Mini-HOWTO: uacme: automatically configure firewall for standalone http-01 challenge

I recently switched from acme.sh to uacme and noticed that the run-acme wrapper script doesn't automatically open port 80 on the firewall to answer the http-01 challenge. Here's what I did to set it up to do that.

Caveats:

  • I'm not going to cover setting up uacme. You should start with a setup that's working except that you had to manually add a firewall rule.
  • uacme does not bundle a web server the way acme.sh does, so you need to have uhttpd, nginx, etc. already running and already listening on port 80.
  • This setup will override an existing port forward for the duration of the ACME run, so if you normally have port 80 forwarded, that'll break briefly. (This could be confusing to visitors who don't expect to see LuCI!)

Add /etc/acme/user_setup.sh with contents:

#!/bin/sh

set -eu

# Let port 80 bypass any existing DNAT (port forward) so the router itself answers
iptables -t nat -I prerouting_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME
# Accept the connection in the input path
iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME

Add /etc/acme/user_cleanup.sh with contents:

#!/bin/sh

set -eu

# Remove the rules again; "|| true" keeps cleanup from failing if a rule is already gone
iptables -t nat -D prerouting_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME || true
iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment ACME || true

Make both scripts executable:

chmod +x /etc/acme/user_*.sh

Configure uacme to use them:

uci set acme.CERTNAME.user_setup=/etc/acme/user_setup.sh
uci set acme.CERTNAME.user_cleanup=/etc/acme/user_cleanup.sh

Test with /etc/init.d/acme start and watch the log with logread -f.
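One thing worth guarding against: the setup script above uses -I, so if a run aborts before user_cleanup fires (crash, reboot, killed job), the next run inserts a second copy of each rule, and a single -D in cleanup only removes one of them, leaving port 80 open to the world after the certificate is issued. The script below is an added example (my own, not part of run-acme or uacme) that makes both hooks idempotent: it checks with iptables -C before inserting and loops on -C/-D until every copy is gone. It assumes the same prerouting_rule / input_rule chains as the scripts above; the IPT variable, the acme_* function names and the setup|cleanup arguments are my own conventions.

```shell
#!/bin/sh
# Added example: idempotent setup/cleanup of the ACME firewall rules.
# Assumes OpenWrt's prerouting_rule (nat) and input_rule (filter) chains.
# IPT can be overridden (e.g. for testing with a fake iptables).

set -eu

IPT="${IPT:-iptables}"

# One "<table> <chain>" pair per line; both get the same match spec.
ACME_RULES='nat prerouting_rule
filter input_rule'
ACME_MATCH='-p tcp --dport 80 -j ACCEPT -m comment --comment ACME'

# acme_rule_present TABLE CHAIN: succeeds if the rule is already in the chain.
acme_rule_present() {
    # shellcheck disable=SC2086  # ACME_MATCH is meant to be word-split
    "$IPT" -t "$1" -C "$2" $ACME_MATCH 2>/dev/null
}

# Insert each rule exactly once, no matter how often this runs.
acme_setup() {
    printf '%s\n' "$ACME_RULES" | while read -r table chain; do
        if ! acme_rule_present "$table" "$chain"; then
            # shellcheck disable=SC2086
            "$IPT" -t "$table" -I "$chain" $ACME_MATCH
        fi
    done
}

# Delete every copy of each rule, including duplicates left by aborted runs.
acme_cleanup() {
    printf '%s\n' "$ACME_RULES" | while read -r table chain; do
        while acme_rule_present "$table" "$chain"; do
            # shellcheck disable=SC2086
            "$IPT" -t "$table" -D "$chain" $ACME_MATCH
        done
    done
}

case "${1:-}" in
    setup)   acme_setup ;;
    cleanup) acme_cleanup ;;
    "")      ;;  # no argument: only define the functions (sourced / tested)
    *)       echo "usage: $0 setup|cleanup" >&2; exit 2 ;;
esac
```

Save it as one file (say /etc/acme/acme-fw.sh, name assumed) and have the two configured hooks call it with the setup and cleanup arguments; I am assuming run-acme invokes the hook scripts without arguments, so user_setup.sh and user_cleanup.sh become one-line wrappers around it. Running acme-fw.sh cleanup by hand after a failed run is then always safe, and iptables -S input_rule | grep ACME should show nothing once the run is over.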