acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Missing documentation for renew configuration #1473

Open bmaehr opened 6 years ago

bmaehr commented 6 years ago

Thank you for the great tool acme.sh.

I was first using certbot to issue certificates and found out that it has many security flaws (e.g. it needs access to private keys and modifies the web server) and is very hard to configure to one's own needs (e.g. where to write certs). I found out that acme.sh is much better.

But after switching to acme.sh I needed to configure the renewal of my already issued certificates. Unfortunately there was no information on how to do this. By doing some reverse engineering I was able to create a working configuration. I am just adding my script, which creates the configuration for one host, here; perhaps it is helpful for someone.

#!/bin/bash
## Abort on errors and on unset variables, so a missing host name
## does not create a directory and config named "".
set -eu

## Variable for the host (first argument)
HOST=${1:?usage: $0 <hostname>}

## Base directory of the acme.sh installation
ACME_HOME=/home/acme/.acme.sh

## Create acme.sh dir for this host
mkdir -p "${ACME_HOME}/${HOST}"

## Create link to the externally generated CSR
ln -s "/etc/ssl/generated/host/${HOST}.csr" "${ACME_HOME}/${HOST}/${HOST}.csr"

## Create acme.sh renewal config file (unquoted EOF so ${HOST} is expanded)
cat << EOF > "${ACME_HOME}/${HOST}/${HOST}.conf"
Le_Domain='${HOST}'
Le_Alt='no'
Le_Webroot='dns_nsupdate'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme-v01.api.letsencrypt.org/directory'
Le_Keylength=''
Le_CertCreateTime='1464704297'
Le_CertCreateTimeStr='Tue May 31 14:18:17 UTC 2016'
Le_NextRenewTimeStr='Tue May 31 14:18:17 UTC 2016'
Le_NextRenewTime='1464704297'
Le_LinkIssuer='https://acme-v01.api.letsencrypt.org/acme/issuer-cert'
Le_RealKeyPath=''
Le_RealCertPath='/etc/ssl/certs/${HOST}.crt'
Le_RealCACertPath='/etc/ssl/certs/letsencrypt.crt'
Le_RealFullChainPath='/etc/ssl/certs/${HOST}.withpath.crt'
Le_ReloadCmd=''

EOF

Additionally with the parameter DEFAULT_DNS_SLEEP you can decrease the waiting time of 120 s to 5 s.

FernandoMiguel commented 6 years ago

Don't link to the cert folder, as that is an internal path and might change in the future. Instead use either --installcert or the key path options.

DNS sleep depends a lot on the DNS provider. For instance, AWS Route 53 won't work with less than 60 seconds.

baoang commented 6 years ago

I guess this is asking how to import an already existing certificate into acme.sh and then let it take over the certificate renewal?

samurous commented 4 years ago

Documentation on how to edit existing configs is really something I miss.

E.g. I wanted to change the reload command, only to find out that it was replaced by a base64 encoded format (see #2444), which left me wondering if it is safe to just override it without breaking the renewal. 🤔
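Two points from this thread are worth showing in working code: the hand-written config above interpolates an unchecked host name into a file that acme.sh later reads as key='value' shell assignments, and the reload command is stored base64-wrapped, which makes hand edits error-prone. The following is an added example, not acme.sh's own code; it assumes the `__ACME_BASE64__START_` / `__ACME_BASE64__END_` marker format for base64-stored values and a POSIX `base64 -d`.

```shell
#!/bin/sh
# Added example (not part of acme.sh): validate a host name before writing it
# into a .conf, and read Le_* keys back without sourcing the file as shell.

# Accept only plain DNS host names: dot-separated labels of [a-z0-9-],
# no leading/trailing dash, alphabetic TLD. Anything else (quotes, spaces,
# shell metacharacters) is rejected before it reaches the config file.
is_valid_host() {
  printf '%s\n' "$1" |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Read one Le_* key from a conf file. Values are stored as key='value'.
# If the value is wrapped in the base64 markers (assumed marker format, see
# the #2444 discussion), decode it so the caller sees the plain command.
read_conf_key() { # file key
  _v=$(sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1)
  case "$_v" in
    __ACME_BASE64__START_*__ACME_BASE64__END_)
      _v=${_v#__ACME_BASE64__START_}
      _v=${_v%__ACME_BASE64__END_}
      _v=$(printf '%s' "$_v" | base64 -d) ;;
  esac
  printf '%s\n' "$_v"
}

# Write a minimal conf in the style of the issue, but only for a validated
# host; the unquoted heredoc expands $1 exactly like the original script.
write_conf() { # host outfile
  is_valid_host "$1" || return 1
  cat > "$2" <<EOF
Le_Domain='$1'
Le_Webroot='dns_nsupdate'
Le_RealCertPath='/etc/ssl/certs/$1.crt'
Le_ReloadCmd=''
EOF
}
```

Run `write_conf example.com /tmp/example.com.conf` and `read_conf_key /tmp/example.com.conf Le_ReloadCmd` to see the round trip; a host name containing a quote or space is refused before any file is touched.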