Acme.sh run bash script after cert renewal

At the moment we run the renewals of several servers manually using acme.sh v3.0+
The cron job is there to renew the cert and it uses a Cloudflare token, and this all works perfectly.
The issue we have is requiring further scripting to stop our particular mail server, rename the cert, copy it into place and start the server - very trivial, yes!
Is there a way or method to do this (as root) included in acme.sh?
The command is listed below and manually run prior to SSL expiry; it has to be run as root
/usr/local/kerio/mailserver/keriomailserver stop
cp ~/.acme.sh/name.domain.com/fullchain.cer /usr/local/kerio/mailserver/sslcert/server.crt
cp ~/.acme.sh/name.domain.com/name.domain.com.key /usr/local/kerio/mailserver/sslcert/server.key
/usr/local/kerio/mailserver/keriomailserver start

Any help or pointers would be super appreciated !

1 Like

I think acme.sh --install-cert is probably what you're looking for. Something like:

acme.sh --install-cert -d name.domain.com \
--key-file /usr/local/kerio/mailserver/sslcert/server.key \
--fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt \
--reloadcmd "/usr/local/kerio/mailserver/keriomailserver stop; /usr/local/kerio/mailserver/keriomailserver start"

acme.sh will remember to call it upon a successful renewal of your certificate.

2 Likes

Fantastic! To configure this as a cronjob, for example for a cert that was renewed today (already), how can I do this without triggering a new cert call? Thanks for your help so far!

2 Likes

You don't need to cron this separately, acme.sh will remember to do it as part of its main renewal cron job.

Running this command won't trigger a renewal. You can run it now, once, and acme.sh will take care of automatically running it for future renewals.

1 Like

Thank you AZ, have marked as solution off the back of your advice!

2 Likes

@_az stupid question but how do I add the actual command ?

1 Like

If I try to add acme.sh --install-cert -d name.domain.com it replies "unknown parameter :"

1 Like

If you paste all 4 lines, it should work.

Can you post a screenshot of what happens?

1 Like

If I remove the \ and add the full path to the acme directory the first command works, but doing the following command fails:
/Users/username/.acme.sh/acme.sh --key-file /usr/local/kerio/mailserver/sslcert/server.key
opens the help dialogue as below:

v3.0.1
Usage: acme.sh ... [parameters ...]
Commands:
-h, --help Show this help message.
-v, --version Show version info.
--install Install acme.sh to your system.
--uninstall Uninstall acme.sh, and uninstall the cron job.
--upgrade Upgrade acme.sh to the latest code from https://github.com/acmesh-official/acme.sh.
--issue Issue a cert.
--deploy Deploy the cert to your server.
-i, --install-cert Install the issued cert to apache/nginx or any other server.
-r, --renew Renew a cert.
--renew-all Renew all the certs.
--revoke

1 Like

The thing should be a single command. The backslashes join each line together into one long command. Maybe try paste this:

acme.sh --install-cert -d name.domain.com --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd "/usr/local/kerio/mailserver/keriomailserver stop; /usr/local/kerio/mailserver/keriomailserver start"
1 Like

Yes, I'm on the same plane, I was just trying that as you typed. Here's the result:
bash-3.2# /Users/localname/.acme.sh/acme.sh --install-cert -d name.domain.com -d autodiscover.domain.com --key-file "/usr/local/kerio/mailserver/sslcert/server.key" --fullchain-file "/usr/local/kerio/mailserver/sslcert/server.crt” --reloadcmd "/usr/local/kerio/mailserver/keriomailserver stop; /usr/local/kerio/mailserver/keriomailserver start”

[Wed 12 Jan 2022 15:11:56 AEDT] Unknown parameter : stop

Kerio Connect Script: Unknown parameter start”

bash-3.2#

1 Like
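
How a POSIX shell splits the command in the post above, as an added example that is not part of the thread: the closing quotes there are typographic (U+201D), which the shell treats as ordinary characters rather than quotes. `argdump` is a hypothetical stand-in for both acme.sh and the Kerio script, so nothing is installed or restarted, and `has_smart_quotes` is likewise an assumed helper name.

```shell
#!/bin/sh
# Constructed demo. argdump replaces the real binaries and prints each
# argument exactly as the shell hands it over, one per line.
argdump() {
  for a in "$@"; do printf '[%s]\n' "$a"; done
}

# The tail of the command as pasted in the thread, closing quotes being U+201D.
# The straight quote before the cert path stays open until the straight quote
# in front of the reload command, and the now unquoted ';' ends the command.
pasted() {
  argdump --fullchain-file "/usr/local/kerio/mailserver/sslcert/server.crt” --reloadcmd "/usr/local/kerio/mailserver/keriomailserver stop; argdump start”
}

# Same tail with straight quotes only: --reloadcmd gets one argument.
corrected() {
  argdump --fullchain-file "/usr/local/kerio/mailserver/sslcert/server.crt" --reloadcmd "/usr/local/kerio/mailserver/keriomailserver stop; /usr/local/kerio/mailserver/keriomailserver start"
}

# Pre-flight check for a command line copied from a web page or a mail:
# returns 0 if it contains a typographic single or double quote.
has_smart_quotes() {
  case "$1" in
    *“*|*”*|*‘*|*’*) return 0 ;;
    *) return 1 ;;
  esac
}

echo "pasted:";    pasted
echo "corrected:"; corrected
```

In the `pasted` output the first command ends with a stray `[stop]` argument and a second command receives `[start”]`, which lines up with the two "Unknown parameter" messages shown in the post.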

What if you just run this on its own:

  /usr/local/kerio/mailserver/keriomailserver stop
1 Like

that will stop the mailserver

1 Like

there is a RESTART command too

1 Like

So, I don't think the "unknown parameter" message is coming from acme.sh.

I want you to double check that the stop/start commands actually work on their own, because I don't think there's anything wrong with the acme.sh parts.

1 Like

bash-3.2# /usr/local/kerio/mailserver/keriomailserver

Kerio Connect Script: Missing parameter. Use "start", "stop" or "restart".

1 Like

/Users/localuser/.acme.sh/acme.sh --install-cert -d name.domain.com -d autodiscover.domain.com --key-file "/usr/local/kerio/mailserver/sslcert/server.key" --fullchain-file "/usr/local/kerio/mailserver/sslcert/server.crt” --reloadcmd "/usr/local/kerio/mailserver/keriomailserver restart”

This should work, right? Then acme.sh --install-cronjob to ensure it's saved as cronjob?

1 Like

Sure, give it a shot.

1 Like

Doesn't error, doesn't give a new line, just sits in terminal as

1 Like

Sounds like it worked to me!

1 Like