How to add a domain to an existing set of certs using acme.sh?

Progress!
find / -name certs
gives
~/ssl/certs

OK what all is in that folder?

A whole lot of certs going way back.

Sounds like globally trusted certs - not certs issued locally
Do you recognize any of the file names as being domains served locally?

Also, try sorting the list by date (with -t)

I recognize all the names – all are (or were) domains / subdomains used on this hosting provider / account
None are 3rd party come-with type certs.

OK HOPE !

Are the file types readable?
cat {some of the filenames}

Do they start with something like?:
-----BEGIN CERTIFICATE-----
or
-----BEGIN PRIVATE KEY-----

[.pem format]

There are two file types only:
.crt
.cache
They are all readable

Do the .crt files include both sections?:

-----BEGIN CERTIFICATE-----
gibberish
gibberish
gibberish
-----END CERTIFICATE-----

AND

-----BEGIN PRIVATE KEY-----
gibberish
gibberish
gibberish
-----END PRIVATE KEY-----

OR
Only one of the sections?

[simple YES or NO will do - don’t post any of the file contents here]

They are all certificate-only files.
There’s another folder that contains the keys.
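
The check discussed above (does each file hold a certificate, a private key, or both?) can be answered without displaying any file contents. The script below is an added example, not part of the original thread; `pem_sections` and `scan_dir` are hypothetical helper names, and the sample files and the `example.test` domain are constructed.

```shell
#!/bin/sh
# Added example: classify PEM files by the block types they contain,
# without ever printing the file contents.

# pem_sections FILE -> prints one of: cert+key, cert, key, none
pem_sections() {
    has_cert=no
    has_key=no
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && has_cert=yes
    # Also matches the "RSA", "EC" and "ENCRYPTED" PRIVATE KEY headers.
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" && has_key=yes
    case "$has_cert/$has_key" in
        yes/yes) echo "cert+key" ;;
        yes/no)  echo "cert" ;;
        no/yes)  echo "key" ;;
        *)       echo "none" ;;
    esac
}

# scan_dir DIR -> one "TYPE<TAB>FILENAME" line per regular file in DIR
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(pem_sections "$f")" "${f##*/}"
    done
}

# Constructed sample files (placeholder bodies, not real certs or keys).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
    '-----END CERTIFICATE-----' > "$demo/example.test.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' \
    '-----END PRIVATE KEY-----' > "$demo/example.test.key"
cat "$demo/example.test.crt" "$demo/example.test.key" > "$demo/combined.pem"
printf 'not pem\n' > "$demo/example.test.cache"

# On a real account, point this at ~/ssl/certs instead of the demo folder.
scan_dir "$demo"
```

The output lists only a type and a file name per line, so it is safe to paste into a public thread.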

You probably only need to copy the corresponding files from the acme.sh folder to these two folders.
To make them available to cPanel.

Your “how to doc” is missing a page - LOL

Or there is a missing cron job (not yet shown)…

Try:
for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l; done

[which will show all the cron jobs for all the users - run as root]

If you feel like posting the relevant output, you can remove all the lines that start with “no crontab for” and also change the names to protect the innocent/and guilty too

> You probably only need to copy the corresponding files from the acme.sh

Well, that didn’t do it so far.

cPanel doesn’t use the certs directly from the acme.sh folder

I’m seeing certs from today in ~/ssl sub-directories.
It seems acme.sh does generate the certs and puts them into the appropriate sub-directories of ~/ssl/

> Or there is a missing cron job (not yet shown)…

Just the one, listed a bunch of times (listed a bunch of times as a result of the for / do loop)

Then that modified output directory would have to have been declared when the cert was requested (and issued).

Let me ask the obvious questions:

  1. Are there any other admins that may have worked on this “cert integration” procedure?
  2. Do you have any notes on “how to” issue a new cert in that system?
  3. Can you search the root (user) history for clues…?
    history | grep acme | grep issue

So multiple individual users are running that same cron job?
[that seems repetitively redundant]

  • There are no other admins
  • How to notes: Yes. A history of them going back to certbot. It seems to evolve every 3 months as I update the certs. Never nailed it down. The closest I ever got was after switching to acme.sh and turning on the cron job and praying it would just work.
  • Can’t search root. It’s a shared hosting account.

Then you are at the mercy of the admin and the panel.

The cron job seems to only renew the certs (and maybe update acme.sh - itself).
How your certs in the default acme.sh folders ever got into cPanel is still a mystery.
I’m starting to think they never did.

Most likely: Someone / somewhere created a script to issue certs for that entire system and import them into cPanel.
[completely outside your control]

> I’m starting to think they never did.

They did. The dates of the files in the ~/ssl folder are the giveaway.
AND the renewal process via cron job did work.

> Someone / somewhere created a script to issue certs for that entire system and import them into cPanel

I don’t think so.

Riddle me this, Batman:

The first name on the list “born2.run” also shows a cert that you did not issue:

Your cert shows:
born2.run
Wed Sep 16 23:57:51 UTC 2020
Sun Nov 15 23:57:51 UTC 2020