Acme.sh - update account.conf from CLI w/o new cert


#1

tl;dr: How would I tell acme.sh to use webroot rather than standalone on renewal, after having issued the initial cert using standalone?

Background: I’ve put together a script to automate setting up Nextcloud in a jail on FreeNAS. It creates the jail, installs the relevant packages, puts appropriate config files in place, sets up the database, obtains a cert using acme.sh, etc. The apache configuration redirects all HTTP traffic to HTTPS.

Because I don’t want to mess with two separate apache configs, I first obtain the cert using acme.sh in standalone mode, then start apache. But now that apache is running, I don’t want (and shouldn’t need) to stop it to renew the cert. I address this, once apache is running, by doing:

acme.sh --issue -d ${HOST_NAME} -w /usr/local/www/apache24/data -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"

My assumption was that this would run, see that no new cert was needed (since the existing cert is only a few minutes old), but still update account.conf to use webroot rather than standalone. Apparently it doesn’t.

I could, of course, just use --force to force issuance, which would also update account.conf, but that burns two issuances’ worth of rate limits. This could result in problems for users, not to mention it just seems kind of wasteful. Is there a way to do what I’m looking to do through acme.sh directly, or am I going to need to just mess with account.conf itself?


#2

Hi @danb35,

I’m afraid that you should fight with the conf file :wink:

If you already issued the certificate in standalone mode using these options -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload" you only need to change:

Le_Webroot='no'

by this:

Le_Webroot='/usr/local/www/apache24/data'

Maybe you didn’t include the reload command when issued the cert in standalone, if that is the case, simply add this variable:

Le_ReloadCmd='service apache24 reload'

If you didn’t include in your first command the other options you should add them manually to the conf file.

Just in case, backup :smiley:

Good luck,
sahsanu


#3

Bother. sed, here I come…


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.