Automatic TLS certificate renewal using acme.sh
This feature builds further on #23, by adding the functionality to work with acme.sh to automatically renew a TLS certificate to be used for WebStats HTTPS support. The reason to implement this in WebStats and not in a third-party plugin is just for convenience: I don't really want people to need to install a separate plugin to enable full automatic no-hassle HTTPS support.
Note to readers: I don't actually know if this will work this way because I have not tested it yet.
To do this, a new command along the lines of /webstats renew-certificate will be added. Either the user can set up a recurring task with their server software to run this command, or WebStats could provide a way to run this command periodically.
Renewal command behaviour
1. Install
- No acme.sh in plugin directory yet (first use):
  - Download latest acme.sh to plugin directory
  - Install(?) with
    acme.sh --install-online --home "<full/path/to/plugin_dir/acme>" --no-cron --no-profile --email "<email>"
    (see advanced installation resource)
- acme.sh already present:
  - Update with
    acme.sh --upgrade --home "<full/path/to/plugin_dir/acme>"
    (see acme.sh repository resource)
2. Issue or renew certificate
- No certificate yet:
  - Issue a new certificate:
    acme.sh --home "<plugin_dir/acme>" --issue --dns dns_duckdns -d mydomain.duckdns.org -d *.mydomain.duckdns.org
    (see DuckDNS API resource)
- Certificate present already:
  - Renew certificate:
    acme.sh --renew -d example.com --force
    (see acme.sh repository resource)
3. Convert certificate file
If the renewal was successful, we probably need to convert the generated files into a usable format with
acme.sh --toPkcs -d <domain> [--password pfx-password]
(see acme.sh repository resource)
TODO: find out whether this is necessary.
4. Restart WebStats
Restart WebStats when the acme.sh shell script has finished running.
Maybe: read the script's output to detect whether certificate renewal was successful, and display any errors in the server's console. TODO: figure out the output format of acme.sh
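A sketch of how the four steps above could be chained by the renew-certificate command, written as an added shell example rather than WebStats or acme.sh code. It assumes acme.sh is fetched from its raw GitHub URL, that issued certificates end up under <home>/<domain> or <home>/<domain>_ecc, and that DuckDNS_Token is exported for the dns_duckdns hook.

```shell
#!/bin/sh
# Hypothetical implementation of the renewal flow (added example, not WebStats code).
# Assumptions: acme.sh is fetched from its raw GitHub URL, issued certificates live
# under <home>/<domain> or <home>/<domain>_ecc, and the dns_duckdns hook reads the
# DuckDNS_Token environment variable. Set DRY_RUN=1 to print commands instead of running them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# webstats_renew <plugin_dir> <domain> <email> <pfx_password>
# Exit status 0 means every step succeeded and WebStats may be restarted.
webstats_renew() {
  plugin_dir=$1
  domain=$2
  email=$3
  pfx_password=$4
  home="$plugin_dir/acme"
  acme="$home/acme.sh"
  bootstrap="$plugin_dir/acme.sh"
  mkdir -p "$home"

  # 1. Install on first use (no cron, no profile edits), otherwise update the existing copy.
  if [ ! -x "$acme" ]; then
    run curl -fsSL "https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh" -o "$bootstrap" || return 1
    run chmod 0755 "$bootstrap" || return 1
    run "$bootstrap" --install-online --home "$home" --no-cron --no-profile --email "$email" || return 1
  else
    run "$acme" --upgrade --home "$home" || return 1
  fi

  # 2. Renew if a certificate for this domain already exists, else issue one.
  #    --home is passed every time so acme.sh never falls back to ~/.acme.sh.
  if [ -f "$home/$domain/$domain.cer" ] || [ -f "$home/${domain}_ecc/$domain.cer" ]; then
    run "$acme" --home "$home" --renew -d "$domain" --force || return 1
  else
    run "$acme" --home "$home" --issue --dns dns_duckdns -d "$domain" -d "*.$domain" || return 1
  fi

  # 3. Export a PKCS#12 bundle, the format a Java keystore can load.
  run "$acme" --home "$home" --toPkcs -d "$domain" --password "$pfx_password" || return 1

  # 4. The caller restarts WebStats only when we return 0.
  return 0
}
```

Checking each step's exit status and stopping on the first failure avoids restarting the server with a half-written keystore.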
Config file
Something along these lines:
  https: # already present
    # ...
    # The domain name to issue a TLS certificate for
    domain: mydomain.duckdns.org
    # The email address for Let's Encrypt
    email: <email>
Resources
- acme.sh repository: https://github.com/acmesh-official/acme.sh
- Advanced installation: https://github.com/acmesh-official/acme.sh/wiki/How-to-install#4-advanced-installation
  - Set --home to a subdirectory of the WebStats plugin directory
  - Set --accountemail to something specified in the plugin's config file
  - Disable cron with --no-cron (we will let acme.sh renew when we ask it to; this way there is no uninstallation necessary)
  - Disable the ~/.bashrc profile entry with --no-profile (we don't need to add a shell alias)
- Using DuckDNS API with acme.sh: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_duckdns
  - It would be nice if WebStats could support any target that acme.sh understands, though
- DuckDNS API: https://www.duckdns.org/spec.jsp