Deploying certs

I'm using acme.sh and I'm trying to figure out the best way to install certs into a location other than /root/.acme.sh upon issue AND renewal. I'm trying to use the --renew-hook when using --issue, but it doesn't seem to get executed until the renew:

/root/.acme.sh/acme.sh --issue --dns dns_pdns -d bobtest01.internaldomain.com --dns dns_pdns -d bobtest02.internaldomain.com --dns dns_pdns -d bobtest03.internaldomain.com --dnssleep 10 --renew-hook "/root/.acme.sh/acme.sh --install-cert -d bobtest01.zooxlabs.com --cert-file /etc/ssl/certs/bobtest01.internaldomain.com.pem --key-file /etc/ssl/certs/bobtest01.internaldomain.com.key"

When the above command is executed, the cert is issued but left in /root/.acme.sh, and only when it is renewed via the crontab ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh") will it execute the --renew-hook that is stored in the cert conf file as Le_RenewHook.

I was expecting --renew-hook to run after issue & renew based on this post:

...but I have to assume that has changed based on what I'm seeing.

What is the best way to install certs on issue and renew? I'm hoping to be able to execute a single command to set this in motion. TIA

BTW, I'm using an internal CA, so I'm not using real domains in my example.

Someone here may offer help, but since you are using an internal CA and the acme.sh client, I am not sure this Let's Encrypt forum is the best place.

Neil, the acme.sh author, sometimes posts here, but you would likely get a faster response by posting an issue on the acme.sh GitHub.


@robotchicken Are you running acme.sh as a standalone script, or is it part of an appliance package? @Neilpang may be willing to help. He is the author of acme.sh (as @MikeMcQ has pointed out)... It has worked for me most of the time.

Also, you may want to run a post-script to scp the cert to a folder on the server of your choice. I found this especially valuable over time for processing certs. It can also be used to create a backup for you in case you need it in the future.


Please use the --post-hook instead. It will run every time you "issue" or "renew" a cert.

The "--renew-hook" only runs after a "renew".

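As an added example (not code from the thread or from the acme.sh project), here is the kind of script the --post-hook in the reply above could call, so that a single --issue command both obtains the cert and installs it, and the same hook fires again on every renewal. It assumes acme.sh's default per-domain layout under /root/.acme.sh (fullchain.cer and <domain>.key, RSA certs; ECC certs live in a <domain>_ecc directory instead), and the hook path /usr/local/sbin/deploy-cert.sh is a hypothetical name. One caveat it handles: acme.sh's own help describes --post-hook as running after every attempt whether or not it succeeded, so the script only swaps files and reloads the service when the source cert actually changed, and it writes to temporary files and renames them so a reloading service never reads a half-written key.

```shell
#!/bin/sh
# deploy-cert.sh: example acme.sh --post-hook that copies an issued cert out of
# the acme.sh home directory into /etc/ssl and reloads a service.
# Usage: deploy-cert.sh <domain> [acme_home] [dest_dir] [reload_cmd]
# Hook the script in at issue time (assumed path; adjust to taste):
#   acme.sh --issue --dns dns_pdns -d bobtest01.internaldomain.com \
#     --post-hook "/usr/local/sbin/deploy-cert.sh bobtest01.internaldomain.com"
# The same --post-hook is stored in the cert conf and runs again on renewal.

set -eu
umask 077   # temp copies start out owner-only; explicit chmod below relaxes the cert

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

deploy_cert() {
  domain=$1
  acme_home=${2:-/root/.acme.sh}
  dest=${3:-/etc/ssl/certs}
  reload_cmd=${4:-:}          # e.g. "systemctl reload nginx"; ':' is a no-op

  src="$acme_home/$domain"    # default acme.sh layout for RSA certs
  src_pem="$src/fullchain.cer"
  src_key="$src/$domain.key"
  [ -f "$src_pem" ] || { echo "deploy-cert: missing $src_pem" >&2; return 1; }
  [ -f "$src_key" ] || { echo "deploy-cert: missing $src_key" >&2; return 1; }

  dst_pem="$dest/$domain.pem"
  dst_key="$dest/$domain.key"

  # --post-hook also fires after a failed attempt: if the installed cert is
  # already byte-identical to the source there is nothing new to deploy.
  if [ -f "$dst_pem" ] && cmp -s "$src_pem" "$dst_pem" && cmp -s "$src_key" "$dst_key"; then
    echo "deploy-cert: $domain unchanged, nothing to do"
    return 0
  fi

  mkdir -p "$dest"
  tmp_pem="$dest/.$domain.pem.tmp"
  tmp_key="$dest/.$domain.key.tmp"
  cp "$src_pem" "$tmp_pem"
  cp "$src_key" "$tmp_key"
  chmod 0644 "$tmp_pem"       # chain is public
  chmod 0600 "$tmp_key"       # private key stays owner-only
  # Atomic renames: a service reloading mid-copy sees old or new, never partial.
  mv -f "$tmp_pem" "$dst_pem"
  mv -f "$tmp_key" "$dst_key"

  # Reload only after both files are in place.
  sh -c "$reload_cmd"
  echo "deploy-cert: installed $domain into $dest"
}

# Run as a hook when given arguments; sourcing the file just defines the functions.
if [ -n "${1:-}" ]; then
  deploy_cert "$@"
fi
```

The reload command is passed as a plain string and run with sh -c, so anything you would type at the prompt (systemctl reload haproxy, an scp to another host as the reply above suggests) works unchanged; keep the domain argument in sync with the -d you issued, since the script derives the source paths from it.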
