Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NOT USED - USING Operating System
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Neil PANG ACME.sh version 2.8.7
My issue isn't running the renewal for the certs (that functions perfectly well), it's the actual cronning of the job on the particular platform / service.
The scenario is that in order to have the cert installed two things need to happen: the .cer needs renaming to .crt, the service gracefully stopped and the keys copied (renaming the extension) into a particular directory on the same server ... then the service restarted again. The service does not need to stop and start when using a browser to install the certificates. Not great for automation.
Current script I have is:
/Users/localname/.acme.sh/acme.sh --issue --dns dns_cf -d mail.example.com -d autodiscover.example.com
/usr/mailhost stop
cp /path/to/.acme.sh/mail.example.com.cer /usr/local/mailhost/ssl/mail.example.crt
cp /path/to/.acme.sh/mail.example.com.key /usr/local/mailhost/ssl/mail.example.key
/usr/mailhost start
I do this manually before renewal is due .....
How often could the cron run without tripping an "excessive call" condition ?
Or is there the same type of thing that can be done within acme more elegantly?
Because the setup really isn't checking if the cert has changed, it's just copying each time. I'd love to know a cleaner method that isn't a "whack a mole" setup.
acme.sh includes an --install-cert command which does pretty much this.
Have a look at this part of the acme.sh README. You will notice that it allows you to specify a destination path for the files and an optional hook to restart a nominated service.
--install-cert is the companion to --issue: you're meant to use them together. The --install-cert part will be invoked upon every certificate renewal.
Your acme.sh cronjob should be acme.sh --cron. If you look in crontab -l (at least, on Linux), it should already be there.
This command could run every minute and it would be safe. It will only actually renew certificates (and therefore the --install-cert) when they need to be renewed.
Thanks _az. I have the acme cron running (appears every 15 mins) but my own root cron is now set to run once a day for the whack-a-mole approach lol. The commands must be run as root on the mailserver so a local standard user cron won't cut it, and so I'm pinned in an ugly double cron setup.
...and, more relevantly, --reloadcmd. OP, it's simple: use the --install command, specify the desired paths for the cert files, and use --reloadcmd (whatever you'd use to restart the service).
There is something I found called "--renew-hook" in v 2.8.9. If I edit the existing crontab for .acme and replace it with my existing root crontab commands, would that work? As --reloadcmd does not work with my mailhost, it isn't apache or nginx...
Then you should say that in the form.
Saying "example.com" is very misleading, as with any real domain that you don't actually own.
And you would be surprised how many times that domain is actually used in a command line.
[and then they wonder why it doesn't work in their lab]
And you completely ignored or missed the bottom half of my post:
Keep in mind that you can't specify any command or script to --deploy-hook, the hook must exist and this hook must follow the acme.sh rules. There are a few ones inside deploy dir but most of them do nothing... yet.
In this case, as @_az suggested, I think the --install-cert approach is better: copy the certs to the right paths and launch the required commands using --reloadcmd.
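Putting the --install-cert suggestion from _az and sahsanu together with the paths the OP posted, here is an added example script (not the OP's script and not code shipped with acme.sh). It prints the one-time --install-cert registration and provides a wrapper for --reloadcmd that verifies the deployed key actually matches the deployed certificate, and that the key is not group- or world-readable, before doing the stop/start the OP's mail service needs. The ACME_HOME default, the RELOAD_SCRIPT location and the assumption that "/usr/mailhost stop" and "/usr/mailhost start" control the service are mine, not from the thread; openssl must be installed on the host.

```shell
#!/bin/sh
# Added example for this thread: not the OP's script and not part of
# acme.sh. It registers --install-cert with the OP's paths and provides
# a --reloadcmd wrapper that checks the deployed key before bouncing the
# service. Assumptions not taken from the thread: ACME_HOME, the
# RELOAD_SCRIPT path, "/usr/mailhost stop|start" as the service control,
# and that openssl is installed.

ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"
DOMAIN="mail.example.com"
SSL_DIR="/usr/local/mailhost/ssl"
MAILHOST_CTL="/usr/mailhost"
RELOAD_SCRIPT="/usr/local/sbin/mailhost-reload.sh"   # where this file is installed (assumption)

# Print the one-time --install-cert command. acme.sh stores these paths
# and the reload command in the domain's config and replays them after
# every real renewal made by its own "acme.sh --cron" entry, so the
# separate daily root cron the OP described is no longer needed.
build_install_cert_cmd() {
    printf '%s --install-cert -d %s --cert-file %s/%s.crt --key-file %s/%s.key --fullchain-file %s/fullchain.crt --reloadcmd "%s reload"\n' \
        "$ACME_HOME/acme.sh" "$DOMAIN" \
        "$SSL_DIR" "$DOMAIN" "$SSL_DIR" "$DOMAIN" "$SSL_DIR" \
        "$RELOAD_SCRIPT"
}

# Return 0 when the certificate's public key equals the public half of
# the private key, 1 otherwise. A half-copied or stale pair would
# otherwise only show up as a mail outage after the restart.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when neither group nor others can read the key file.
# find prints the path if either read bit is set; empty output means OK.
key_is_private() {
    [ -z "$(find "$1" -perm -040 -o -perm -004 2>/dev/null)" ]
}

# Entry point for --reloadcmd: verify, tighten permissions, then do the
# stop/start the OP's service requires. Returns 1 without touching the
# service when the pair does not match, so the old certificate stays live.
reload_mailhost() {
    crt="$SSL_DIR/$DOMAIN.crt"
    key="$SSL_DIR/$DOMAIN.key"
    if ! cert_matches_key "$crt" "$key"; then
        echo "mailhost-reload: $crt does not match $key; service left running" >&2
        return 1
    fi
    chmod 600 "$key"
    key_is_private "$key" || return 1
    "$MAILHOST_CTL" stop
    "$MAILHOST_CTL" start
}

# acme.sh runs "mailhost-reload.sh reload"; without the argument the file
# only defines its functions, so it can be sourced or inspected safely.
if [ "${1:-}" = "reload" ]; then
    reload_mailhost
fi
```

Run `sh mailhost-reload.sh` once to see the exact --install-cert line (via build_install_cert_cmd) and execute it as the same user that owns the acme.sh installation; from then on only the acme.sh --cron entry needs to exist, and the copy plus restart happens only on a real renewal.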
As stated in the subject, the issue stemmed from cron, not the cert or domain. I could have written idontownthisdomain.com but I think we're all adults here.
Thanks for the option of --deploy-hook.
You do realize that is also in a real domain name format - although the domain name appears to be unregistered (at the moment). [ domain name not relevant ]
Would have been more appropriate.
This has nothing to do with age.
But then it would be contradictory:
"I bought the domain: IdontOwnThisDomain.com So now I own it!"
But then wouldn't you have to change the name or wouldn't that be false advertisement?
LOL