FreeBSD acme-client.sh versus 000.acme-client.sh

I’m using this page as a guide:
https://medium.com/chris-opperwall/using-acme-client-for-letsencrypt-on-freebsd-db0ee643ef1f

I have some confusion between the files
/usr/local/etc/acme/acme-client.sh
and
/usr/local/etc/periodic/weekly/000.acme-client.sh

From the webpage:

The second is to add this script to the /usr/local/etc/periodic/weekly directory.
The Script
There is already a sample script included when you install this package added by the wonderful port maintainer. It works pretty well, but with the configuration we did with nginx and acme-client, we can forego some of the complexity.
Here's the script that I use:
#!/bin/sh -e
BASEDIR="/usr/local/etc/acme"
SSLDIR="/usr/local/etc/ssl/acme"
DOMAINSFILE="${BASEDIR}/domains.txt"
ACME_FLAGS="-v -e -m -b -n -N"
# one domain per line of domains.txt, optionally followed by its SANs
cat "${DOMAINSFILE}" | while read domain line ; do
    set +e # RC=2 when time to expire > 30 days
    acme-client ${ACME_FLAGS} ${domain} ${line}
    RC=$?
    set -e
    [ $RC -ne 0 -a $RC -ne 2 ] && exit $RC
done

However, this script is basically
/usr/local/etc/acme/acme-client.sh
which is not in
/usr/local/etc/periodic/weekly/

Then later in the webpage

The Weekly Run
It’s not too bad to run this manually every couple of weeks, but it’s better to let the machine do the work for you. This can be automated by adding a script to the /usr/local/etc/periodic/weekly. The maintainers have included another awesome sample file here called 000.acme-client.sh. You don’t actually need to edit anything in this file, it’s good as is.

Now running
/usr/local/etc/acme/acme-client.sh

acme-client: /usr/local/etc/acme/lazygranch.site/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/private/lazygranch.site/privkey.pem: domain key exists (not creating)
acme-client: adding SAN: www.lazygranch.site
acme-client: /usr/local/etc/ssl/acme/lazygranch.site/cert.pem: certificate valid: 86 days left
acme-client: /usr/local/etc/acme/mail.lazygranch.site/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/private/mail.lazygranch.site/privkey.pem: domain key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/mail.lazygranch.site/cert.pem: certificate valid: 86 days left

Looks OK, since I had one successful run.

Now running
/usr/local/etc/periodic/weekly/000.acme-client.sh
with a few “echo” statements tossed in to track the flow:

#!/bin/sh

if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
    echo "flag 1"
fi

PATH=$PATH:/usr/local/bin:/usr/local/sbin
export PATH

case "$weekly_acme_client_enable" in
    [Yy][Ee][Ss])
        echo "flag 2"
        echo
        echo "Checking Let's Encrypt certificate status:"

        if [ -x "$weekly_acme_client_renewscript" ] ; then
                $weekly_acme_client_renewscript
        else
                : ${weekly_acme_client_args:="-b"}
                echo "flag 3"
                if [ -z "$weekly_acme_client_domains" ] ; then
                        echo "flag 4"
                        weekly_acme_client_domains=$(hostname -f)
                        echo "Using hostname: $weekly_acme_client_domains"
                fi
                if [ -n "$weekly_acme_client_challengedir" ] ; then
                        echo "flag 5"
                        weekly_acme_client_args="$weekly_acme_client_args -C $weekly_acme_client_challengedir"
                fi
                /usr/local/bin/acme-client $weekly_acme_client_args $weekly_acme_client_domains
        fi

        if [ -n "$weekly_acme_client_deployscript" ] ; then
                if [ -x "$weekly_acme_client_deployscript" ] ; then
                        echo "Deploying Let's Encrypt certificates:"
                        $weekly_acme_client_deployscript
                else
                        echo 'Skipped, deploy script does not exist or is not executable'
                fi
        fi
        ;;
    *)
        ;;
esac

Results:

flag 1
flag 2

Checking Let's Encrypt certificate status:
flag 3
flag 4
Using hostname: peets
flag 5
acme-client: /usr/local/etc/ssl/acme/private/privkey.pem: -k file must exist
acme-client: /usr/local/etc/acme/privkey.pem: -f file must exist
Skipped, deploy script does not exist or is not executable

Seems to me that if
/usr/local/etc/acme/acme-client.sh
was placed in
/usr/local/etc/periodic/weekly/
it would do the trick.
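A preflight check, added here and not part of the port or the linked article, that sources a periodic.conf fragment and reports which branch 000.acme-client.sh will take: the renew script if weekly_acme_client_renewscript is executable, otherwise a direct acme-client call that needs the keys to exist already, and a failure when no domains are set (the hostname fallback that produced the "-k file must exist" run above). The acme and ssl directories are parameters so it can be run against a test tree; it assumes the default key paths seen in the output above (flat without -m, per-domain with -m).

```shell
#!/bin/sh
# Constructed preflight for the weekly_acme_client_* knobs that
# 000.acme-client.sh reads from /etc/periodic.conf (not the port's code).
# Prints which path the weekly job would take; returns 1 when the job
# would end in "-k file must exist" or be skipped. Key locations follow
# the defaults visible in this thread: $acmedir/privkey.pem (account key)
# and $ssldir/private/privkey.pem (domain key), with the first domain
# appended to both directories when -m is among the args.
acme_periodic_preflight() {
    conf="$1"
    acmedir="${2:-/usr/local/etc/acme}"
    ssldir="${3:-/usr/local/etc/ssl/acme}"
    # Start from a clean slate, as a fresh periodic(8) run would.
    unset weekly_acme_client_enable weekly_acme_client_renewscript \
          weekly_acme_client_domains weekly_acme_client_args
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    . "$conf"
    case "$weekly_acme_client_enable" in
        [Yy][Ee][Ss]) ;;
        *) echo "weekly_acme_client_enable is not YES: job is skipped"; return 1 ;;
    esac
    # Path 1: a renew script (e.g. /usr/local/etc/acme/acme-client.sh) takes over.
    if [ -n "$weekly_acme_client_renewscript" ]; then
        [ -x "$weekly_acme_client_renewscript" ] &&
            { echo "ok: runs $weekly_acme_client_renewscript"; return 0; }
        echo "renewscript is not executable: $weekly_acme_client_renewscript"
        return 1
    fi
    # Path 2: acme-client is called directly. Without -n/-N it will not
    # create keys, so the account and domain keys must already exist.
    if [ -z "$weekly_acme_client_domains" ]; then
        echo "no domains set: script would fall back to hostname -f"
        return 1
    fi
    args="${weekly_acme_client_args:--b}"
    first=$(set -- $weekly_acme_client_domains; echo "$1")
    sub=""
    case " $args " in *" -m "*) sub="/$first" ;; esac   # only a separate -m is detected
    for key in "$acmedir$sub/privkey.pem" "$ssldir/private$sub/privkey.pem"; do
        [ -f "$key" ] || { echo "missing key: $key"; return 1; }
    done
    echo "ok: runs acme-client $args $weekly_acme_client_domains"
}
```

Run it as `acme_periodic_preflight /etc/periodic.conf` before enabling the weekly job; a non-zero exit means periodic would report the same errors as the run above.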

See the FreeBSD plugin: https://www.freshports.org/security/acme.sh

I got a message in my email from Seth Schoen which didn’t show up here. He said daily requests are suggested.

How does this sound? Since /usr/local/etc/acme/acme-client.sh seems to do the job, why not just make that a daily cron job and call it a day. That is, skip the weekly 000.acme script.

Less is more.

My reply was in a different thread on this forum, but it’s public:

Before this expires, are you OK with the daily cron on the /usr/local/etc/acme/acme-client.sh. It seems to work, but I haven't reached renewal yet which is the acid test.
