====== Certificates ======

Most everything makes use of [[https://github.com/acmesh-official/acme.sh|ACME.sh]], with auto-renewing certificates from LetsEncrypt and Cloudflare domain verification.


<WRAP center round tip 60%>
[[https://CRT.sh|CRT.sh]] is a good resource for viewing certificates issued for a domain
</WRAP>

----

===== Deploying a Cert with ACME.sh =====
==== Cloudflare DNS verification ====
1. Set environment variables
<code bash>
export CF_Token="pybhqsynervfirelpbby"
export CF_Account_ID="pybhqsynervfirelpbby"
export CF_Zone_ID="pybhqsynervfirelpbby"
</code>
2. Generate cert
<code bash>
acme.sh --issue --dns dns_cf -d example.com
</code>

==== Webroot Verification ====
<code bash>
acme.sh --issue -d example.com -w /var/www/example.com/
</code>

==== ACME.sh Deployment ====
<code bash>
export DOMAIN=example.com

# 1. Create Certificate Path
mkdir -p /etc/nginx/acme.sh/${DOMAIN}/

# 2. Tell acme.sh about it
acme.sh --install-cert -d ${DOMAIN} \
--cert-file /etc/nginx/acme.sh/${DOMAIN}/cert \
--key-file /etc/nginx/acme.sh/${DOMAIN}/key \
--fullchain-file /etc/nginx/acme.sh/${DOMAIN}/fullchain \
--reloadcmd "systemctl reload nginx.service"
</code>

Then in NGINX config...
<code>
ssl_certificate /etc/nginx/acme.sh/example.com/fullchain;
ssl_certificate_key /etc/nginx/acme.sh/example.com/key;
</code>