I recently switched from acme.sh to uacme and noticed that the run-acme wrapper script doesn't automatically open port 80 on the firewall to answer the http-01 challenge. Here's what I did to set it up to do that.
Caveats:

- I'm not going to cover setting up uacme. You should start with a setup that's working except that you had to manually add a firewall rule.
- uacme does not bundle a web server the way acme.sh does, so you'll have to have uhttpd, nginx, etc. already running and already listening on port 80.
- This setup will override an existing port forward for the duration of the ACME run, so if you normally have port 80 forwarded, that'll break briefly. (This could be confusing to visitors who don't expect to see LuCI!)
Add /etc/acme/user_setup.sh with contents:

#!/bin/sh
set -eu
# Insert at the top of the OpenWrt user chains so the ACME rules win over
# any existing port forward (nat) and the default WAN input policy (filter).
# The ACME comment tags the rules so the cleanup script can find them.
iptables -t nat -I prerouting_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME
iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME
Add /etc/acme/user_cleanup.sh with contents:

#!/bin/sh
set -eu
# Remove exactly the rules added by user_setup.sh; "|| true" keeps the
# cleanup from aborting if a rule is already gone.
iptables -t nat -D prerouting_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME || true
iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME || true
Make both scripts executable:
chmod +x /etc/acme/user_*.sh
Configure uacme to use them:
uci set acme.CERTNAME.user_setup=/etc/acme/user_setup.sh
uci set acme.CERTNAME.user_cleanup=/etc/acme/user_cleanup.sh
Test with /etc/init.d/acme start and watch the log: logread -f
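One thing worth checking after the run is that no ACME-tagged rules were left behind: "iptables -D" removes a single rule, so if an earlier run died between setup and cleanup (or setup ran twice), a copy of the rule stays in place and port 80 remains open. The script below is an added example, not part of uacme or of the post above; it walks iptables-save output, tracks the table from the "*nat" / "*filter" headers, and emits one delete command per rule carrying the ACME comment, so it can serve as a more thorough user_cleanup.sh. The sample iptables-save text is constructed for illustration.

```sh
#!/bin/sh
set -eu

# Constructed sample of iptables-save output after two setup runs without a
# cleanup in between (duplicate nat rule), plus an unrelated tagged rule.
ACME_SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
-A prerouting_rule -p tcp -m tcp --dport 80 -m comment --comment ACME -j ACCEPT
-A prerouting_rule -p tcp -m tcp --dport 80 -m comment --comment ACME -j ACCEPT
COMMIT
*filter
-A input_rule -p tcp -m tcp --dport 80 -m comment --comment ACME -j ACCEPT
-A input_rule -p tcp -m tcp --dport 22 -m comment --comment "ssh from lan" -j ACCEPT
COMMIT'

# acme_delete_cmds: read iptables-save output on stdin, print one
# "iptables -t TABLE -D ..." line for every rule whose comment is exactly
# ACME (newer iptables versions quote the comment, hence the optional quotes).
acme_delete_cmds() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A / && / --comment "?ACME"?( |$)/ {
            sub(/^-A /, "")
            print "iptables -t " table " -D " $0
        }
    '
}

# acme_rules_left: count ACME-tagged rules in iptables-save output on stdin;
# after a successful cleanup this should be 0.
acme_rules_left() {
    acme_delete_cmds | wc -l | tr -d ' '
}

# acme_cleanup: delete every ACME-tagged rule currently loaded. Safe to run
# repeatedly; each generated command targets a rule that exists right now.
acme_cleanup() {
    iptables-save | acme_delete_cmds | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Demonstration on the constructed sample (no iptables needed):
printf '%s\n' "$ACME_SAMPLE_SAVE" | acme_delete_cmds
```

Replacing the body of user_cleanup.sh with a call to acme_cleanup (and dropping the demo line) makes the cleanup idempotent; running "iptables-save | acme_rules_left" afterwards should print 0.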