From f1ffc9e55208e2a07c0770e89b74e128f3e06827 Mon Sep 17 00:00:00 2001 From: Paul Philippov Date: Thu, 9 Feb 2023 18:00:50 -0500 Subject: [PATCH] update and extend acme instruction --- en/acme-v2.md | 49 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 7 deletions(-) diff --git a/en/acme-v2.md b/en/acme-v2.md index a41c3b0..f205861 100644 --- a/en/acme-v2.md +++ b/en/acme-v2.md 
@@ -8,23 +8,58 @@ Make sure your camera is accessible from the Internet on both port 80 (HTTP) and port 443 (HTTPS). You might need to set up port forwarding on your router for that. -Create an ACME account: +### Create an ACME account: +__on camera:__ ```console $ uacme -y -v new ``` -Issue a certificate for your domain: +### Give your camera a FQDN +Secure HTTP (Hypertext Transfer Protocol Secure, HTTPS) cannot be issued to a bare IP address, +you need a Fully Qualified Domain Name (FQDN) for your camera. That is how your camera will +be accessed over HTTPS. + +Create an account with any Domain Name Register and register a domain name, e.g. _mysuperduperdomain.com_. + +Set up a DNS zone for that domain name and create a record for your camera in that domain zone. +``` +DNS Records +mysuperduperdomain.com +--------------------------------------- +Type Host IP Address TTL +A ipc-001 75.123.45.555 600 +``` +where `75.123.45.555` is your public IP address. + +### Set up port forwarding if your camera is behind NAT. + +Add port forwarding from port 80 of WAN interface to port 80 of your camera's local IP address. + +``` +75.123.45.555:80 => 192.168.1.10:80 +``` + +If you have several devices on your network serving public HTTP requests then add your +camera domain name to HTTP proxy. 
+ +### Issue a certificate for your domain: + +__on camera__: ```console -$ uacme -y -v -h /usr/share/uacme/uacme.sh -t EC issue www.your.domain.com +$ uacme -y -v -h /usr/share/uacme/uacme.sh -t EC issue ipc-001.mysuperduperdomain.com ``` -If everything goes well, uacme will ask you to set up a challenge, e.g.: +### Set up a local DNS record override +You can add an override record to `/etc/hosts` file on your machine ``` -uacme: challenge=http-01 ident=www.your.domain.com token=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4 -key_auth=kZjqYgAss_sl4XXDfFq-jeQV1_lqsE76v2BoCGegFk4.2evcXalKLhAybRuxxE-HkSUihdzQ7ZDAKA9EZYrTXwU +echo "192.168.1.10 ipc-001.mysuperduperdomain.com" >> /etc/hosts ``` +or you could create a record on your local DNS server like [pi.hole](https://pi-hole.net/) +so that anyone using that DNS server could have secure access to the camera, too. -Restart majestic and test access to https://www.your.domain.com/ +### Restart majestic and test access + +Open your favorite web browser and go to https://ipc-001.mysuperduperdomain.com/
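Review bot: the new port-forwarding section only forwards port 80 (`75.123.45.555:80 => 192.168.1.10:80`), yet the preamble at the top of this hunk says the camera must be reachable on both port 80 and port 443; port 80 is enough for the HTTP-01 challenge, but the final "test access" step over HTTPS from outside the LAN needs a 443 forward as well, so either add a second mapping or say explicitly that the /etc/hosts override is the LAN-only way to reach it. The sample address `75.123.45.555` is not a valid IPv4 address (last octet exceeds 255); an RFC 5737 documentation address such as `203.0.113.10` avoids pointing readers at someone's real host. Wording in the FQDN section: it is the certificate, not "Secure HTTP", that cannot be issued to a bare IP address (suggest "a publicly trusted certificate cannot be issued for a bare IP address"), and "Domain Name Register" should read "Registrar". The sentence "add your camera domain name to HTTP proxy" is too vague to act on; it should state that the proxy must pass requests for the camera's name, in particular `/.well-known/acme-challenge/`, through to the camera, otherwise the challenge fails. Minor: the `echo ... >> /etc/hosts` line needs root on most systems, "on your machine" should clarify this is the client machine rather than the camera, and the new headings end inconsistently (some with ":", one with ".", one with nothing).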