How to add a domain to an existing set of certs using acme.sh?

Every minute?

This job runs every minute?:

I don’t see how that could do anything to copy/import new certs to cPanel.

Double checking. That does seem crazy. Must be every day…

…Once per day. Confirmed.


Well, it wasn’t my idea, and now that you mention it, the last time and perhaps every time, when it comes time for it to do its thing, there’s some reason why it doesn’t achieve it, and I end up doing an acme.sh --renew-all

The closest thing I can find is:

/root/.acme.sh/acme.sh --deploy
Usage: acme.sh --deploy --domain <domain.tld> --deploy-hook <hookname> [--ecc]

But that would require you to have created the “hook” and called acme.sh with the --deploy parameter [somewhere in a cron job or systemd timer]

That doesn’t explain HOW cPanel gets the new certs [if from acme.sh].

Here’s the acme.sh file renamed acme.txt for the upload.


That seems default version 2.8.6.
And contains:

#domain hooks
deploy() {
  _d="$1"
  _hooks="$2"
  _isEcc="$3"
  if [ -z "$_hooks" ]; then
    _usage "Usage: $PROJECT_ENTRY --deploy -d domain.com --deploy-hook cpanel [--ecc] "
    return 1
  fi
  # ...rest of deploy() omitted from the quoted excerpt
}

Which may be the HOW to get this done.

I have version 2.8.8 and it doesn’t contain that section 🙁

This is just wild guessing here but how about trying:
./acme.sh --renew-all --deploy-hook cpanel
[naturally that would have to need to renew - wait for next renewal time]

OK then let’s speed things up a bit… (forcefully to just one domain):
./acme.sh --renew born2.run --deploy-hook cpanel -f


Curious – before doing that – should it not be --renew trillionpictures.com?

Any domain will do (for this test) - use that one instead then.

Please show the output of:
grep -ERi 'posthook|renewhook' ~/.acme.sh/

First of all, apologies for the delay. But IT WORKED!!!

so…

This is just wild guessing here but how about trying:

Seems like informed-intuition to me.

Stand by for grep

OMG ! ! !
You can’t update that acme.sh client [keep a copy of the file somewhere else - as a backup]

_savedomainconf "Le_PostHook" "$_post_hook" "base64"

_savedomainconf "Le_RenewHook" "$_renew_hook" "base64"

Le_PostHook="$(_readdomainconf Le_PostHook)"

Le_RenewHook="$(_readdomainconf Le_RenewHook)"

issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias"

Well grep is empty 🙁
But the other seems promising…
Can you see the newly reissued cert in cPanel?

You can’t update that acme.sh client [keep a copy of the file somewhere else - as a backup]

Done! I save these pages as well.

So what does --deploy-hook cpanel -f do?
Presumably there’s something baked into the acme.sh library that knows how to talk sweetly to cpanel?

--deploy-hook cpanel
Seems to tell acme.sh to look for cPanel and integrate this cert there.
[only on deployment - which means renewals in this case]

-f is just a “force” to renew the cert even though it isn’t yet due for renewal
[don’t add that -f to any script]
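An added example, not from this thread or the acme.sh project: a small POSIX shell audit that reads an acme.sh per-domain conf file (`~/.acme.sh/<domain>/<domain>.conf`, one `Key='value'` per line) and reports whether a deploy hook is recorded for that domain and whether the daily cron run would renew it now, so you can check that renewals will push the cert to cPanel without forcing one with -f. The conf keys `Le_DeployHook` and `Le_NextRenewTime` and the single-quoted layout are assumptions about acme.sh's conf format; the sample conf is constructed.

```shell
#!/bin/sh
# Added example: audit an acme.sh domain conf for a recorded deploy hook.
# Assumed conf layout: one Key='value' per line, e.g. Le_DeployHook='cpanel,'

# Print the value of KEY from an acme.sh conf FILE (empty if absent).
acme_conf_get() {
  file="$1"; key="$2"
  sed -n "s/^${key}='\(.*\)'\$/\1/p" "$file" | head -n 1
}

# Print the deploy hooks recorded for the domain (trailing comma stripped),
# or "none" when a renewal would not run any deploy hook.
acme_deploy_hooks() {
  hooks=$(acme_conf_get "$1" Le_DeployHook | sed 's/,*$//')
  [ -n "$hooks" ] && printf '%s\n' "$hooks" || printf 'none\n'
}

# Return 0 if the recorded next-renewal time (epoch seconds) is in the past,
# i.e. the daily cron run would renew this cert now; 1 otherwise.
acme_renewal_due() {
  next=$(acme_conf_get "$1" Le_NextRenewTime)
  [ -n "$next" ] && [ "$next" -le "$(date +%s)" ]
}

# Constructed sample conf: a domain whose cert is overdue for renewal
# and whose renewals are set to deploy to cPanel.
make_sample_conf() {
  cat > "$1" <<'EOF'
Le_Domain='example.test'
Le_Webroot='/home/user/public_html'
Le_DeployHook='cpanel,'
Le_NextRenewTime='1600000000'
EOF
}

# Human-readable summary for one conf file.
acme_audit() {
  printf '%s: deploy hook=%s, ' "$(acme_conf_get "$1" Le_Domain)" "$(acme_deploy_hooks "$1")"
  if acme_renewal_due "$1"; then echo "renewal due now"; else echo "not yet due"; fi
}
```

Run `acme_audit ~/.acme.sh/yourdomain/yourdomain.conf` for each domain; a result of `deploy hook=none` means the cron renewal will not touch cPanel.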

Can you see the newly reissued cert in cPanel?

Yes, absolutely.
To be clear, though, you could always “see” the problem domain (starsandstrife.com) in cPanel (under “Manage Installed SSL Websites” > FQDNs (there’s a long list). In that list was the problem domain.

But below in cPanel where you “Browse Certificates” and choose the main domain and then “Autofill by Domain” – that was the moment of failure: the “problem domain” didn’t appear, and indeed when going to that domain in a web browser the certificate failed.

That’s what your “guess” (i.e. ./acme.sh --renew [main.domain] --deploy-hook cpanel -f) fixed

Genius, batman. You deserve a cape.


Seems to tell acme.sh to look for cPanel and integrate this cert there.
[only on deployment - which means renewals in this case]

Also, it would seem for the cron job to work it would need to be updated to match your command, minus the -f

In any event, running acme.sh, if this finally works reliably every three months, is easy enough, I don’t need a cron for it.

No, I don’t think so.

Retry the last grep search again.

The last riddle unfolds itself…