git.street.me.uk Git - andy/dehydrated.git/blame - docs/wellknown.md
Output date and time when performing --cron task.
# WELLKNOWN

With `http-01`-type verification (the default in this script; there is also support for [DNS-based verification](dns-verification.md)), Let's Encrypt (or the ACME protocol in general) checks that you are in control of a domain by accessing a verification file at a URL similar to `http://example.org/.well-known/acme-challenge/m4g1C-t0k3n`.
It will do that for any (sub-)domain you want to sign a certificate for.

At the moment you'll need to have that location available over normal HTTP on port 80 (a redirect to HTTPS will work, but the starting point is always HTTP!).

dehydrated has a config variable called `WELLKNOWN`, which corresponds to the directory that should be served under `/.well-known/acme-challenge` on your domain. So in the above example the token would have been saved as `$WELLKNOWN/m4g1C-t0k3n`.

If you only have one docroot on your server, you could simply set something like `WELLKNOWN=/var/www/.well-known/acme-challenge`. For anything else, look at the example below.

## Example Usage

If you have more than one docroot (or you are using your server as a reverse proxy / load balancer), the simple configuration mentioned above won't work, but this can be solved with just a few lines of web server configuration.

An example would be to create a directory `/var/www/dehydrated` and set `WELLKNOWN=/var/www/dehydrated` in the script's config.

You'll need to configure aliases on your web server:

### Nginx example config

With Nginx you'll need to add this to any of your `server`/VHost config blocks:

```nginx
server {
  # [...]
  location /.well-known/acme-challenge {
    alias /var/www/dehydrated;
  }
  # [...]
}
```

### Apache example config

With Apache just add this to your config and it should work in any VHost:

```apache
Alias /.well-known/acme-challenge /var/www/dehydrated

<Directory /var/www/dehydrated>
    Options None
    AllowOverride None

    # Apache 2.x
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>

    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Directory>
```

### Lighttpd example config

With Lighttpd just add this to your config and it should work in any VHost:

```lighttpd
# lighttpd loads modules by their full name, so the alias module is "mod_alias"
server.modules += ("mod_alias")
alias.url += (
  "/.well-known/acme-challenge/" => "/var/www/dehydrated/",
)
```
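
Whichever of the alias configurations above is in use, it is worth confirming before a certificate run that every domain really serves the `WELLKNOWN` directory over plain HTTP. The following is an added example, not part of dehydrated or its documentation; the function names `fetch_url` and `check_wellknown` and the probe file naming are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of dehydrated): confirm that the directory set as
# WELLKNOWN is what each domain serves under /.well-known/acme-challenge.

# fetch_url is a hypothetical helper name. -L follows redirects, because a
# redirect to HTTPS is acceptable as long as the request starts on port 80.
fetch_url() {
    curl -fsSL --max-time 10 "$1"
}

# Usage: check_wellknown "$WELLKNOWN" example.org www.example.org ...
# Returns 0 if every domain serves the probe, 1 if any fails, 2 if the
# probe cannot be written into the directory.
check_wellknown() {
    local dir name body domain got rc
    dir="$1"; shift
    rc=0
    # Random name so the probe cannot collide with a real challenge token.
    name="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    body="wellknown-check-${name}"
    printf '%s' "$body" > "${dir}/${name}" || return 2
    chmod 644 "${dir}/${name}"   # the web server user must be able to read it
    for domain in "$@"; do
        got=$(fetch_url "http://${domain}/.well-known/acme-challenge/${name}" 2>/dev/null) || got=""
        if [ "$got" = "$body" ]; then
            echo "OK   ${domain}"
        else
            echo "FAIL ${domain} (alias missing or pointing elsewhere)"
            rc=1
        fi
    done
    rm -f "${dir}/${name}"
    return "$rc"
}
```

Run it as the user that runs dehydrated, so that write permission on `WELLKNOWN` is tested as well as the web server alias.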