26 PM CST 2024] socat: 2024/11/05 15:14:26 socat[42188] E bind(5, {AF=2 0.0.0.0:80}, 16): Permission denied
[Tue Nov  5 03:14:26 PM CST 2024] Can not listen for user: acmeuser
[Tue Nov  5 03:14:26 PM CST 2024] Maybe try with root again?
/home/acmeuser/.acme.sh/acme.sh: line 2568: kill: (42188) - No such process
[Tue Nov  5 03:14:26 PM CST 2024] Please add '--debug' or '--log' to see more information.
[Tue Nov  5 03:14:26 PM CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

This command asks acme.sh to issue a certificate for the domain (munetaka.me here; the generic guide uses yourdomain.com) in standalone mode. The run above failed because socat could not bind 0.0.0.0:80: an unprivileged user cannot bind ports below 1024, so either run the command as root (acme.sh's own hint, "Maybe try with root again?") or give the socat binary the cap_net_bind_service capability, which is less privilege than a root shell.
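The two things that went wrong or had to be checked by hand above (port 80 still in use, and the unprivileged user unable to bind it) can be checked before issuing. The script below is an added example, not part of acme.sh or of the original notes; it assumes the iproute2 `ss` and libcap `getcap` tools are installed, as they are on Ubuntu 22.04, and that socat is on PATH.

```shell
#!/bin/sh
# Pre-flight check before `acme.sh --issue --standalone` (added example, not part of acme.sh).
# Assumes iproute2 `ss` and libcap `getcap` are installed, as on Ubuntu 22.04.
set -u

# port_listening PORT SS_OUTPUT
# Returns 0 if SS_OUTPUT (the text of `ss -ltnH`) shows a listener on PORT.
port_listening() {
  port="$1"; ss_out="$2"
  # Column 4 of `ss -ltnH` is Local Address:Port, e.g. 0.0.0.0:80 or [::]:80;
  # compare the text after the last ':' so IPv6 brackets do not confuse the match.
  printf '%s\n' "$ss_out" |
    awk -v p="$port" '{ n = split($4, a, ":"); if (a[n] == p) found = 1 }
                      END { exit found ? 0 : 1 }'
}

# can_bind_privileged UID GETCAP_OUTPUT
# Returns 0 if the caller is root or socat carries cap_net_bind_service
# (GETCAP_OUTPUT is the text of `getcap "$(command -v socat)"`).
can_bind_privileged() {
  uid="$1"; getcap_out="$2"
  [ "$uid" -eq 0 ] && return 0
  case "$getcap_out" in
    *cap_net_bind_service*) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight: runs both checks against the live system and says what to fix.
preflight() {
  rc=0
  ss_out="$(ss -ltnH 2>/dev/null || true)"
  getcap_out="$(getcap "$(command -v socat)" 2>/dev/null || true)"
  if port_listening 80 "$ss_out"; then
    echo "port 80 is in use: stop the web server first (sudo systemctl stop nginx)" >&2
    rc=1
  fi
  if ! can_bind_privileged "$(id -u)" "$getcap_out"; then
    echo "$(id -un) cannot bind port 80: run acme.sh with sudo, or grant socat" >&2
    echo "cap_net_bind_service (then any local user can bind ports <1024 via socat):" >&2
    echo "  sudo setcap 'cap_net_bind_service=+ep' \"\$(command -v socat)\"" >&2
    rc=1
  fi
  return "$rc"
}

# Run the live check with:  sh preflight.sh check
if [ "${1:-}" = check ]; then
  preflight && echo "pre-flight OK: acme.sh --issue --standalone can bind port 80"
fi
```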

Forward HTTP traffic to acme.sh using socat:

If you put a separate socat forwarder in front of acme.sh, the two must not both bind port 80. Tell acme.sh to listen on another port with --httpport and let socat forward port 80 to it (the forwarder itself still needs root or cap_net_bind_service to bind port 80).

The socat command typically looks like this:

socat TCP-LISTEN:80,fork TCP:127.0.0.1:8080

This tells socat to listen on port 80 and forward each incoming connection to acme.sh's built-in HTTP server, which is started with acme.sh --issue --standalone --httpport 8080 -d yourdomain.com so that it listens locally on port 8080.

3.2. Complete the challenge

Once you've run both the acme.sh command and socat, acme.sh will automatically handle the challenge process. It will:

  1. Create the necessary challenge file (served under /.well-known/acme-challenge/).
  2. Use socat to forward incoming HTTP requests to the challenge server.
  3. Allow the Certificate Authority (like Let's Encrypt) to validate your ownership of the domain.

Once the challenge is successfully passed, acme.sh will issue your SSL certificate.

3.3. Retrieve and install the certificate

If the certificate request is successful, acme.sh will output the paths to the generated certificate files. You can use these files for your server configuration.

To list the certificates:

acme.sh --list

To install the certificate (for example, if you're using Nginx):

acme.sh --install-cert -d yourdomain.com \
  --key-file /path/to/keyfile \
  --fullchain-file /path/to/fullchainfile \
  --cert-file /path/to/certfile \
  --reloadcmd "systemctl reload nginx"

Summary of Commands:

Start acme.sh in standalone mode (listening on 8080, because the socat forwarder below owns port 80):

acme.sh --issue --standalone --httpport 8080 -d yourdomain.com

Use socat to forward HTTP traffic from port 80 to it:

socat TCP-LISTEN:80,fork TCP:127.0.0.1:8080

Once the challenge is completed successfully, install the certificate using:

acme.sh --install-cert -d yourdomain.com --key-file /path/to/keyfile --fullchain-file /path/to/fullchainfile --cert-file /path/to/certfile --reloadcmd "systemctl reload nginx"

That's it! Your SSL certificate should be issued and ready to use.

For munetaka.me the install step becomes the following (create /home/acmeuser/certs first and keep it readable only by acmeuser, since the private key is copied there):

acme.sh --install-cert -d munetaka.me \
  --key-file /home/acmeuser/certs/keyfile \
  --fullchain-file /home/acmeuser/certs/fullchainfile \
  --cert-file /home/acmeuser/certs/certfile