acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Currently using certbot in production would like to use acme.sh #1573

Open pnelsonsr opened 6 years ago

pnelsonsr commented 6 years ago

Currently using certbot in production and this works, but the process is manual. Have researched acme.sh and it seems to be what we need for a gandi liveDNS API approach. I've got acme.sh installed from a git clone and I have my gandi LiveDNS API key. So I am ready to go. I just have a few questions before going forward as this would be for production and I'm just being cautious.

  1. If I --test this out will it mess with my current certbot environment? I'd like to test it first just to make sure the API works correctly.
  2. I still have 70 days left on my production certbot certs, so (if --test is successful) can I do the acme.sh pull now or should I wait?
  3. I'd be running the acme.sh on a different server than the one hosting my SaaS, is this a problem or is there anything else I should be considering?
MAGICCC commented 6 years ago

1.) No, you won't mess up anything, except you hit the ratelimit with LE when you do too many tests with the API, but then you won't get new certs and your old ones will still work.
2.) Since you will get new certs you can still use your old ones with certbot or change to the new ones.
3.) You should use acme.sh --install-cert to install the certs somewhere (which is just copying it to another location) and then either use some deploy script or your webserver config reads the certs from said folder.

pnelsonsr commented 6 years ago

@MAGICCC thanks. How do you control the location of the --install-cert option?

MAGICCC commented 6 years ago

Since I use acme.sh on my webserver I use the following command line:

mkdir -p /root/acme-certs/example.org && acme.sh --install-cert -d example.org --key-file /root/acme-certs/example.org/privkey.pem --fullchain-file /root/acme-certs/example.org/fullchain.pem --ca-file /root/acme-certs/example.org/chain.pem --reloadcmd "service nginx force-reload"

After the first successful certificate request it will create a config with the paths.

pnelsonsr commented 6 years ago

OK I think I'm ready to try this out. Although I'm going to use dns-api with acme.sh do you see anything else I would include? I have acme.sh installed and ready. I didn't install the cron job yet. But here is what I was planning on doing:

export GANDI_LIVEDNS_KEY="<api key here>"
acme.sh --issue --standalone --dns dns_gandi_livedns -d aa.example.com -d bb.example.com --test

then...

export CERTDIR="<path>/example.com"
acme.sh --install-cert -d aa.example.com -d bb.example.com --cert-file ${CERTDIR}/cert.pem --key-file ${CERTDIR}/privkey.pem --fullchain-file ${CERTDIR}/fullchain.pem --ca-file ${CERTDIR}/chain.pem
pnelsonsr commented 6 years ago

Ok that didn't work as I didn't understand the --standalone option and the -d options. What did work was:

export GANDI_LIVEDNS_KEY="<api key here>"
acme.sh --issue --dns dns_gandi_livedns -d example.com -d aa.example.com -d bb.example.com -d cc.example.com -d dd.example.com --test

I was wondering if I should do a wildcard cert instead like: acme.sh --issue --dns dns_gandi_livedns -d example.com -d *.example.com --test

pnelsonsr commented 6 years ago

I went with the wildcard. It worked flawlessly across all 8 services! Nice!

export GANDI_LIVEDNS_KEY="<api key here>"
acme.sh --issue --dns dns_gandi_livedns -d example.com -d *.example.com --test

and then did an install (which I'm going to automate further later as there are different types of services that the cert needs installation into):

export CERTSDIR="<path>"
acme.sh --install-cert -d example.com -d *.example.com --cert-file ${CERTSDIR}/cert.pem --key-file ${CERTSDIR}/privkey.pem --fullchain-file ${CERTSDIR}/fullchain.pem --ca-file ${CERTSDIR}/chain.pem 

So pretty happy with the new process. It will be interesting when it comes time to renew.
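The install step above copies four files into one directory and then a service reloads from there. As an added example (not code from the acme.sh project or from anyone in this thread), the script below prepares that directory owner-only, checks what `--install-cert` left behind (all four files present, `fullchain.pem` really holds more than one certificate, `privkey.pem` readable by its owner only) and reloads the service only when the check passes. The file names follow the commands posted in the thread; the `install` / `verify-and-reload` subcommands, the function names and the use of the script as its own `--reloadcmd` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the acme.sh project or from this thread.
# Prepares a directory for `acme.sh --install-cert`, verifies what was
# copied there, and only then reloads the service. File names follow
# the thread's commands; everything else is an assumption.
set -u

# Create the install directory owner-only. The umask change lives in a
# subshell so it does not leak into the caller.
prepare_cert_dir() {
    ( umask 077 && mkdir -p "$1" ) || return 1
    chmod 700 "$1"
}

# Octal permission bits of a path; tries GNU stat first, then BSD stat.
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%OLp' "$1" 2>/dev/null) || return 1
    printf '%s\n' "$m"
}

# Checks worth running before a service picks the files up: all four
# files present and non-empty, the full chain is really a chain (leaf
# plus at least one intermediate), and the key is owner-readable only.
verify_installed_cert() {
    dir=$1
    for f in cert.pem privkey.pem fullchain.pem chain.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    n=$(grep -c 'BEGIN CERTIFICATE' "$dir/fullchain.pem" || true)
    [ "$n" -ge 2 ] || { echo "fullchain.pem holds $n certificate(s), expected leaf + intermediate" >&2; return 1; }
    mode=$(file_mode "$dir/privkey.pem") || return 1
    case $mode in
        600|400) ;;
        *) echo "privkey.pem mode $mode is too permissive (want 600)" >&2; return 1 ;;
    esac
}

# Verify first, reload second, so a half-copied key never reaches a
# live service. Handed to acme.sh as --reloadcmd, the same check then
# runs on every renewal, not only on the first install.
verify_and_reload() {
    verify_installed_cert "$1" || return 1
    sh -c "$2"
}

# One-time setup, mirroring the thread's commands (needs acme.sh in PATH).
install_cert() {
    domain=$1 dir=$2 reload=$3
    prepare_cert_dir "$dir" || return 1
    acme.sh --install-cert -d "$domain" \
        --cert-file "$dir/cert.pem" --key-file "$dir/privkey.pem" \
        --fullchain-file "$dir/fullchain.pem" --ca-file "$dir/chain.pem" \
        --reloadcmd "sh $0 verify-and-reload '$dir' '$reload'"
}

# Subcommand dispatch, so the script can serve as its own --reloadcmd.
case ${1-} in
    install)           install_cert "$2" "$3" "$4" ;;
    verify-and-reload) verify_and_reload "$2" "$3" ;;
esac
```

Usage, assuming the script is saved as /root/cert-install.sh: `sh /root/cert-install.sh install example.org /root/acme-certs/example.org "service nginx force-reload"`. Because acme.sh stores the `--reloadcmd` in the domain config, every later renewal runs `verify-and-reload` before nginx is touched.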

FernandoMiguel commented 6 years ago

keep in mind the cert you issued is a staging cert, not a production one. you need to run

export GANDI_LIVEDNS_KEY="<api key here>"
acme.sh --issue --dns dns_gandi_livedns -d example.com -d *.example.com --force

to issue a production cert

pnelsonsr commented 6 years ago

@FernandoMiguel Thanks! Yes, I was aware of the staging cert. Over the weekend I installed the production certs and everything is working. The dns_api thing is really cool. I had to get rid of the --test and add the --force.

MAGICCC commented 6 years ago

To be honest, don't use --force when you plan to use a cronjob. You will run into rate limits pretty fast when you request a new cert every day!

FernandoMiguel commented 6 years ago

The --force here was just to force replace the staging with prod cert ofc. Hope that was clear

tehfink commented 6 years ago

Edit: the problem below was due to not being the acme user. To fix on FreeBSD, first switch users, e.g.: su - acme.

export GANDI_LIVEDNS_KEY=""
acme.sh --issue --dns dns_gandi_livedns -d example.com -d *.example.com --test

@pnelsonsr Thanks for the info. Which version of acme.sh did you use? I've installed the FreeBSD pkg, which reports version v2.7.8, but receive an error that the api hook for dns_gandi_livedns can't be found:

# export GANDI_Email="xxxx@sss.com"
# export GANDI_LIVEDNS_KEY="…"
# acme.sh --issue --staging --dns dns_gandi_livedns -d example.com --test
[Mon Jul 30 10:10:28 UTC 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Mon Jul 30 10:10:30 UTC 2018] Registering account
[Mon Jul 30 10:10:32 UTC 2018] Registered
[Mon Jul 30 10:10:32 UTC 2018] ACCOUNT_THUMBPRINT='…'
[Mon Jul 30 10:10:32 UTC 2018] Single domain='example.com'
[Mon Jul 30 10:10:32 UTC 2018] Getting domain auth token for each domain
[Mon Jul 30 10:10:32 UTC 2018] Getting webroot for domain='example.com'
[Mon Jul 30 10:10:32 UTC 2018] Getting new-authz for domain='example.com'
[Mon Jul 30 10:10:33 UTC 2018] The new-authz request is ok.
[Mon Jul 30 10:10:33 UTC 2018] Can not find dns api hook for: dns_gandi_livedns
[Mon Jul 30 10:10:33 UTC 2018] You need to add the txt record manually.
[Mon Jul 30 10:10:33 UTC 2018] Add the following TXT record:
[Mon Jul 30 10:10:33 UTC 2018] Domain: '_acme-challenge.example.com'
[Mon Jul 30 10:10:33 UTC 2018] TXT value: '-…'
[Mon Jul 30 10:10:33 UTC 2018] Please be aware that you prepend _acme-challenge. before your domain
[Mon Jul 30 10:10:33 UTC 2018] so the resulting subdomain will be: _acme-challenge.example.com
[Mon Jul 30 10:10:33 UTC 2018] Please add the TXT records to the domains, and re-run with --renew.
[Mon Jul 30 10:10:33 UTC 2018] Please add '--debug' or '--log' to check more details.
[Mon Jul 30 10:10:33 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
# ls -l /var/db/acme/.acme.sh/dnsapi/dns_gandi_livedns.sh 
-r-xr-xr-x  1 root  wheel  2915 Mar 29 13:39 /var/db/acme/.acme.sh/dnsapi/dns_gandi_livedns.sh
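The post above shows the cause of "Can not find dns api hook": the hook file is present on disk, but acme.sh looks for it under the acme.sh home of the user actually running the command, and under another user's home it is invisible. As an added example (not part of the thread and not acme.sh's own code), the script below reproduces that lookup from the log and the acme.sh home in question, so the three cases (hook not installed, hook file present but not a usable hook, hook present for the current user so the failing run used a different user or home) can be told apart. The default home `~/.acme.sh`, the FreeBSD package path `/var/db/acme/.acme.sh` and the `dns_gandi_livedns` hook name come from the thread; the function names and the output tokens are assumptions. The `<hook>_add` function test relies on acme.sh's dnsapi convention that each hook script defines `dns_<name>_add`.

```shell
#!/bin/sh
# Added example, not part of the thread or of acme.sh itself. Reproduces
# the check behind "Can not find dns api hook": acme.sh looks for
# dnsapi/<hook>.sh under the acme.sh home of the user running it. The
# default home (~/.acme.sh) and the FreeBSD package path
# (/var/db/acme/.acme.sh) are from the thread; the rest is assumed.
set -u

# Print the hook path if the current user can read it and it defines the
# <hook>_add function acme.sh calls. Returns 1 if missing or unreadable,
# 2 if the file exists but is not a usable hook.
find_dns_hook() {
    hook=$1 home=${2:-$HOME/.acme.sh}
    path=$home/dnsapi/$hook.sh
    [ -r "$path" ] || return 1
    grep -q "^${hook}_add()" "$path" || return 2
    printf '%s\n' "$path"
}

# Classify a failed run from its log against a given acme.sh home.
# Prints exactly one token:
#   hook-ok             the log shows no hook problem
#   hook-missing        no readable hook under this home for this user
#   hook-unusable       the file is there but defines no <hook>_add
#   other-user-or-home  this user can use the hook here, so the failing
#                       run used a different user or --home (the case
#                       in the thread: fix by running as the acme user)
diagnose_hook_failure() {
    log=$1 home=$2
    hook=$(sed -n 's/.*Can not find dns api hook for: *\([A-Za-z0-9_]*\).*/\1/p' "$log" | head -n 1)
    if [ -z "$hook" ]; then
        echo hook-ok
        return 0
    fi
    # AND-OR list keeps a non-zero return from aborting under `set -e`.
    find_dns_hook "$hook" "$home" >/dev/null && rc=0 || rc=$?
    case $rc in
        0) echo other-user-or-home ;;
        2) echo hook-unusable ;;
        *) echo hook-missing ;;
    esac
}

# Typical use on the FreeBSD host from the thread, after saving a run
# with `acme.sh ... --log /tmp/acme-run.log`:
#   diagnose_hook_failure /tmp/acme-run.log /var/db/acme/.acme.sh
```

If the result is `other-user-or-home`, the hook is fine and the command simply has to be run as the user that owns that home (`su - acme` on the FreeBSD package), which is the fix the poster found.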
gitbobo commented 6 years ago

3.) You should use acme.sh --install-cert to install the certs somewhere (which is just copying it to another location)

@MAGICCC, --install-cert cannot be used for a wildcard cert like *.domain.com. And --install-cert can only copy the cert to one location.

MAGICCC commented 6 years ago

I am sure you can use --install-cert "*.example.org" and about the other problem https://github.com/Neilpang/acme.sh/issues/1901

gitbobo commented 6 years ago

@MAGICCC, only *.example.org can't cover example.org.
`~/.acme.sh/acme.sh --install-cert -d *.example.com -d example.com --dns ` is not supported now.

MAGICCC commented 6 years ago

I used example.org as base domain and *.example.org as altname so I can use:

acme.sh --install-cert /root/foo -d example.org --key-file /root/acme-certs/example.org/privkey.pem --fullchain-file /root/acme-certs/example.org/fullchain.pem --ca-file /root/acme-certs/example.org/chain.pem

Also without logs nobody can help