I'm using this page as a guide:
https://medium.com/chris-opperwall/using-acme-client-for-letsencrypt-on-freebsd-db0ee643ef1f
I have some confusion between the files
/usr/local/etc/acme/acme-client.sh
and
/usr/local/etc/periodic/weekly/000.acme-client.sh
From the webpage:
The second is to add this script to the /usr/local/etc/periodic/weekly directory.
The Script
There is already a sample script included when you install this package added by the wonderful port maintainer. It works pretty well, but with the configuration we did with nginx and acme-client, we can forego some of the complexity.
Here's the script that I use:
#!/bin/sh -e
BASEDIR="/usr/local/etc/acme"
SSLDIR="/usr/local/etc/ssl/acme"
DOMAINSFILE="${BASEDIR}/domains.txt"
ACME_FLAGS="-v -e -m -b -n -N"
cat "${DOMAINSFILE}" | while read domain line ; do
    set +e # RC=2 when time to expire > 30 days
    acme-client ${ACME_FLAGS} ${domain} ${line}
    RC=$?
    set -e
    [ $RC -ne 0 -a $RC -ne 2 ] && exit $RC
done
However this script is basically
/usr/local/etc/acme/acme-client.sh
which is not
/usr/local/etc/periodic/weekly/
Then later in the webpage
The Weekly Run
It’s not too bad to run this manually every couple of weeks, but it’s better to let the machine do the work for you. This can be automated by adding a script to the /usr/local/etc/periodic/weekly. The maintainers have included another awesome sample file here called 000.acme-client.sh. You don’t actually need to edit anything in this file, it’s good as is.
Now running
/usr/local/etc/acme/acme-client.sh
acme-client: /usr/local/etc/acme/lazygranch.site/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/private/lazygranch.site/privkey.pem: domain key exists (not creating)
acme-client: adding SAN: www.lazygranch.site
acme-client: /usr/local/etc/ssl/acme/lazygranch.site/cert.pem: certificate valid: 86 days left
acme-client: /usr/local/etc/acme/mail.lazygranch.site/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/private/mail.lazygranch.site/privkey.pem: domain key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/mail.lazygranch.site/cert.pem: certificate valid: 86 days left
Looks ok since I had one successful run.
Now running
/usr/local/etc/periodic/weekly/000.acme-client.sh
with a few "echo" statements tossed in to track the flow:
#!/bin/sh
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
    echo "flag 1"
fi
PATH=$PATH:/usr/local/bin:/usr/local/sbin
export PATH
case "$weekly_acme_client_enable" in
    [Yy][Ee][Ss])
        echo "flag 2"
        echo
        echo "Checking Let's Encrypt certificate status:"
        if [ -x "$weekly_acme_client_renewscript" ] ; then
            $weekly_acme_client_renewscript
        else
            : ${weekly_acme_client_args:="-b"}
            echo "flag 3"
            if [ -z "$weekly_acme_client_domains" ] ; then
                echo "flag 4"
                weekly_acme_client_domains=$(hostname -f)
                echo "Using hostname: $weekly_acme_client_domains"
            fi
            if [ -n "$weekly_acme_client_challengedir" ] ; then
                echo "flag 5"
                weekly_acme_client_args="$weekly_acme_client_args -C $weekly_acme_client_challengedir"
            fi
            /usr/local/bin/acme-client $weekly_acme_client_args $weekly_acme_client_domains
        fi
        if [ -n "$weekly_acme_client_deployscript" ] ; then
            if [ -x "$weekly_acme_client_deployscript" ] ; then
                echo "Deploying Let's Encrypt certificates:"
                $weekly_acme_client_deployscript
            else
                echo 'Skipped, deploy script does not exist or is not executable'
            fi
        fi
        ;;
    *)
        ;;
esac
Results:
flag 1
flag 2
Checking Let's Encrypt certificate status:
flag 3
flag 4
Using hostname: peets
flag 5
acme-client: /usr/local/etc/ssl/acme/private/privkey.pem: -k file must exist
acme-client: /usr/local/etc/acme/privkey.pem: -f file must exist
Skipped, deploy script does not exist or is not executable
Seems to me that if
/usr/local/etc/acme/acme-client.sh
was placed in
/usr/local/etc/periodic/weekly/
it would do the trick.
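
The branch selection in the 000.acme-client.sh posted above, replayed as an added example (not part of the original post or of the port) so that each path can be checked without calling acme-client. The helper name acme_periodic_plan, the /path/to/challenges placeholder and the use of /bin/sh as a stand-in for an executable renew script are assumptions; the four arguments stand for the weekly_acme_client_* variables that the periodic script reads through source_periodic_confs.

```shell
#!/bin/sh
# Added example: mirrors the decisions made by 000.acme-client.sh as posted
# above and prints what the weekly job would execute. It never runs acme-client.
#
# usage: acme_periodic_plan ENABLE RENEWSCRIPT DOMAINS CHALLENGEDIR
#   ENABLE       -> weekly_acme_client_enable
#   RENEWSCRIPT  -> weekly_acme_client_renewscript
#   DOMAINS      -> weekly_acme_client_domains
#   CHALLENGEDIR -> weekly_acme_client_challengedir
acme_periodic_plan() {
    _enable=$1 _renew=$2 _domains=$3 _cdir=$4

    case "$_enable" in
    [Yy][Ee][Ss]) ;;
    *)  echo "disabled"; return 0 ;;
    esac

    if [ -x "$_renew" ]; then
        # Same test as the periodic script: the path must exist and be
        # executable, otherwise the job silently takes the else branch.
        echo "renewscript $_renew"
    else
        _args="-b"                      # default weekly_acme_client_args
        if [ -n "$_cdir" ]; then
            _args="$_args -C $_cdir"
        fi
        if [ -z "$_domains" ]; then
            # The periodic script substitutes $(hostname -f) here; a marker
            # is printed instead so the output is the same on every machine.
            _domains='<hostname -f>'
        fi
        echo "direct acme-client $_args $_domains"
    fi
}

# Constructed inputs.
# Case 1 matches the flags 3/4/5 run in the post: no renew script set,
# no domain list, a challenge directory set.
acme_periodic_plan YES "" "" /path/to/challenges

# Case 2: renew script variable points at an executable file
# (/bin/sh stands in for /usr/local/etc/acme/acme-client.sh).
acme_periodic_plan YES /bin/sh "" /path/to/challenges
```
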