acme.sh is an excellent Let's Encrypt client; however, the documentation for it is rather sparse and does not do it justice.
I have a working VPN connection between two FRITZ!Box networks. The FRITZ!Box on the local network has an FQDN of fritzbox-l.udance.com.au and an IP address 10.1.1.1. The FRITZ!Box on the remote network has an FQDN of fritzbox-r.udance.com.au and an IP address of 10.1.2.1.
I happened to stumble across an acme.sh deploy hook that will allow me to deploy a cert to a FRITZ!Box router. I have it working. It works a treat.
I have an acme.sh server that is responsible for deploying certs to various devices. It runs in a FreeNAS jail.
# acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.8
# freebsd-version
12.2-RC3
The local and remote FRITZ!Boxes are visible to this server. I'd like to use the server to deploy certs to both FRITZ!Boxes. However, I'm not sure if this is possible.
The documentation at "deploy a cert to a FRITZ!Box router" indicates that environment variables for the deploy hook are stored in $HOME/.acme.sh/account.conf. However, it appears that only one router can be accommodated.
Cloudflare is my DNS provider. The steps to issue and deploy a cert to the local FRITZ!Box router:
# Issue cert
acme.sh --issue --dns dns_cf -d fritzbox-l.udance.com.au
# Deploy cert
setenv DEPLOY_FRITZBOX_USERNAME "basil"
setenv DEPLOY_FRITZBOX_PASSWORD "alakazam"
setenv DEPLOY_FRITZBOX_URL "https://fritzbox-l.udance.com.au"
acme.sh --deploy -d fritzbox-l.udance.com.au --deploy-hook fritzbox
This is what's written to account.conf:
DEPLOY_FRITZBOX_USERNAME='basil'
DEPLOY_FRITZBOX_PASSWORD='alakazam'
DEPLOY_FRITZBOX_URL='https://fritzbox-l.udance.com.au'
I'm assuming that the acme.sh cron job, which is automatically installed during acme.sh installation, takes care of renewing and redeploying the cert every 60 days.
24 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --config-home "/config" > /dev/null
What's not clear, though, is how I accommodate a second router, if it is at all possible. For instance, using the --accountconf switch, can I use a second conf file to store the credentials for the second router? If so, what might the issue and deploy commands look like for the second router? Will auto-renewal of the cert for the second router still work? These were questions I had hoped to find answers to in the acme.sh wiki, but I haven't come across anything useful. I'm hoping there are forum members who are more familiar with acme.sh than I am who can shed some light on what I'm grappling with.
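The deploy step in the post sets DEPLOY_FRITZBOX_USERNAME, DEPLOY_FRITZBOX_PASSWORD and DEPLOY_FRITZBOX_URL with setenv in the interactive shell, which leaves the router's admin password in the shell history and in the environment of every later command. The script below is an added example (it is not code from the post or from the acme.sh project) that scopes those three variables to each individual acme.sh --deploy run with env, reads the credentials from a root-only file, and adds a small check that prints which DEPLOY_FRITZBOX_URL an account.conf in the KEY='value' form shown above currently holds. The credential-file format, the ACME_SH path variable and the rule that the deploy URL is https://<fqdn> are this example's own assumptions. It does not settle how the cron renewal behaves with two routers; it only makes each manual deploy self-contained and inspectable.

```sh
#!/bin/sh
# Added example, not code from the original post or from the acme.sh
# project.  Deploys an already-issued cert to several FRITZ!Boxes by
# scoping the DEPLOY_FRITZBOX_* variables to each acme.sh run instead of
# exporting them in the interactive shell (where a password typed with
# setenv also ends up in the shell history).
#
# Assumptions (this example's own, not acme.sh conventions):
#   - ACME_SH points at the acme.sh script (default below).
#   - Credentials live in a root-only file (chmod 600), one router per
#     line: fqdn<TAB>username<TAB>password.  Lines starting with # are
#     comments.  The deploy URL is derived as https://<fqdn>.

ACME_SH="${ACME_SH:-/root/.acme.sh/acme.sh}"
TAB="$(printf '\t')"

# deploy_one FQDN USER PASS
# Runs acme.sh --deploy with the hook's variables set only for that one
# process; nothing is exported into the calling shell.
deploy_one() {
  env DEPLOY_FRITZBOX_USERNAME="$2" \
      DEPLOY_FRITZBOX_PASSWORD="$3" \
      DEPLOY_FRITZBOX_URL="https://$1" \
      "$ACME_SH" --deploy -d "$1" --deploy-hook fritzbox
}

# deploy_all FILE
# Deploys to every router listed in FILE; the exit status is the number
# of routers whose deploy failed or whose line was incomplete (0 = all ok).
deploy_all() {
  fails=0
  while IFS="$TAB" read -r fqdn user pass; do
    case "$fqdn" in
      '' | '#'*) continue ;;   # skip blank lines and comments
    esac
    if [ -z "$user" ] || [ -z "$pass" ]; then
      echo "skipping $fqdn: incomplete credential line" >&2
      fails=$((fails + 1))
      continue
    fi
    deploy_one "$fqdn" "$user" "$pass" || fails=$((fails + 1))
  done < "$1"
  return "$fails"
}

# saved_fritzbox_url ACCOUNT_CONF
# Prints the DEPLOY_FRITZBOX_URL recorded in an account.conf written in
# the KEY='value' form the post shows, so you can see which router the
# saved hook settings currently point at.
saved_fritzbox_url() {
  sed -n "s/^DEPLOY_FRITZBOX_URL='\(.*\)'\$/\1/p" "$1"
}

# Usage: ./deploy-fritzboxes.sh /root/fritzbox-routers.tsv
if [ $# -gt 0 ]; then
  deploy_all "$1"
fi
```

Run it as root after the certs have been issued; the credential file is the only place the router passwords live, so keep it mode 600 and off any shared filesystem. The saved_fritzbox_url check is worth running after each deploy to confirm which router the recorded hook settings now refer to.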