Managed to set up certificate renewal on my OpenWRT with some hacking.

root@OpenWrt-ER:/etc/uacme# cat uacme.sh
#!/bin/sh -x

## uacme wrapper
## set all the default arguments

# "$@" passes every argument through intact; an unquoted $@ is re-split on whitespace
uacme -a https://srv-acme.lan/acme/acme/directory -v -c /etc/uacme -t ec "$@"
root@OpenWrt-ER:/etc/uacme# cat owrt.sh
#!/bin/sh -x

# wrapper for uacme.sh, i.e. the issue/renewal hook
# needed because OWRT removed CHALLENGE_PATH from the upstream script?

# directory the web server exposes as /.well-known/acme-challenge/
export CHALLENGE_PATH="/www/.well-known/acme-challenge/"
/usr/share/uacme/uacme.sh "$@"

#openwrt #acme #uacme
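For comparison with the owrt.sh wrapper above, here is a minimal http-01 hook that honours CHALLENGE_PATH and checks the token before using it as a file name; this is an added example, not the OpenWrt package's script and not upstream uacme.sh. It assumes uacme's hook calling convention of five arguments (method, challenge type, identifier, token, key authorization) and takes the CHALLENGE_PATH default from the post.

```shell
#!/bin/sh
# Minimal http-01 hook for uacme (added example). uacme invokes the hook as:
#   hook METHOD TYPE IDENT TOKEN AUTH
# METHOD is "begin" or "done", TYPE the challenge type, IDENT the identifier,
# TOKEN the challenge token and AUTH the key authorization that must be served at
#   http://IDENT/.well-known/acme-challenge/TOKEN
# Exit status 0 tells uacme the challenge is ready.

# Same default as the OpenWrt wrapper in the post; override via the environment.
: "${CHALLENGE_PATH:=/www/.well-known/acme-challenge/}"

# The token is chosen by the ACME server. Accept only base64url characters so it
# can never act as a path component such as ".." when joined to CHALLENGE_PATH.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Writes the key authorization for "begin", removes it for "done"; returns 0 on success.
acme_http_hook() {
    method=$1
    type=$2
    token=$4
    auth=$5
    [ "$type" = "http-01" ] || return 1          # dns-01 / tls-alpn-01 are not handled here
    valid_token "$token" || return 1
    dir=${CHALLENGE_PATH%/}
    file="$dir/$token"
    case "$method" in
        begin)
            mkdir -p "$dir" || return 1
            umask 022                             # web server can read, nobody else can write
            printf '%s' "$auth" > "$file" || return 1
            ;;
        done)
            rm -f "$file"
            ;;
        *)
            return 1
            ;;
    esac
    return 0
}

# Dispatch only when invoked by uacme with its five arguments.
if [ "$#" -eq 5 ]; then
    acme_http_hook "$@"
fi
```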

Goal: Get some #letsencrypt certificate obtained with #uacme deployed on some #Windows box

Step 1: Ok, this probably works best with #Powershell (which I don't really like ...)

Step 2: There's no #FreeBSD port ... but hey, there's now a FreeBSD port of #dotnet, let's try to "just" build Powershell using that.

Step 3: Hell, why does it fail to build? Oh, System.Security.Cryptography.Native doesn't play well with #LibreSSL

Patch and retry, I guess I'll take some sleep now first. Bah!

(there's some irony in running into OpenSSL/LibreSSL issues when trying to deploy TLS certificates ...)

@jhx For writing some kind of "howto", I'll have to find a sane scope ... otherwise there would be just too much to describe I guess 😮

I could of course assume you already have

- network segmentation with a #DMZ
- a working "domain" setup with a directory and #DNS (e.g. #samba, but could be #OpenLDAP with #bind9 as well)
- (virtual) machines providing #RDP (with #xrdp in case of #Linux or #FreeBSD)
- a working mechanism to distribute X.509 #TLS #certificates (I request them from #letsencrypt using #uacme and distribute them with simple shell scripts using special-purpose restricted #SSH keys)

With all that in place, it would "just" be describing the setup of #guacamole in a #FreeBSD #jail, enabling #TLS on all connection paths...

Hello, looking for uacme's DNS hooks for deSEC; if you know any, please give the repo. Thanks!

#uacme #deSEC

GitHub - ndilieto/uacme: ACMEv2 client written in plain C with minimal dependencies
