39 lines
1.3 KiB
Text
39 lines
1.3 KiB
Text
|
# /etc/acme-client.conf — Let's Encrypt via DNS-01 (Gandi)
|
||
|
|
#
|
||
|
|
# DNS-01 chosen because:
|
||
|
|
# - Doesn't expose port 80 to public during challenge
|
||
|
|
# - Allows wildcard certs (*.s8n.ru, *.veilor.uk)
|
||
|
|
# - Works behind WAF / restricted firewall
|
||
|
|
#
|
||
|
|
# Gandi LiveDNS API token in env var GANDI_TOKEN (set in rc.conf.local or
|
||
|
|
# pass via doas wrapper). Do NOT commit token to repo.
|
||
|
|
#
|
||
|
|
# Run: acme-client -v <domain>
|
||
|
|
# Auto-renew: weekly cron (see scripts/cert-renew-check.sh)
|
||
|
|
|
||
|
|
authority letsencrypt {
|
||
|
|
api url "https://acme-v02.api.letsencrypt.org/directory"
|
||
|
|
account key "/etc/acme/letsencrypt-privkey.pem"
|
||
|
|
}
|
||
|
|
|
||
|
|
# === s8n.ru wildcard ===
|
||
|
|
domain s8n.ru {
|
||
|
|
alternative names { "*.s8n.ru" "s8n.ru" }
|
||
|
|
domain key "/etc/ssl/private/s8n.ru.key"
|
||
|
|
domain certificate "/etc/ssl/s8n.ru.crt"
|
||
|
|
domain full chain certificate "/etc/ssl/s8n.ru.fullchain.pem"
|
||
|
|
sign with letsencrypt
|
||
|
|
challengedir "/var/www/acme"
|
||
|
|
# DNS-01 hook script: see scripts/gandi-dns-hook.sh
|
||
|
|
}
|
||
|
|
|
||
|
|
# === veilor.uk wildcard ===
|
||
|
|
domain veilor.uk {
|
||
|
|
alternative names { "*.veilor.uk" "veilor.uk" }
|
||
|
|
domain key "/etc/ssl/private/veilor.uk.key"
|
||
|
|
domain certificate "/etc/ssl/veilor.uk.crt"
|
||
|
|
domain full chain certificate "/etc/ssl/veilor.uk.fullchain.pem"
|
||
|
|
sign with letsencrypt
|
||
|
|
challengedir "/var/www/acme"
|
||
|
|
}
|