ref: 219adab457cc20136d521e0f608596c4ac5c61fe
parent: 6cdf152f5e4659e53dbe10ecac1872ff5adaf9e5
author: sl <sl@stanleylieber.com>
date: Sun Nov 28 18:47:38 EST 2021
fqa7.ms: update 7.9.1 - ACME Protocol
--- a/fqa7.ms
+++ b/fqa7.ms
@@ -1939,36 +1939,52 @@
The following prepares an identity and certificate signing request, so that a certificate can be requested via the ACME protocol.
.ihtml a <a href="https://letsencrypt.org">
-Letsencrypt
+Letsencrypt,
.ihtml a
-is a popular ACME provider.
+a popular ACME provider, is the default.
.P1
-auth/rsagen -t 'service=acme role=sign hash=sha256 acct=a@b.org'\\
- >acct.key
-auth/rsa2jwk acct.key >/sys/lib/tls/acmed/me@example.org.pub
-auth/rsagen -t 'service=tls owner=*' >/sys/lib/tls/key
-auth/rsa2csr 'CN=fakedom.com' /sys/lib/tls/key \\
- >/sys/lib/tls/acmed/fakedom.com.csr} \\
+ramfs -p
+cd /tmp
+auth/rsagen -t 'service=acme role=sign hash=sha256 acct=user@domain.com'\\
+ >user@domain.key
+auth/rsa2jwk user@domain.key >/sys/lib/tls/acmed/user@domain.com.pub
+cat user@domain.key > /mnt/factotum/ctl
+auth/rsagen -t 'service=tls owner=*' >/sys/lib/tls/acmed/domain.com.key
+chmod 600 user@domain.key domain.com.key
+cp user@domain.key domain.com.key /sys/lib/tls/acmed/
+auth/rsa2csr 'CN=domain.com' /sys/lib/tls/domain.com.key \\
+ >/sys/lib/tls/acmed/domain.com.csr} \\
.P2
+Note: Multi-domain certificates can be created with the notation
+.CW
+CN=domain1.com,domain2.com
+.R
+
The following uses the CSR from above, and fetches a newly signed certificate:
.P1
-auth/acmed me@example.com fakedom.com.csr \\
- >fakedom.com.crt
+auth/acmed -o /path/to/.well-known/acme-challenge user@domain.com \\
+ /sys/lib/tls/acmed/domain.com.csr >/sys/lib/tls/acmed/domain.com.crt
.P2
This requires the output directory (by default, /usr/web/.well-known/acme-challenge) to be served over
-http. It must appear as a directory available at
+HTTP. It must appear as a directory available at
.P1
-http://fakedom.com/.well/known/acme-challenge
+http://domain.com/.well-known/acme-challenge
.P2
containing the challenge files generated by
.CW auth/acmed .
+Note: If multi-domain, you may use the same
+.CW
+.well-known/acme-challenge
+.R
+disk directory to handle challenges for all domains by arranging for the webserver to bind the correct directory over a dummy directory under each domain.
+
Alternatively, the challenges can be completed using DNS.
This requires your ndb to include the ndb snippet generated by
.CW auth/acmed :
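Review bot: the key paths in this hunk do not agree with each other. `auth/rsagen -t 'service=tls owner=*' >/sys/lib/tls/acmed/domain.com.key` writes the TLS key straight into the final directory, yet the next two lines, `chmod 600 user@domain.key domain.com.key` and `cp user@domain.key domain.com.key /sys/lib/tls/acmed/`, expect `domain.com.key` in the current directory `/tmp`, and `auth/rsa2csr 'CN=domain.com' /sys/lib/tls/domain.com.key` reads it from a third location that nothing in the recipe creates. Redirecting rsagen to `>domain.com.key` and pointing rsa2csr at `/sys/lib/tls/acmed/domain.com.key` makes the sequence consistent with the `ramfs -p` / `cd /tmp` setup and the chmod-then-copy step. The stray `}` and the dangling `\\` at the end of `>/sys/lib/tls/acmed/domain.com.csr} \\` are carried over from the old text and should go while the block is being rewritten. Finally, `cat user@domain.key > /mnt/factotum/ctl` uses `>` here while the boot-time line later in the same file uses `>>`; pick one form for both so readers do not wonder whether the difference matters.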
@@ -1978,6 +1994,27 @@
...
file=/lib/ndb/dnschallenge
.P2
+
+To load the key into the server's
+.CW factotum
+at boot time, add the following line to
+.CW /cfg/$sysname/cpustart :
+.P1
+cat /sys/lib/tls/acmed/domain.com.key >>/mnt/factotum/ctl
+.P2
+
+Note: When using Letsencrypt, it is advisable to troubleshoot by running
+.CW acmed
+with the
+.CW -d
+and
+.CW
+-p https://acme-staging-v02.api.letsencrypt.org/directory
+.R
+flags to enable more verbose output and to avoid Letsencrypt's request throttling.
+Once things are working, remember to remove the
+.CW -p
+flag and run again to generate your final certificate.
Read:
.ihtml a <a href="http://man.9front.org/8/acmed">
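Review bot: `Read:` now follows the troubleshooting note with no paragraph break, so in the rendered ms output it runs on from `... and run again to generate your final certificate.`; insert a blank line before `Read:`, as this hunk does after the other new paragraphs. The boot-time line `cat /sys/lib/tls/acmed/domain.com.key >>/mnt/factotum/ctl` loads only the TLS server key, but the sentence above it says "the key"; name it explicitly (the TLS key, not the ACME account key `user@domain.key` loaded earlier) so readers do not load the account key into the server's factotum as well. In the staging note, it is worth stating that a certificate obtained with `-p https://acme-staging-v02.api.letsencrypt.org/directory` is signed by Letsencrypt's staging CA and is not trusted by clients, which is why the final run without `-p` is required rather than merely something to remember.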
--
⑨