Create multiple deploy destinations with acme.sh for Wildcard cert

Aloha,
I'm a newbie to Let's Encrypt and acme.sh.
I could successfully request a wildcard cert with the acme.sh script
and also deploy it to one Synology NAS with the Synology deploy hook.
But as it is a wildcard cert, I need to deploy it to multiple different services.
For example, I have 2 different Synology NAS (with different IPs/hostnames and credentials, of course), also a Linux host, a UniFi Controller and NGINX, to name some.

But I don't understand how I could request my cert from Let's Encrypt with acme.sh at a regular interval and then deploy it to the different services.

Sorry for my dumb question, but my googling so far didn't bring any light.

Thanks for any help!

Cheers
Marcel

1 Like

Hi @skynw, and welcome to the LE community forum!

Usually, the hardest part is getting the cert [especially wildcard certs].
If you've managed to do that, the rest should be much easier.

That said, you are talking about several different types of systems...

The first thing you need is: A plan.
That plan should detail what you have, what you need, and the steps you need to take to get what you need.

Here is my rough "10 step" sketch of such "a plan":

  • what you have: a wildcard cert
  • what you need: a centralized "cert management system" [so all devices obtain the same new cert]
  • steps to take:
  1. create script to copy newly obtained cert/key to a central repository
  2. create scripts for each device [type] to download the latest cert/key [from repository]
  3. automate scripts [via cron or systemd timers]
  4. test
  5. test
  6. test
  7. verify
  8. verify
  9. verify
  10. fix anything that fails to meet your needs [repeat/review all steps until there is nothing left to fix]

Cheers from Miami

2 Likes

Aloha
Thanks for your kind words.
You are right.
So I installed acme.sh.
I can do an issue with acme.sh to create my wildcard cert!
acme.sh --issue --dns dns_cf -d '*.schwarzwald.ua' --server letsencrypt

So that's good!

But, here comes the but: when I try to deploy to my first Synology NAS, I have some questions:

  1. Why is the file

~/mycerts/data/*.schwarzwald.ua_ecc/*.schwarzwald.ua.conf

Le_DeployHook='synology_dsm,'
SAVED_SYNO_Scheme='https'
SAVED_SYNO_Hostname='horst1.schwarzwald.ua'
SAVED_SYNO_Port='5001'
SAVED_SYNO_Username='user1'
SAVED_SYNO_Password='1234'
SAVED_SYNO_Device_Name='CertRenewal'
SAVED_SYNO_Device_ID='xyz'
SAVED_SYNO_Certificate=''

populated with config information from my deploy hook?

IMHO that doesn't make sense?
I would assume that in the domain config I would have the configuration for the device I want to deploy to?

So for the first run, I set all the needed environment variables for the Synology deployment and try to run it like this:

acme.sh --deploy --deploy-hook synology_dsm -d *.schwarzwald.ua --insecure --accountconf data/horst1/horst1.conf

I was assuming and hoping that the switch --accountconf would put all the needed data into a separate file.
Now, after my first successful deploy (thanks, by the way, to the developer of acme.sh), I have
all the deployment data in my certificate data file.
That doesn't sound right to me.

Thanks
Marcel

2 Likes

If no one here suggests something, you should try the GitHub for acme.sh.

1 Like

Oh, thanks good idea!

I also wrote there.
To summarise:

I need to run the same deploy hook for multiple destinations, but when I run it the second time, acme.sh deploys to the same destination as before.
When I run acme.sh to deploy my wildcard cert, the config data for my deployment is written into the domain config file,
which makes it impossible to run it against a different target.

Steps to reproduce

  1. This run works:
    acme.sh --deploy --deploy-hook synology_dsm -d *.schwarzwald.ua --accountconf data/horst1.conf
    But now the data from the Synology deploy hook is written into my domain config:

data/*.schwarzwald.ua_ecc/'*.schwarzwald.ua.conf'

So when I run the same deploy hook with a different accountconf, it fails:

acme.sh --deploy --deploy-hook synology_dsm -d *.schwarzwald.ua --accountconf data/horst2.conf

Only after I delete the deploy hook's config from the domain file does it work.

But then, of course, the data from the horst2.conf deploy hook is written into the domain file
*.schwarzwald.ua.conf

and the following run to another target fails again, until the data is deleted again.

Any idea, how to do this in a correct way?

Cheers
Marcel

To be fair, I don't understand all your twists and turns.

But, can't your deploy hook be "totalHook.sh" which has all the steps you need in the way you want them?

Then acme.sh runs that and your totalHook handles the rest. Copy the cert files, restart services, run remote programs, setup auth and whatever else you need.

Further, you generally renew certs with 30 days remaining before expiry. So, you don't need to do that in the deploy_hook although that is effective. You could just run some totalHook every day or maybe every week to copy the latest cert to where you need.

2 Likes
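A concrete version of the "totalHook.sh" idea in the reply above, and of the earlier "central cert, one script per device type, automated" plan: this is an added example written for this thread, not code from acme.sh or from anyone posting here. It is an ordinary acme.sh deploy hook, so acme.sh records it once and runs it after every renewal; the per-target settings (including the NAS password, which the posted .conf shows being saved in clear text as SAVED_SYNO_Password) live in separate 0600 env files, one per destination. The hook interface (a <name>_deploy function receiving domain, key, cert, ca and fullchain) and the bundled synology_dsm hook are acme.sh's own; the names multi_target, MULTI_TARGET_DIR, MULTI_TARGET_DRY_RUN, the *.env layout and the mt_* helpers are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: a custom deploy hook that fans one
# renewed cert out to several targets. acme.sh loads hooks from
# ~/.acme.sh/deploy/<name>.sh and calls <name>_deploy with
#   domain key cert ca fullchain
# on every --deploy and again on every renewal that has the hook saved.
# Assumptions (hypothetical names): one *.env file per target under
# $MULTI_TARGET_DIR, each defining TARGET_TYPE (local|ssh|synology) plus the
# variables that type needs. Helpers are mt_-prefixed so they cannot clobber
# acme.sh's own _-prefixed functions when acme.sh sources this file.

MULTI_TARGET_DIR="${MULTI_TARGET_DIR:-$HOME/.acme.sh/targets}"
MULTI_TARGET_DRY_RUN="${MULTI_TARGET_DRY_RUN:-0}"   # 1 = print instead of run

mt_run() {
  if [ "$MULTI_TARGET_DRY_RUN" = "1" ]; then echo "DRY: $*"; else "$@"; fi
}

# SHA-256 of a file; used to prove that what landed on a target is what was sent.
mt_sha() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# TARGET_TYPE=local: nginx/haproxy on this host. Uses DEST_DIR, optional RELOAD_CMD.
mt_deploy_local() {   # $1 key, $2 fullchain
  [ -n "$DEST_DIR" ] || { echo "DEST_DIR not set" >&2; return 1; }
  mkdir -p "$DEST_DIR" || return 1
  install -m 0600 "$1" "$DEST_DIR/privkey.pem" || return 1   # key is never world-readable
  install -m 0644 "$2" "$DEST_DIR/fullchain.pem" || return 1
  [ "$(mt_sha "$2")" = "$(mt_sha "$DEST_DIR/fullchain.pem")" ] || return 1
  [ -z "$RELOAD_CMD" ] || mt_run sh -c "$RELOAD_CMD"
}

# TARGET_TYPE=ssh: a Linux box or UniFi host reachable by key-based ssh.
# Uses SSH_HOST, SSH_DEST_DIR, optional RELOAD_CMD (run on the remote side).
mt_deploy_ssh() {     # $1 key, $2 fullchain
  mt_run scp -q "$1" "$SSH_HOST:$SSH_DEST_DIR/privkey.pem" || return 1
  mt_run scp -q "$2" "$SSH_HOST:$SSH_DEST_DIR/fullchain.pem" || return 1
  if [ "$MULTI_TARGET_DRY_RUN" != "1" ]; then
    # compare the remote hash with the local one before reloading anything
    _remote=$(ssh "$SSH_HOST" sha256sum "$SSH_DEST_DIR/fullchain.pem" | cut -d' ' -f1)
    [ "$_remote" = "$(mt_sha "$2")" ] || return 1
  fi
  [ -z "$RELOAD_CMD" ] || mt_run ssh "$SSH_HOST" "$RELOAD_CMD"
}

# TARGET_TYPE=synology: reuse acme.sh's bundled synology_dsm hook with this
# target's SYNO_* variables exported in the current subshell only. Assumption:
# the bundled hook takes SYNO_* from the environment in preference to the
# SAVED_SYNO_* copy in the domain .conf, so each NAS gets its own host and login.
mt_deploy_synology() {   # $1 domain $2 key $3 cert $4 ca $5 fullchain
  if [ "$MULTI_TARGET_DRY_RUN" = "1" ]; then echo "DRY: synology_dsm_deploy $1 -> $SYNO_Hostname"; return 0; fi
  . "${LE_WORKING_DIR:-$HOME/.acme.sh}/deploy/synology_dsm.sh" || return 1
  synology_dsm_deploy "$@"
}

multi_target_deploy() {
  _cdomain="$1" _ckey="$2" _ccert="$3" _cca="$4" _cfullchain="$5"
  _failed=0
  for _env in "$MULTI_TARGET_DIR"/*.env; do
    [ -f "$_env" ] || continue
    # One subshell per target: its variables and credentials die with it,
    # and a failure on one target does not stop the others.
    if ! (
      set -a; . "$_env"; set +a
      case "$TARGET_TYPE" in
        local)    mt_deploy_local "$_ckey" "$_cfullchain" ;;
        ssh)      mt_deploy_ssh "$_ckey" "$_cfullchain" ;;
        synology) mt_deploy_synology "$_cdomain" "$_ckey" "$_ccert" "$_cca" "$_cfullchain" ;;
        *)        echo "unknown TARGET_TYPE in $_env" >&2; exit 1 ;;
      esac
    ); then
      echo "deploy failed for $_env" >&2
      _failed=$((_failed + 1))
    fi
  done
  return "$_failed"   # non-zero makes acme.sh report the deploy as failed
}
```

Save it as ~/.acme.sh/deploy/multi_target.sh, create one env file per destination under ~/.acme.sh/targets/ with mode 0600 (for a NAS: TARGET_TYPE=synology plus the SYNO_Hostname, SYNO_Username, SYNO_Password and related variables the bundled hook already takes; for a Linux box: TARGET_TYPE=ssh with SSH_HOST and SSH_DEST_DIR; for nginx on the acme.sh host itself: TARGET_TYPE=local with DEST_DIR and a RELOAD_CMD), then register it once with acme.sh --deploy -d '*.schwarzwald.ua' --ecc --deploy-hook multi_target (the _ecc directory in the posted path means the cert is ECC, so --ecc is needed). acme.sh saves multi_target in the domain .conf and runs it after each renewal, which is the same schedule the reply above describes. MULTI_TARGET_DRY_RUN=1 shows what would be executed without touching anything. Because every target runs in its own subshell with its own env file, the bundled Synology hook is called with one set of SYNO_* values per NAS; if, as assumed above, environment values take precedence, whatever the hook later saves into the domain .conf no longer matters. The hash comparison before any reload means a half-copied file is never loaded by a service.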

Ah,
sorry for my stupid explanation.

As acme.sh already exists and has deploy hooks for various platforms available, I was hoping to just use acme.sh for renewing the cert and also for deploying it.

1 Like

Ah, I see. You know, all the deploy scripts are in the github. And, note nginx and apache are just stubs that don't do anything. At least these would give you a start on customizing your own "everything" deploy if you have to go that route.

2 Likes
