tl;dr: How would I tell acme.sh to use webroot rather than standalone on renewal, after having issued the initial cert using standalone?
Background: I’ve put together a script to automate setting up Nextcloud in a jail on FreeNAS. It creates the jail, installs the relevant packages, puts appropriate config files in place, sets up the database, obtains a cert using acme.sh, etc. The apache configuration redirects all HTTP traffic to HTTPS.
Because I don’t want to mess with two separate apache configs, I first obtain the cert using acme.sh in standalone mode, then start apache. But now that apache is running, I don’t want (and shouldn’t need) to stop it to renew the cert. I address this, once apache is running, by doing:
acme.sh --issue -d ${HOST_NAME} -w /usr/local/www/apache24/data -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"
My assumption was that this would run, see that no new cert was needed (since the existing cert is only a few minutes old), but still update account.conf to use webroot rather than standalone. Apparently it doesn’t.
I could, of course, just use --force to force issuance, which would also update account.conf, but that burns two issuances’ worth of rate limits. This could result in problems for users, not to mention it just seems kind of wasteful. Is there a way to do what I’m looking to do through acme.sh directly, or am I going to need to just mess with account.conf itself?
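One way to switch an already-issued cert from standalone to webroot validation without a forced reissue, as an added example that is not part of the original post: edit the per-domain conf that acme.sh reads at renewal time, with a guard so it only touches a conf that is actually in standalone mode. It assumes (about acme.sh internals) that the validation mode lives in the Le_Webroot key of ~/.acme.sh/<domain>/<domain>.conf and that standalone issuance writes Le_Webroot='no'; cloud.example.com and the temp paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: switch an already-issued acme.sh
# cert from standalone to webroot validation by editing the per-domain conf that
# acme.sh reads at renewal time. Assumption about acme.sh internals: the mode is
# stored as Le_Webroot in ~/.acme.sh/<domain>/<domain>.conf, and standalone
# issuance writes Le_Webroot='no'.

# Print the current Le_Webroot value of CONF (empty if the key is missing).
current_webroot() {
  sed -n "s/^Le_Webroot='\(.*\)'\$/\1/p" "$1"
}

# Rewrite Le_Webroot in CONF to WEBROOT. Only touches a conf that is currently
# standalone, checks the webroot directory exists, and leaves a .bak copy.
set_webroot() {
  conf="$1"; webroot="$2"
  [ -f "$conf" ] || { echo "no such conf: $conf" >&2; return 1; }
  [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 1; }
  [ "$(current_webroot "$conf")" = "no" ] || { echo "$conf is not in standalone mode" >&2; return 1; }
  cp "$conf" "$conf.bak"
  # '|' as the sed delimiter so the path's slashes need no escaping
  sed "s|^Le_Webroot='no'\$|Le_Webroot='$webroot'|" "$conf.bak" > "$conf"
}

# Constructed sample conf (a subset of the keys acme.sh writes) in a temp dir,
# standing in for ~/.acme.sh/cloud.example.com/cloud.example.com.conf.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/cloud.example.com.conf"
mkdir -p "$demo_dir/www"
cat > "$demo_conf" <<'EOF'
Le_Domain='cloud.example.com'
Le_Webroot='no'
Le_Keylength='4096'
EOF

set_webroot "$demo_conf" "$demo_dir/www"
echo "Le_Webroot is now: $(current_webroot "$demo_conf")"
```

Run it while no acme.sh cron job is active, then confirm the next renewal (for instance a plain acme.sh --renew -d <domain> when the cert is due) uses the webroot rather than trying to bind port 80.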