I have my hosting (Buyshared) and website all set up for SSL using the official Let's Encrypt app. The SSL was issued and installed for my domain (skynode.link) as a wildcard certificate using DNS verification.
Now I use my website to connect to my application server, which needs the crt and key files to work. The server is set to retrieve those files from a certain folder located in the hosting public_html folder.
The problem is how I can find the currently installed certificate (crt and key) data (- - - BEGIN …) using CLI commands, so that I can make a script to copy the data and update the designated file which my external server reads every week to update its installed certificates. This script will be running as a cron job, so that every time the Let's Encrypt app reissues my website certificates, the new crt and key file data is automatically copied and pasted into the secured folder where only my external server can access and retrieve it.
My domain name is: skynode.link
I don’t have root access
I am using the Let's Encrypt cPanel plugin to issue and renew the wildcard SSL.
Background Working Principle
The external server is a MikroTik Cloud Hosted Router. So what I do is that I have DNS entries on my hosting pointing to this MikroTik server, for example cloud.skynode.link:4528, and this MikroTik must use the SSL for the domain cloud.skynode.link (which in my case is *.skynode.link). So since the Let's Encrypt app issues this SSL, I need to extract the crt and key file (the latest one) and put it in a secure folder, maybe "~/chr/lets_encrypt", with a constant name like "skynode.crt" and "skynode.key", and then the MikroTik server can connect to that folder using FTP and retrieve those files to install in itself.
You can find the certificate and private key file in the cPanel TLS/SSL Manager, as with any SSL certificate that is installed to your cPanel account. You can use the standard cPanel UAPI CLI tool to dump the installed certificates, check the cPanel docs for that.
You can also find a copy of the current Let’s Encrypt certificates in use by your account in a JSON file located at $HOME/.cpanel/nvdata/letsencrypt-cpanel.
Thanks for the information. I am kind of a noob here in web hosting elements. Currently I use this script to retrieve the files and upload them to the other server, but this only gets the latest modified files from the SSL/certs or SSL/keys folder, which leaves the possibility of getting mismatched files:
#!/bin/bash
# NOTE: the three variables below were not shown in the original post. They are
# reconstructed here from the description ("latest modified file in SSL/certs or
# SSL/keys") so that the script runs as posted; adjust the paths if yours differ.
DIR="$HOME/chr/lets_encrypt"
FILE_crt=$(ls -t "$HOME/ssl/certs"/*.crt 2>/dev/null | head -n 1)
FILE_key=$(ls -t "$HOME/ssl/keys"/*.key 2>/dev/null | head -n 1)

# Make sure the destination folder exists and is empty.
if [ -d "$DIR" ]; then
    echo "Directory EXISTS"
    if [ "$(ls -A "$DIR")" ]; then
        echo "Directory is NOT EMPTY. Cleaning Directory"
        rm -r "${DIR:?}"/*
        echo "Directory is NOW EMPTY"
    else
        echo "Directory is EMPTY"
    fi
else
    echo "Directory does NOT EXIST"
    mkdir -p "$DIR"
    echo "Directory has been CREATED"
fi

# Copy the newest certificate under a constant name.
if [ -z "$FILE_crt" ]; then
    echo "Latest CRT File Variable is EMPTY"
else
    echo "Latest CRT File: $FILE_crt"
    cp "$FILE_crt" "$DIR/skynode_link.crt"
    chmod 644 "$DIR/skynode_link.crt"
fi

# Copy the newest private key under a constant name.
if [ -z "$FILE_key" ]; then
    echo "Latest KEY File Variable is EMPTY"
else
    echo "Latest KEY File: $FILE_key"
    cp "$FILE_key" "$DIR/skynode_link.key"
    chmod 600 "$DIR/skynode_link.key"   # private key: owner-only, never world-readable
fi
Is there any way to get the exact crt and key file paths into the variables FILE_crt and FILE_key (in the above custom script) for the SSL which is currently installed or renewed?
Maybe try this instead of your shell script (configure the two variables at the top).
copy-wildcard.py:
#!/usr/bin/env python3
####
# Configure here
VHOST = 'my.cpanel.domain.example.org'
DESTINATION = '/home/user/mikrotik_upload'
####
import json
import os
import sys
from os.path import expanduser, join

# The Let's Encrypt cPanel plugin keeps a JSON copy of the certificates it manages here.
with open(join(expanduser('~'), '.cpanel', 'nvdata', 'letsencrypt-cpanel')) as file:
    nvdata = json.load(file)

if VHOST not in nvdata['certs']:
    print('No certificate data present for {}'.format(VHOST))
    sys.exit(1)

vhost_data = nvdata['certs'][VHOST]

# Write the private key to destination, created with owner-only permissions (0600)
key_path = join(DESTINATION, 'privkey.pem')
with os.fdopen(os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as f:
    f.write(vhost_data['key'])
print('Saved private key to {}'.format(DESTINATION))

# Write the certificate + cabundle to destination
with open(join(DESTINATION, 'fullchain.pem'), 'w') as f:
    f.write(vhost_data['cert'] + vhost_data['issuer'])
print('Saved certificate to {}'.format(DESTINATION))
$ chmod +x copy-wildcard.py
$ ./copy-wildcard.py
Saved private key to /home/user/mikrotik_upload
Saved certificate to /home/user/mikrotik_upload
$ ls /home/user/mikrotik_upload
fullchain.pem privkey.pem
BTW, I highly recommend not copying your private key into your web root. Quick road to compromise.
Thank you very much. I will change the store path to a root directory instead of a public path. One more thing: the saved chain and key are in PEM format. My external server can only read a .crt file (the certificate) and a .key file (the key for the certificate). It cannot decipher the PEM files.
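Two points in the thread are worth a worked example: the earlier shell script's risk of pairing a certificate with the wrong key when it picks the newest file from two separate folders, and the question of .pem versus .crt/.key. A .crt or .key file is the same Base64 PEM text that fullchain.pem and privkey.pem contain; only the file extension differs, and fullchain.pem is simply the leaf certificate followed by the issuer chain. The script below is an added example, not code from the thread or from the Let's Encrypt plugin. It assumes the openssl CLI is available in the cPanel shell; the destination folder and the "skynode" base name are placeholders. It compares the public key inside the certificate with the public key derived from the private key, splits a fullchain into leaf and chain, and only publishes the pair under the constant .crt/.key names when the two match, with the key written owner-only.

```shell
#!/bin/sh
# Added example: verify a cert/key pair before publishing it for the MikroTik.
# Assumes the openssl CLI is installed; paths and names below are placeholders.
set -eu

# SHA-256 of the public key embedded in a PEM certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a PEM private key (PKCS#8 or PKCS#1).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the certificate and private key belong together.
pair_matches() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Split fullchain.pem ($1) into the leaf certificate ($2) and the issuer chain ($3).
# The output files are plain PEM; naming them .crt changes nothing about the content.
split_fullchain() {
    awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { if (n == 1) print > leaf; else print > chain }
    ' "$1"
}

# Publish cert ($1) and key ($2) into dir ($3) as $4.crt / $4.key, refusing a
# mismatched pair. Files are written under a temporary name and renamed so the
# MikroTik never fetches a half-written file; the key is created owner-only.
deploy_pair() {
    if ! pair_matches "$1" "$2"; then
        echo "certificate and key do not match, refusing to deploy" >&2
        return 1
    fi
    ( umask 077
      cp "$1" "$3/$4.crt.tmp" && mv "$3/$4.crt.tmp" "$3/$4.crt"
      cp "$2" "$3/$4.key.tmp" && mv "$3/$4.key.tmp" "$3/$4.key" )
    chmod 644 "$3/$4.crt"
    chmod 600 "$3/$4.key"
}

# Usage from a cron job (placeholder paths; uncomment to run against real files):
# split_fullchain "$HOME/mikrotik_upload/fullchain.pem" "$HOME/chr/leaf.pem" "$HOME/chr/chain.pem"
# deploy_pair "$HOME/chr/leaf.pem" "$HOME/mikrotik_upload/privkey.pem" "$HOME/chr/lets_encrypt" skynode
```

If the MikroTik also needs the intermediate, import the chain file alongside skynode.crt; the fingerprint check only ever needs the leaf. Whether the destination is served over FTP or not, keeping the key at mode 600 and outside public_html is what limits who can read it.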
Thank you very much for the information. My oldest, i.e. the 1st out of all 5 certs, was issued on Monday… Also, is the 7-day rolling rate limit time sensitive?