18 Stateless Mode

Andrea Cocito edited this page 2023-05-16 14:27:49 +02:00

Table of Contents

• Stateless Mode
• NGINX
• CADDY
• APACHE
• HAPROXY

Stateless Mode

Configure your webserver to respond statelessly to challenges for a given account key. This requires nothing more than a one-time web server configuration change and no "moving parts".

1. First get your account key thumbprint:

   root@ed:~# acme.sh --register-account
   [Mon Feb  6 21:40:18 CST 2017] Registering account
   [Mon Feb  6 21:40:19 CST 2017] Already registered
   [Mon Feb  6 21:40:21 CST 2017] Update success.
   [Mon Feb  6 21:40:21 CST 2017] ACCOUNT_THUMBPRINT='6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd'
   

   Remember the thumbprint in the last line: 6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd
2. Configure the web server to return the account key thumbprint:

   NGINX

   Add something similar to your nginx.conf:

   http {
   ...
     server {
     ...
       location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
         default_type text/plain;
         return 200 "$1.6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd";
       }
     ...
     }
   }
   

   CADDY

   Add something similar to your Caddyfile:

   example.com {
     @achallenge {
       path_regexp ch ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$
    }
    respond @achallenge "{re.ch.1}.6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd"
   

   APACHE

   Add something similar to your httpd.conf:

   LoadModule php7_module libexec/apache2/libphp7.so
   ...
   <VirtualHost *:80>
       ...
       <IfModule php7_module>
           AddType application/x-httpd-php .php
           AddType application/x-httpd-php-source .phps
           <IfModule dir_module>
               DirectoryIndex index.html index.php
           </IfModule>
       </IfModule>
       ...
       <Directory "/PATH/TO/WWW/ROOT/.well-known/acme-challenge/">
           RewriteEngine On
           RewriteRule "^[-_a-zA-Z0-9]+$" "index.php"
       </Directory>
       ...
   </VirtualHost>
   ...
   

   Then add /PATH/TO/WWW/ROOT/.well-known/acme-challenge/index.php:

   <?php
   header("Content-Type: text/plain");
   $token = array_pop(explode('/',$_SERVER['REQUEST_URI']));
   echo "$token.6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd";
   ?>
   

   NOTE that this approach uses PHP but something similar could be done with CGI, Perl, Ruby or pretty much any other server-side language.

   HAPROXY

   Add the http-request return rule to your configuration:

   global
       setenv ACCOUNT_THUMBPRINT '6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd'
       log stderr local0
       stats socket /var/run/haproxy.sock level admin mode 0666
   
   frontend web
       log global
       option httplog
       mode  http
       bind :80
       bind :443 ssl crt /etc/haproxy/certs/
       http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_reg '^/.well-known/acme-challenge/[-_a-zA-Z0-9]+$' }
   

3. Ok, you can issue cert now.

acme.sh --issue -d example.com  --stateless

Buy me a beer, Donate to acme.sh if it saves your time. Your donation makes acme.sh better: https://donate.acme.sh/

如果 acme.sh 帮你节省了时间,请考虑赏我一杯啤酒🍺, 捐助: https://donate.acme.sh/ 你的支持将会使得 acme.sh 越来越好. 感谢