Acme.sh run bash script after cert renewal

No, it displays ">"

1 Like

If I try with no "" I get

bash-3.2# /Users/localuser/.acme.sh/acme.sh --install-cert -d name.domain.com -d autodiscover.domain.com --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd /usr/local/kerio/mailserver/keriomailserver restart

[Wed 12 Jan 2022 15:49:33 AEDT] Unknown parameter : restart

1 Like

OK, it finally worked and actually ran the whole thing, including restarting the live server, by putting only the reload-cmd in " ". So the exact command below is for an OSX system:

/Users/localuser/.acme.sh/acme.sh --install-cert -d name.domain.com -d autodiscover.domain.com --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd "/usr/local/kerio/mailserver/keriomailserver restart"

Thank you AZ!

2 Likes

Does that mean the cron I just added now will restart the service every day? Even if the server had no cron job in the first place?

1 Like

The cronjob will run every day, yes, but it won't do anything unless a certificate is due to be renewed.

1 Like

If there is only one cron job and that is the above, how can I ensure the certs will be renewed?
Is there a command to check that the renewal process is set up and functional?

1 Like

There's one main acme.sh cronjob, which acme.sh installs itself:

# crontab -l
7 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

That cronjob will call the acme.sh --install-cert for you, at the appropriate time.

I'm not sure, I don't think acme.sh has a dry-run sort of command. You might try setting a calendar reminder 1 week prior to the expiry of your certificate, and check that your mailserver is using the new certificate at that point.

1 Like

Cheers AZ, after getting the reload process set right I made a cron for each, but there wasn't an existing cronjob :frowning:

2 Likes

Sorry to resurrect this like a ZOMBIE from the dead, but I'm still unclear on the process here.
My acme.sh files are in NON-root homes (this is what the developer states is GOOD about acme.sh),
so my keys live in, as an example, "/Users/localuser/.acme.sh/acme.sh/keys". The command I need to run to reboot the server has to be done via ROOT, as a standard user doesn't have elevation and SUDO would require human interaction. My cron job is in ROOT, and I can only run the job Tuesday to Friday, as backups occur that cannot have the service restart and disrupt them. Is it correct that IF the "localuser" runs a command ONCE, acme remembers this for its ROOT CRON renewal? Here also is an example of the crontab in root that I edited to ensure the cert doesn't change during the time when the server is backing up:
10 5 * * 1-5 "/Users/localuser/.acme.sh"/acme.sh --cron --home "/Users/localuser/.acme.sh" > /dev/null
Or does the ROOT cron job have to have the parameters set for the restarting of the server?

Please better explain the difference between "service restart" and "server restart", why they are being used, and what the desired goal is.

As I see it, the main purpose of the cron job is to renew the cert (by default).
Any job triggered can be attached with a service restart (in various ways).
And even a server restart [but I can't understand why that would ever be necessary].

1 Like

Hi Rg, thank you for replying. The service is an SMTP "server"; the "server" won't recognise the renewed certificate unless the service (not the whole hardware) is restarted. To add to the mix, the service requires the keys and cert to be renamed, which you can see in the example. The command I have cobbled together is: /Users/localuser/.acme.sh/acme.sh --install-cert -d name.domain.com -d autodiscover.domain.com --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd "/usr/local/kerio/mailserver/keriomailserver restart"
This works when run manually, and the last cert was created using it. I just have not seen the cert change since the last manual run; the current cert is due to expire 25th March. My worry is a) I've altered a cron job incorrectly and b) it won't run as it's a mix of root and localuser permissions.

I think you could break the large single cron into two (or more) distinct steps.

Like:

  • renew cert
    [check twice daily]

  • restart kerio
    [restart (or, if possible, reload) it as often as you like - say... once a week, during off hours]

In doing so, Kerio will always have the latest cert.
And should anything go "wrong", you will be better suited to address the problem directly.

Check list:

  • did the cert renew?
  • did the latest cert files get placed into the correct location?
  • did Kerio restart (on schedule)?

2 Likes

Thanks @rg305, I'm stumped as to how the below

/Users/localuser/.acme.sh/acme.sh --install-cert -d name.domain.com -d autodiscover.domain.com --key-file /usr/local/kerio/mailserver/sslcert/server.key --fullchain-file /usr/local/kerio/mailserver/sslcert/server.crt --reloadcmd "/usr/local/kerio/mailserver/keriomailserver restart"

runs without being an actual visible cron command.
I have only one crontab in root and nothing in the standard user where the cert resides. Is it some magical juice that acme caches? My whole setup relies on acme doing some voodoo I cannot test :frowning: and then the root crontab does its thing.

1 Like

The command shown is far from what would be expected to be found in cron.

If that is related, please show it.

It may seem like it, but it is far from that.
[ACME <> voodoo]

2 Likes

One -d only, in that context it refers to the certificate name. (The first column in acme.sh --list)

bash-3.2# crontab -l

10 5 * * 1-5 "/Users/localuser/.acme.sh"/acme.sh --cron --home "/Users/localuser/.acme.sh" > /dev/null

Thank you, that command shows its renewal date as below

LetsEncrypt.org Wed Jan 12 18:10:44 UTC 2022 Sun Mar 13 18:10:44 UTC 2022

The cron "looks" normal.
But it won't actually try to renew until Mar 13 2022 [as shown by --list]
Since the 13th will be a Sunday, it might be until the 14th before you can see if it works.

1 Like
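To make the "it won't actually try to renew until Mar 13 [...] it might be until the 14th" reasoning checkable, here is an added example (my own code, not part of acme.sh or of this thread) that parses the five schedule fields of a crontab line and the `Renew` column shown by `acme.sh --list`, then reports the first cron firing after that time. It assumes what the thread states: `acme.sh --cron` only renews once the current time is past the Renew time, so the cron schedule decides when the renewal actually happens. It goes beyond the single `10 5 * * 1-5` case by handling ranges, lists, `*/n` steps and cron's day-of-month/day-of-week rule; the crontab line and Renew value below are the ones from this thread, and the UTC offset is an assumption the caller supplies.

```python
"""Added example: when does a crontab entry first run after acme.sh's Renew time?
Standard library only. Assumption: `acme.sh --cron` renews as soon as it runs
after the Renew time, so the next cron firing is the earliest renewal attempt."""
import datetime as dt


def _expand_field(field, lo, hi):
    """Expand one cron field ('*', '1-5', '*/15', '1,3,5', '7') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def parse_cron(line):
    """Parse the first five fields of a crontab line (the command part is ignored)."""
    minute, hour, dom, month, dow = line.split()[:5]
    days = _expand_field(dow, 0, 7)
    if 7 in days:                      # cron accepts both 0 and 7 for Sunday
        days.discard(7)
        days.add(0)
    return {
        "minute": _expand_field(minute, 0, 59),
        "hour": _expand_field(hour, 0, 23),
        "dom": _expand_field(dom, 1, 31),
        "month": _expand_field(month, 1, 12),
        "dow": days,
        # Vixie cron: when BOTH day fields are restricted, a day matches if EITHER does.
        "day_or": dom != "*" and dow != "*",
    }


def next_run(line, after):
    """First time strictly after `after` (tz-aware) at which the crontab line fires."""
    s = parse_cron(line)
    one_min, one_hour, one_day = (dt.timedelta(minutes=1),
                                  dt.timedelta(hours=1), dt.timedelta(days=1))
    t = after.replace(second=0, microsecond=0) + one_min
    limit = after + dt.timedelta(days=366)
    while t <= limit:
        cron_dow = (t.weekday() + 1) % 7          # Python Mon=0 ... cron Sun=0
        dom_ok, dow_ok = t.day in s["dom"], cron_dow in s["dow"]
        day_ok = (dom_ok or dow_ok) if s["day_or"] else (dom_ok and dow_ok)
        if t.month not in s["month"] or not day_ok:
            t = (t + one_day).replace(hour=0, minute=0)   # skip to next day
        elif t.hour not in s["hour"]:
            t = (t + one_hour).replace(minute=0)          # skip to next hour
        elif t.minute not in s["minute"]:
            t += one_min
        else:
            return t
    raise ValueError("cron line never fires within a year")


def parse_renew(renew_text):
    """Parse the Renew column of `acme.sh --list`, e.g. 'Sun Mar 13 18:10:44 UTC 2022'."""
    naive = dt.datetime.strptime(renew_text, "%a %b %d %H:%M:%S UTC %Y")
    return naive.replace(tzinfo=dt.timezone.utc)


def first_renewal_attempt(cron_line, renew_text, utc_offset_hours=0):
    """Earliest firing of `cron_line` after the Renew time, evaluated in the host's
    local zone (cron uses local time; the Renew column is printed in UTC)."""
    tz = dt.timezone(dt.timedelta(hours=utc_offset_hours))
    renew_at = parse_renew(renew_text).astimezone(tz)
    return next_run(cron_line, renew_at)


# Values taken from this thread; the +11 offset is an assumption (AEDT, as in
# acme.sh's own log timestamps earlier in the thread).
THREAD_CRON = ('10 5 * * 1-5 "/Users/localuser/.acme.sh"/acme.sh --cron '
               '--home "/Users/localuser/.acme.sh" > /dev/null')
THREAD_RENEW = "Sun Mar 13 18:10:44 UTC 2022"

if __name__ == "__main__":
    print("in UTC :", first_renewal_attempt(THREAD_CRON, THREAD_RENEW))
    print("in AEDT:", first_renewal_attempt(THREAD_CRON, THREAD_RENEW, 11))
```

Evaluated in UTC this gives Mon 14 Mar 05:10, matching the "might be until the 14th" remark; evaluated in the server's AEDT (UTC+11) the Renew instant is already 05:10:44 on the 14th, one minute past that day's slot, so the first real attempt is Tue 15 Mar. The day after is still well inside the Let's Encrypt renewal window, but it is the kind of detail worth knowing before restricting the cron to weekdays.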

I made the edit to 1-5 to ensure that if it DOES update it won't cause the server to potentially reboot during a live backup. Hopefully that isn't too restrictive?

I don't see how acme.sh can cause the server to reboot.
If that is happening, then you do have a serious problem.
Unless, this is somehow triggering it:

1 Like