Inhaltsverzeichnis
ACME integracija
Složenost: Srednja
Trajanje: 1-2 sata postavljanja
Preduvjet: Pristup DNS/HTTP izazovu
Integracija ACME protokola (RFC 8555) za automatsku obnovu certifikata s Post-Quantum podrškom.
Arhitektura
sequenceDiagram
participant Client as ACME klijent
participant CA as ACME CA
participant DNS as DNS/HTTP Server
participant App as Aplikacija
Client->>CA: 1. Stvaranje računa
Client->>CA: 2. Stvaranje narudžbe (CSR)
CA->>Client: 3. Izazov (DNS-01/HTTP-01)
Client->>DNS: 4. Ispunjenje izazova
CA->>DNS: 5. Validacija izazova
CA->>Client: 6. Izdavanje certifikata
Client->>App: 7. Deploy certifikata
Client->>App: 8. Ponovno učitavanje servisa
Instalacija Certbota
# Debian/Ubuntu apt update && apt install certbot python3-certbot-nginx # RHEL/CentOS dnf install certbot python3-certbot-nginx # S DNS pluginom (Cloudflare) apt install python3-certbot-dns-cloudflare
HTTP-01 izazov
Za javno dostupne web servere:
# Nginx certbot --nginx -d example.com -d www.example.com # Apache certbot --apache -d example.com -d www.example.com # Samostalno (Port 80 slobodan) certbot certonly --standalone -d example.com # Webroot (postojeći server) certbot certonly --webroot -w /var/www/html -d example.com
Auto-Renewal Cron:
# Automatski aktivirano pri instalaciji certbota # Ručna provjera: systemctl status certbot.timer # Ručno testiranje certbot renew --dry-run
DNS-01 izazov
Za interne servere ili wildcards:
Cloudflare
# /etc/letsencrypt/cloudflare.ini dns_cloudflare_api_token = YOUR_API_TOKEN
chmod 600 /etc/letsencrypt/cloudflare.ini certbot certonly \ --dns-cloudflare \ --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \ -d example.com \ -d "*.example.com"
Route53 (AWS)
# AWS vjerodajnice u ~/.aws/credentials certbot certonly \ --dns-route53 \ -d example.com \ -d "*.example.com"
Azure DNS
# S certbot-dns-azure pluginom pip install certbot-dns-azure certbot certonly \ --authenticator dns-azure \ --dns-azure-credentials /etc/letsencrypt/azure.ini \ -d example.com
Deployment Hooks
Hooks se izvršavaju nakon uspješne obnove.
Nginx Reload
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh #!/bin/bash systemctl reload nginx echo "$(date): Nginx reloaded" >> /var/log/certbot-deploy.log
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Apache Reload
# /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh #!/bin/bash systemctl reload apache2
Docker Container
# /etc/letsencrypt/renewal-hooks/deploy/docker-reload.sh #!/bin/bash docker exec nginx nginx -s reload # ili docker-compose restart nginx
Obavijest
# /etc/letsencrypt/renewal-hooks/post/notify.sh #!/bin/bash DOMAINS=$(echo $RENEWED_DOMAINS | tr ' ' '\n') echo "Obnovljeno: $DOMAINS" | mail -s "Certifikat obnovljen" admin@example.com
Privatna ACME CA (Step-CA)
Za internu PKI s ACME podrškom:
# Instalacija Step-CA wget https://github.com/smallstep/certificates/releases/download/v0.25.0/step-ca_0.25.0_amd64.deb dpkg -i step-ca_0.25.0_amd64.deb # Inicijalizacija CA step ca init --name="Internal CA" --dns=ca.internal.example.com --address=:443
Dodavanje ACME Provisionera:
step ca provisioner add acme --type ACME
Certbot s privatnom CA:
certbot certonly \
--server https://ca.internal.example.com/acme/acme/directory \
--standalone \
-d internal-server.example.com
Post-Quantum napomena
Stanje 2024: ACME protokol i Let's Encrypt još ne podržavaju PQ potpise.
Hibridna strategija:
# 1. ACME certifikat za TLS handshake (ECDSA) certbot certonly --nginx -d example.com # 2. Dodatni PQ certifikat za hibridni način # (paralelno putem vlastite PKI s WvdS)
// C#: Stvaranje hibridnog certifikata paralelno using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384); var request = new CertificateRequest( "CN=example.com", ecdsa, HashAlgorithmName.SHA384); // S PQ ekstenzijom za klijente spremne za budućnost var cert = request.CreateSelfSigned( DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(90), CryptoMode.Hybrid);
Nadzor
# Certbot logovi tail -f /var/log/letsencrypt/letsencrypt.log # Provjera isteka certifikata certbot certificates # Prometheus Exporter (cert-exporter) # Prati sve certifikate za istek
Rješavanje problema
| Problem | Uzrok | Rješenje |
| ——— | ——- | ———- |
Challenge failed | Port 80/443 blokiran | Provjeriti vatrozid |
DNS propagation | DNS predmemorija | Čekati (do 60 min) ili smanjiti TTL |
Rate limit exceeded | Previše zahtjeva | Koristiti staging server |
unauthorized | Validacija domene nije uspjela | Provjeriti DNS zapise |
# Staging server za testove (bez rate limita) certbot certonly --staging --nginx -d test.example.com # Debug način certbot certonly --nginx -d example.com --debug
Kontrolna lista
| # | Točka provjere | Gotovo |
| — | —————- | ——– |
| 1 | DNS/HTTP izazov konfiguriran | ☐ |
| 2 | Certbot instaliran i testiran | ☐ |
| 3 | Auto-renewal aktiviran (Timer) | ☐ |
| 4 | Deploy-Hook konfiguriran | ☐ |
| 5 | Nadzor postavljen | ☐ |
| 6 | Obavijest o grešci | ☐ |
Povezana dokumentacija
- Zakazana obnova - Alternativa bez ACME
- Nadzor isteka - Praćenje certifikata
- TLS/mTLS - Konfiguracija servera
« <- Automatizacija | -> CI/CD potpisivanje koda »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: 30.01.2026. u 01:29
