Adding or editing acme.sh to apply other commands within the cron job builtin

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: N/A
mail.example.com

I ran this command:
acme.sh
It produced this output:
a new certificate in the area it had designated
My web server is (include version):
NA / uses Cloudflare tokenized
The operating system my web server runs on is (include version):
Cloudflare Tokenized
My hosting provider, if applicable, is:
DNS = cloudflare
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
acme.sh version 2.8.7

Guys, I set up the cron job to renew the certificate every 3 months and this works well.
Here is the cron job:

18 0 * * * "/Users/username/.acme.sh"/acme.sh --cron --home "/Users/username/.acme.sh" > /dev/null

The issue I have is that the .domain.cer and key that is created/replaced needs to be placed into a directory on another piece of hardware and renamed over ssh, and the server service STOPPED whilst this happens … I do the whole thing by creating an executable bash script and run it manually after the crontabbed .acme.sh cron job has run … key word being MANUALLY … Is it possible to amend the existing .acme.sh script itself to do this all in one so I don't have to manually run a second script? Example of the secondary script:
#!/bin/bash
# Issue (or renew) the certificate through the Cloudflare DNS API, then stop
# the mail service, copy key and cert (renaming .cer to .crt on the way) and
# start the service again.

/Users/user/.acme.sh/acme.sh --issue --dns dns_cf -d mail.example.com
/usr/local/server/mailserver/mailserver stop
scp /Users/user/.acme.sh/mail.example.com/mail.example.com.cer root@192.168.99.4:/usr/local/server/mailserver/sslcert/server3.crt
scp /Users/user/.acme.sh/mail.example.com/mail.example.com.key root@192.168.99.4:/usr/local/server/mailserver/sslcert/server3.key
/usr/local/server/mailserver/mailserver start

Please, if anyone can assist on how to do this in one and using the inbuilt cron job! And also which script to alter/edit … I'm not sure from the cron job which script it's referencing (expecting the acme.sh inside the .acme.sh/ directory).

This is basically the idea in deploy hooks: https://github.com/acmesh-official/acme.sh/wiki/deployhooks

You will want to make your own and call it using acme.sh --deploy -d mail.example.com --deploy-hook <hook name>.

acme.sh will then automatically call it at every renewal.

You can find a template here: https://github.com/acmesh-official/acme.sh/blob/master/deploy/myapi.sh


Thanks @_az, but there's nothing stopping me also just timing the script to run on change, less the certificate call, so (I don't want to reinvent the wheel here):

/usr/local/server/mailserver/mailserver stop
scp /Users/user/.acme.sh/mail.example.com/mail.example.com.cer root@192.168.99.4:/usr/local/server/mailserver/sslcert/server3.crt
scp /Users/user/.acme.sh/mail.example.com/mail.example.com.key root@192.168.99.4:/usr/local/server/mailserver/sslcert/server3.key
/usr/local/server/mailserver/mailserver start

  These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
  --cert-file <file>                Path to copy the cert file to after issue/renew..
  --key-file <file>                 Path to copy the key file to after issue/renew.
  --ca-file <file>                  Path to copy the intermediate cert file to after issue/renew.
  --fullchain-file <file>           Path to copy the fullchain cert file to after issue/renew.
  --reloadcmd <command>             Command to execute after issue/renew to reload the server.

So if the machine on which you run acme.sh has passwordless (key or cert) ssh access to the machine you want to deploy to, you can do this:

acme.sh -i -d $DOMAIN_NAME [--ecc] --reloadcmd "ssh user@otherserver /path/to/script/on/other/server.sh"

Of course you can also:

acme.sh -i -d $DOMAIN_NAME [--ecc] --reloadcmd "/path/to/script/on/local/machine.sh"

and use that script to scp and reload.
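The local script that the second --reloadcmd form points at, written out as an added example (not from this thread or from acme.sh). It assumes acme.sh --install-cert has already copied the key and cert into a staging directory under the server3.* names, copies them to the mail host while the service is still up, and only then stops, swaps and starts it; STAGE_DIR and the script path are assumed names, the host, paths and service command are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): the local script Neil's
# --reloadcmd points at. Run as
#   acme.sh --install-cert -d mail.example.com \
#     --key-file  "$STAGE_DIR/server3.key" --cert-file "$STAGE_DIR/server3.crt" \
#     --reloadcmd "/Users/user/bin/deploy-mailcert.sh run"
# so acme.sh has already renamed .key/.cer to the names the mail server expects.
set -eu

: "${STAGE_DIR:=/Users/user/mailcert-stage}"            # assumed local path
: "${REMOTE:=root@192.168.99.4}"
: "${REMOTE_DIR:=/usr/local/server/mailserver/sslcert}"
: "${SERVICE:=/usr/local/server/mailserver/mailserver}"  # only stop/start exist

# Transport wrappers; redefine them to exercise the logic without a mail host.
scp_cmd() { scp -q "$@"; }
ssh_cmd() { ssh "$@"; }

# One command for the mail host: stop, rename the staged copies into place
# (mv is atomic, so the server never reads a half-written file), start again
# even if the rename failed, and report the rename result as the exit status.
remote_cmd() {
  printf '%s' "$SERVICE stop; rc=0; \
mv -f $REMOTE_DIR/server3.key.new $REMOTE_DIR/server3.key && \
mv -f $REMOTE_DIR/server3.crt.new $REMOTE_DIR/server3.crt || rc=1; \
$SERVICE start; exit \$rc"
}

deploy_cert() {
  for f in server3.key server3.crt; do
    [ -s "$STAGE_DIR/$f" ] || { echo "deploy: $STAGE_DIR/$f missing or empty" >&2; return 1; }
  done
  # Copy while the service is still up; it is stopped only once both files landed.
  scp_cmd "$STAGE_DIR/server3.key" "$REMOTE:$REMOTE_DIR/server3.key.new" &&
  scp_cmd "$STAGE_DIR/server3.crt" "$REMOTE:$REMOTE_DIR/server3.crt.new" ||
    { echo "deploy: copy failed, service left untouched" >&2; return 1; }
  ssh_cmd "$REMOTE" "$(remote_cmd)" ||
    { echo "deploy: remote stop/swap/start reported failure" >&2; return 1; }
  echo "deploy: $REMOTE restarted with the renewed certificate"
}

# --reloadcmd passes no arguments; the explicit "run" keeps a plain source/run
# of this file from pushing anything.
if [ "${1:-}" = run ]; then deploy_cert; fi
```

A non-zero exit is what acme.sh sees from --reloadcmd, so a failed copy or swap shows up in the renewal log instead of silently leaving the old certificate in place.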


Why not use the ssh deploy hook?

It seems convoluted and restricted as opposed to running your own script with server software you know responds to the script you originally ran?

Because I didn't know of this feature:

export DEPLOY_SSH_REMOTE_CMD=command to execute on remote host

But wait, does acme.sh remember environment variables when renewing, or do I have to set them each time?

does acme.sh remember environment variables when renewing

Yes, of course.


So for something that normally would run as a standalone script, connects keyless, and changes the certificate extension (.cer to .crt), such as:
/usr/local/server/mailserver/mailserver stop
scp /Users/user/.acme.sh/mail.example.com/mail.example.com.cer root@192.168.99.4:/usr/local/server/mailserver/sslcert/server3.crt
scp /Users/user/.acme.sh/mail.example.com/mail.example.com.key root@192.168.99.4:/usr/local/server/mailserver/sslcert/server3.key
/usr/local/server/mailserver/mailserver start
How can I convert that into your deploy hook? That is literally the actual script I run above manually …
I can't get my head round the arguments to emulate that using the deploy hook, otherwise I would use it 100%!

Neil, would this work for my scenario? Your feedback and time are very appreciated. The remote command is the main issue I struggle with; this is on OSX and the service is Kerio Connect (it does not have a "restart" command, only stop and start). There is also no example, be it Linux or other, on your deployhooks · acmesh-official/acme.sh Wiki · GitHub page.

Original script currently in use:
/usr/local/server/mailserver/mailserver stop
scp /Users/user/.acme.sh/mail.example.com/mail.example.com.cer root@192.168.99.4:/usr/local/server/mailserver/sslcert/server3.crt
scp /Users/user/.acme.sh/mail.example.com/mail.example.com.key root@192.168.99.4:/usr/local/server/mailserver/sslcert/server3.key
/usr/local/server/mailserver/mailserver start

# The ssh deploy hook reads these variables on the first --deploy and saves them
# in the domain's conf, so later renewals re-run the same deployment.
export DEPLOY_SSH_USER=root
export DEPLOY_SSH_SERVER="192.168.99.4"
export DEPLOY_SSH_CMD="ssh -p 22022"   # port copied from the wiki example; use the port the host actually listens on
# Remote paths the key and cert are written to (this is where the .cer -> .crt rename happens).
export DEPLOY_SSH_KEYFILE="/usr/local/server/mailserver/sslcert/server3.key"
export DEPLOY_SSH_CERTFILE="/usr/local/server/mailserver/sslcert/server3.crt"
# Optional; the script above copies only key and cert, so these stay unset.
# export DEPLOY_SSH_CAFILE="<filename for intermediate CA file>"
# export DEPLOY_SSH_FULLCHAIN="<filename for fullchain file>"
# The commands need separators, or the remote shell sees one long command line;
# 90 seconds replaces "1.5m", a suffix not every sleep accepts.
export DEPLOY_SSH_REMOTE_CMD="/usr/local/server/mailserver/mailserver stop; sleep 90; /usr/local/server/mailserver/mailserver start"
export DEPLOY_SSH_BACKUP="yes"
# Run once after the certificate exists; the domain must match the issued cert name.
acme.sh --deploy -d mail.example.com --deploy-hook ssh
