/acme-redirect

Tiny http daemon that answers acme challenges and redirects everything else to https

Primary LanguageRustGNU General Public License v3.0GPL-3.0

acme-redirect(1)

A tiny http daemon that answers acme challenges and redirects everything else to https.

A minimal configuration looks like this:

# cat /etc/acme-redirect.d/example.com.conf
[cert]
name = "example.com"
dns_names = [
    "example.com",
    "www.example.com",
]
exec = [
    "systemctl reload nginx",
]

You don't need to edit anything else. Start the acme-redirect daemon:

systemctl enable --now acme-redirect

Ensure the service is running correctly and the redirect works as expected. Ensure your A and AAAA records point to the right server and check everything is working correctly by fetching a random proof from our local daemon.

acme-redirect check

If OK is displayed for every name you can request a real certificates:

acme-redirect renew

If this succeeded you should setup automatic renew:

systemctl enable --now acme-redirect-renew.timer

The certificate is located here:

/var/lib/acme-redirect/live/example.com/fullchain
/var/lib/acme-redirect/live/example.com/privkey

Example configuration looks like this:

nginx

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /var/lib/acme-redirect/live/example.com/fullchain;
    ssl_certificate_key /var/lib/acme-redirect/live/example.com/privkey;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /var/lib/acme-redirect/live/example.com/chain;
    resolver 127.0.0.1;

    # ...
}

apache

<VirtualHost *:443>
    SSLEngine on

    SSLCertificateFile /var/lib/acme-redirect/live/example.com/fullchain
    SSLCertificateKeyFile /var/lib/acme-redirect/live/example.com/privkey

    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

lighttpd

server.modules += ("mod_openssl")
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.privkey= "/var/lib/acme-redirect/live/example.com/privkey"
    ssl.pemfile= "/var/lib/acme-redirect/live/example.com/fullchain"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
    #ssl.ca-file= "/var/lib/acme-redirect/live/example.com/chain" # (needed in $SERVER["socket"] before lighttpd 1.4.56 if ssl.pemfile in $HTTP["host"])
}

Installation

Packaging status

Arch Linux

pacman -S acme-redirect

Debian based

Currently supported: bookworm

apt install debian-keyring
gpg --export --keyring /usr/share/keyrings/debian-maintainers.gpg git@rxv.cc | tee /etc/apt/trusted.gpg.d/apt-vulns-xyz.gpg > /dev/null
echo deb https://apt.vulns.xyz stable main >> /etc/apt/sources.list.d/apt-vulns-xyz.list
apt update && apt install acme-redirect

Build from source

git clone https://github.com/kpcyrd/acme-redirect.git
cd acme-redirect/
cargo build --release

install -Dm 755 -t /usr/bin \
    target/release/acme-redirect

install -Dm 644 contrib/confs/acme-redirect.conf -t /etc
install -Dm 644 contrib/confs/certs.d/example.com.conf /etc/acme-redirect.d/example.com.conf.sample

install -Dm 644 -t /etc/systemd/system \
    contrib/systemd/acme-redirect-renew.service \
    contrib/systemd/acme-redirect-renew.timer \
    contrib/systemd/acme-redirect.service
install -Dm 644 contrib/systemd/acme-redirect.sysusers /etc/sysusers.d/acme-redirect.conf
install -Dm 644 contrib/systemd/acme-redirect.tmpfiles /etc/tmpfiles.d/acme-redirect.conf

sudo systemd-sysusers
sudo systemd-tmpfiles --create

Status

I'm using this in production since summer 2020 (northern hemisphere, around May).

Development

mkdir -vp tmp/challs
export ACME_CONFIG="$PWD/contrib/confs/acme-redirect.conf"
export ACME_CONFIG_DIR="$PWD/contrib/confs/certs.d/"
export ACME_CHALL_DIR="$PWD/tmp/"
export ACME_DATA_DIR="$PWD/tmp/"

cargo run -- status
cargo run -- daemon -B '[::]:8080' -v

boxxy

acme-redirect uses setuid and chroot to drop privileges before accepting requests. This can be inspected with boxxy.

mkdir -vp tmp/web
sudo chown root. tmp/web
cargo build --examples
(cd tmp/web && sudo ../../target/debug/examples/boxxy)

License

GPLv3+