In my Let's Encrypt implementation, I am using a centralized acme.sh solution which generates all the certificates I use and authenticates via dns-01 challenges. I use anvil to distribute those certificates. In this post, I will describe how the website pulls the certificates down from the rsync jail. I will assume you have read my previous post where I describe the cert-shifter process.

This solution assumes that the acme.sh jail and the rsync jail are on the same host. This allows files written in one jail to be shared, read-only via a nullfs mount, with another jail. Here is the nullfs entry I use:

/usr/jails/certs/var/db/certs-for-rsync /usr/jails/certs-rsync/var/db/certs-for-rsync nullfs ro 0 0

/usr/jails/certs/var/db/certs-for-rsync is mounted in the acme.sh jail (in my case, the actual jail name is certs). /usr/jails/certs-rsync/var/db/certs-for-rsync is the mount point within the rsync jail (which I named certs-rsync). The data contained there cannot be written by anything in the rsync jail. In short, any time you can share data read-only, you should.

I'm describing the webserver side first because it requires an ssh key which will be needed for the rsync jail configuration. On the webserver, I created a directory, /var/db/certs-for-rsync/, and a user, rsyncer.
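The read-only rule above is easy to break by accident when more jails get a nullfs view of the certificate directory. Here is an added example (not from the original post) that lints fstab-format text and flags any nullfs mount into a jail whose options lack ro; it assumes jails live under /usr/jails/<name>/ as in the paths above, reads the fstab text from standard input, and the sample fstab it runs over is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original post: lint fstab-format text for
# nullfs mounts that expose a directory inside a jail read-write, the opposite
# of the post's advice to share data read-only wherever possible.
# Assumptions: jails live under /usr/jails/<name>/ (the layout in the post's
# paths) and the fstab text arrives on standard input.

JAIL_ROOT=/usr/jails

# Print "device -> mountpoint [options]" for every nullfs mount whose target is
# inside a jail and whose option list does not contain 'ro'. Comment and blank
# lines are skipped. Exit status is 1 if anything was flagged, 0 otherwise.
check_nullfs_ro() {
    found=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac        # blank or comment line
        [ "$fstype" = nullfs ] || continue            # only nullfs matters here
        case "$mnt" in "$JAIL_ROOT"/*) ;; *) continue ;; esac
        case ",$opts," in
            *,ro,*) ;;                                 # explicitly read-only: fine
            *) printf '%s -> %s [%s]\n' "$dev" "$mnt" "$opts"
               found=1 ;;
        esac
    done
    return $found
}

# Constructed sample fstab: the post's read-only entry, a hypothetical
# read-write copy into a "www" jail that should be flagged, and an unrelated
# ufs root mount that should be ignored.
SAMPLE_FSTAB='# device                                  mountpoint                                     type   options dump pass
/usr/jails/certs/var/db/certs-for-rsync   /usr/jails/certs-rsync/var/db/certs-for-rsync  nullfs ro      0    0
/usr/jails/certs/var/db/certs-for-rsync   /usr/jails/www/var/db/certs-for-rsync          nullfs rw,late 0    0
/dev/ada0p2                               /                                              ufs    rw      1    1'

# Demonstration run over the sample; on a live host use: check_nullfs_ro < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | check_nullfs_ro || :
```

A non-zero exit status makes the check usable from a periodic job or a deploy script, so a read-write share into a jail fails the run rather than going unnoticed.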