How to know auto renew by acme issued cert by two different server?

My domain is: marvelconnect.com

I ran this command:
export CF_Key=xxxxx
export CF_Email=wilsonkwok@marvelconnect.com

/root/.acme.sh/acme.sh --issue --force -d '*.marvelconnect.com' -d marvelconnect.com --dns dns_cf \
--cert-file /etc/pki/tls/certs/wildcard.marvelconnect.com.pem \
--key-file /etc/pki/tls/private/wildcard.marvelconnect.com.pem \
--fullchain-file /etc/pki/tls/certs/wildcard.marvelconnect.com-chain.pem \
--ca-file /etc/pki/tls/certs/wildcard.marvelconnect.com-ca.pem \
--reloadcmd "systemctl reload nginx"

It produced this output:

My web server is (include version): nginx version: nginx/1.16.1

The operating system my web server runs on is (include version): CentOS Linux release 7.5.1804 (Core)

My hosting provider, if applicable, is: pachosting

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): acme

Hello,

My question is, can I run the above acme command on two different servers, because I want to auto renew with the cronjob below:

22 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

For example, run the acme command on server A to generate the cert for my website's SSL, and then run the same command on server B to generate a cert to replace the same website's SSL. So which server will auto renew my cert?

Thanks

1 Like

Command:

There are two questions in your question.

  1. Can that command be successfully run by two separate systems? YES
    Because DNS authentication does not rely on a system IP address.
  2. Will the CRON job successfully renew the certs? IDK

NOTE: The use of --force in a script is very bad practice and should only be done once (for testing).
Please remove that from the command.

1 Like

Hello,

One is production and one is testing; both issued the same cert. If testing is shut down, the cert can still auto renew by DNS, right?

About the force command: because I can't issue the cert, I used that command.

Thanks

1 Like

DNS can always renew.
Remove the --force
You shouldn’t need it.

1 Like

Hello,

[Sun Apr 19 01:46:46 HKT 2020] Domains not changed.
[Sun Apr 19 01:46:46 HKT 2020] Skip, Next renewal time is: Wed Jun 17 17:44:24 UTC 2020
[Sun Apr 19 01:46:46 HKT 2020] Add '--force' to force to renew.

Why would you forcibly renew a cert that is not expired?
You will be forcibly issuing a new cert every time you check for renewals (once daily? twice daily?).
That is NOT how it is supposed to work.
It is supposed to check and check and check and only renew when it is close to expiring.

1 Like

Hello,

Sorry, I forgot to tell you I am issuing different pem and crt formats. What can I do? Thanks.

1 Like

You can script those file format/type changes within each renewal using a post validation hook.

1 Like
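One way to script the format conversion mentioned in the reply above, as an added example that is not part of the original thread or of acme.sh. It assumes "crt format" means a DER-encoded copy of the PEM certificate and takes both paths as arguments; it could be run after each renewal, for example through acme.sh's --renew-hook option.

```shell
#!/bin/sh
# Added example: convert a renewed PEM certificate to a DER-encoded .crt.
# Assumption: ".crt" here means DER; both paths are passed as arguments.

# Print the SHA-256 fingerprint of a certificate; $2 is PEM or DER.
cert_fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# pem_to_der SRC_PEM DST_DER
# Converts into a temp file next to the destination, checks that both
# encodings carry the same certificate, then renames into place so the
# web server never reads a half-written file.
pem_to_der() {
    src=$1 dst=$2
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    if openssl x509 -in "$src" -inform PEM -outform DER -out "$tmp" &&
       [ "$(cert_fp "$src" PEM)" = "$(cert_fp "$tmp" DER)" ]; then
        # Certificates are public, so world-readable is fine; keys are not.
        chmod 644 "$tmp" && mv -f "$tmp" "$dst"
    else
        rm -f "$tmp"
        echo "conversion failed, kept existing $dst" >&2
        return 1
    fi
}

# Run only when both paths are given, e.g. from a renewal hook.
if [ "$#" -eq 2 ]; then
    pem_to_der "$1" "$2"
fi
```

Saved under a path of your choosing, it would be called with the PEM path from the issue command above and the desired .crt path (a name not given in the thread) as its two arguments. A failed conversion leaves the previous .crt in place and returns non-zero, so the hook failure shows up in the acme.sh log.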
