Acme.sh - possible to "install" a cert twice?

Yes, I’m going to be bad and delete the question template; I think the question is a little more general.

I’m putting a cert onto a FreePBX system using DNS validation, which means I can’t use the built-in cert management. The method I’m following (see https://community.freepbx.org/t/lets-encrypt-dns-challenge-and-scripting/65903 for discussion) is using acme.sh to issue, followed by a separate acme.sh --install-cert command to put the files in the right place and reload the appropriate FreePBX services. It seems to work well so far.

That server also has Webmin on it, and I’d want to use the same cert for that service. But it wants the cert file in a different format (cat key cert > miniserv.pem), and in a different place. So my question is, if I run acme.sh --install-cert again with different locations and a different reload command, what will happen on renewal? Will acme.sh perform both “install” procedures? Or will the second replace the first?

The alternative, of course, is to create a simple script and call that from the reload command–also pretty simple. But if the first way would work, it would seem like more of a “clean” way to go.

1 Like

No, the last only. You should use --renew-hook, or --deploy-hook (format is different) not --reloadcmd.

(I don’t know if you can have several --deploy-hooks)

2 Likes

Kind of what I thought, thanks for confirming.

From the wiki (https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params):

--renew-hook Command to be run once for each successfully renewed certificate.
--deploy-hook The hook file to deploy cert
--reloadcmd “service nginx reload” After issue/renew, it’s used to reload the server.

I see that the descriptions are different, but I don’t see any difference in the practical effect of these three, except that --renew-hook does not run when you first issue/install a cert (and even that isn’t explicit in the docs). Other than that, I guess, “deploy” more accurately describes “copy and modify files and restart a service” than “reload” does, why should I prefer one over the other?

1 Like

renew-hook is a shell script you write, deploy-hook is one of these options.

I guess --reloadcmd is to be used with --install and --renew-hook with --renew

2 Likes

I don’t think that’s the case: https://github.com/acmesh-official/acme.sh/blob/master/acme.sh#L4770

1 Like
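The alternative raised in the opening post, a small script called from the single reload command, could build Webmin's combined file as below. This is an added example, not code from the thread or from acme.sh; the function name, all paths and the domain in the comment are assumptions.

```shell
#!/bin/sh
# Added example: build Webmin's combined PEM (key followed by cert).
# Assumed wiring, with placeholder domain and paths: one --install-cert
# whose --reloadcmd points at your own wrapper script, e.g.
#   acme.sh --install-cert -d pbx.example.com \
#     --key-file /etc/acme/pbx.key --fullchain-file /etc/acme/pbx.crt \
#     --reloadcmd /usr/local/sbin/deploy-certs.sh
# The wrapper runs the FreePBX reload you already use, then this function,
# then restarts Webmin.

# build_miniserv_pem KEY CERT OUT
# Writes KEY followed by CERT to OUT with mode 600, using a temp file in the
# same directory and a rename, so a reader never sees a half-written file.
build_miniserv_pem() {
    key=$1 cert=$2 out=$3

    # A failed renewal can leave missing or empty files: keep the old OUT.
    [ -s "$key" ] && [ -s "$cert" ] || {
        echo "build_miniserv_pem: missing or empty input" >&2; return 1; }

    # Cheap framing check so swapped arguments are caught before deployment.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "build_miniserv_pem: $key is not a PEM private key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || {
        echo "build_miniserv_pem: $cert is not a PEM certificate" >&2; return 1; }

    # mktemp creates the file readable by its owner only, so the private
    # key is never exposed through a permissive umask.
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if cat "$key" "$cert" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"
    then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Stand-alone use: script.sh KEY CERT OUT
if [ "$#" -eq 3 ]; then
    build_miniserv_pem "$1" "$2" "$3"
fi
```
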
