Can deploy certs to more than one FRITZ!Box router?

is an excellent Let's Encrypt client, however, the documentation for it is rather sparse and does not do it justice.

I have a working VPN connection between two FRITZ!Box networks. The FRITZ!Box on the local network has an FQDN of and an IP address The FRITZ!Box on the remote network has an FQDN of and an IP address of

I happened to stumble across an deploy hook that will allow me to deploy a cert to a FRITZ!Box router. I have it working. It works a treat.

I have an server that is responsible for deploying certs to various devices. It runs in a FreeNAS jail.

# --version
# freebsd-version

The local and remote FRITZ!Boxes are visible to this server. I'd like to use the server to deploy certs to both FRITZ!Boxes. However, I'm not sure if this is possible?

The documentation at deploy a cert to a FRITZ!Box router indicates that environmental variables for the deploy hook are stored in $HOME/ However, it appears that only one router can be accommodated.

Cloudflare is my DNS provider. The steps to issue and deploy a cert to the local FRITZ!Box router:

# Issue cert
--issue --dns dns_cf -d
# Deploy cert
setenv DEPLOY_FRITZBOX_URL ""
--deploy -d --deploy-hook fritzbox

This is what's written to account.conf:


I'm assuming that the cron job, that's automatically installed during installation, takes care of renewing and redeploying the cert every 60 days.

24 0 * * * "/root/"/ --cron --home "/root/" --config-home "/config" > /dev/null

What's not clear though is how I accommodate a second router, if it is at all possible? For instance, using the --accountconf switch, can I use a second conf file to store the credentials for the second router? If so, what might the issue and deploy commands look like for the second router? Will auto-renewal of the cert for the second router still work? These were questions I had hoped to find answers for in the wiki, but I haven't come across anything useful. I'm hoping there are forum members, who are more familiar with than I am, who can shed some light on what I'm grappling with.


Hi @basilhendroff

I don't use (and I have only one FritzBox, the included certificate is enough).

But checking that documentation your conclusion may be incomplete.

After the first deployment, these values will be stored in your $HOME/ You may now deploy the certificate like this: --deploy -d --deploy-hook fritzbox

says: Export the variables of your first FritzBox, deploy it, export the variables of your second FritzBox, deploy it.

The account.conf may have only one set of account information. But you can overwrite that with the next set of account information.

Or check if you can create two different account.conf files.


Not sure if there is a "proper" way; however, when I wanted to deploy my certificates on an extra Linux box (I assume fritzbox is running some kind of Linux/Unix), I created this bash script. It uses scp (so you need to have ssh + the correct key for autologin).

#function upload_cert {
#       MAX_RETRIES=6
#       i=0
#       while ! $(scp -rq /etc/acme-sh/ > /dev/null 2>&1); do
#               i=$(($i+1))
#               if [ $i -eq $MAX_RETRIES ]; then
#                       mail -s "RSA certificate updated, ERROR with uploading to host!" < /dev/null > /dev/null 2>&1
#                       return 1
#               fi
#               sleep 1800
#       done
#       ssh /root/scripts/run_on_rsa_cert_renew
#}
#upload_cert &

This is a snippet from a larger reload script. What it does is use scp to upload the local acme-sh/ folder to a remote location. If it fails, it tries for 3 hours (6 tries, every 30 min); if it still fails you get a mail, otherwise it executes a script on the remote host to restart services.


Yes, but you will need to use the --accountconf parameter every time to --issue a new cert and then --deploy it again. All the variables are stored in the new account conf file.

And, the default cronjob is only able to process the default account conf.

You will need to add a new cronjob with the --accountconf parameter, like:

24 0 * * * "/root/"/ --cron --home "/root/" --config-home "/config" --accountconf "/path/to/new/account.conf" > /dev/null

It will be easier to create a new user, like useradd acme2, and then install as user acme2, and issue/deploy it there.
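
The per-router account conf and the extra cron entry from the reply above, as an added example that is not part of the original posts or of the client's own code. `ACME_BIN`, `ACME_HOME`, `CONF_ROOT`, the router labels and the staggered cron minute are placeholders chosen for illustration; because the conf ends up holding router credentials, the helper refuses to emit a cron line for a conf that is not owner-only.

```shell
#!/bin/sh
# Added example: one private account conf and one cron entry per router.
# All paths below are placeholders, not values from the thread.
ACME_BIN="${ACME_BIN:-/path/to/acme-client}"
ACME_HOME="${ACME_HOME:-/path/to/client-home}"
CONF_ROOT="${CONF_ROOT:-./router-conf}"

# Create <CONF_ROOT>/<label>/account.conf for one router.
# The file will store that router's deploy-hook variables (URL, credentials),
# so it is created under umask 077 and pinned to 0700 / 0600.
init_router_conf() {
    label="$1"
    dir="$CONF_ROOT/$label"
    ( umask 077 && mkdir -p "$dir" && : >> "$dir/account.conf" ) || return 1
    chmod 700 "$dir" && chmod 600 "$dir/account.conf" || return 1
    printf '%s\n' "$dir/account.conf"
}

# True only if the file is a regular file with mode rw------- (0600).
# Uses ls rather than stat so it behaves the same on Linux and FreeBSD.
conf_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Print the cron line that renews and redeploys with this router's conf.
# $2 is the minute field, so two routers do not run at the same moment.
cron_line() {
    label="$1"
    minute="$2"
    conf="$CONF_ROOT/$label/account.conf"
    if ! conf_is_private "$conf"; then
        echo "refusing: $conf is missing or not mode 0600" >&2
        return 1
    fi
    printf '%s 0 * * * "%s" --cron --home "%s" --accountconf "%s" > /dev/null\n' \
        "$minute" "$ACME_BIN" "$ACME_HOME" "$conf"
}
```

Run the first `--issue` and `--deploy` for each router with the same `--accountconf` path that `init_router_conf` prints, so the hook variables are saved in that file rather than in the default one.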


Thank you for the clarification @Neilpang. I'll set up another server on the second subnet to achieve this. Thank you to everyone else who contributed ideas as well.

A tip for other FreeBSD users wanting to use the FRITZ!Box deploy hook: The FreeBSD equivalent of md5sum is md5 (more info here). deploy/ needs to be tweaked slightly sed -i '' "s|md5sum|md5|g" ~/ for it to run successfully on FreeBSD and FreeBSD embedded systems such as FreeNAS.


@Neilpang Will an upgrade to overwrite any modifications made to deploy hooks (such as in the previous post)? If so, then I should avoid auto-upgrading.


I would recommend you enable auto-upgrading, since there may be bug fixes.

You can copy the deploy hook file and rename it to your own name.


The tweak is no longer necessary. The deploy hook now works on FreeBSD without modification. Refer to this recent commit: "remove dependency to md5 and awk".

