alxwolf / ubios-cert

Manage SSL / TLS certificates with acme.sh (Let's Encrypt, ZeroSSL) for Ubiquiti UbiOS firmwares
MIT License

How to update acme.sh #16

Closed tackynugget closed 2 years ago

tackynugget commented 2 years ago

Hi, I noticed there is a new version of the acme.sh script (3.0.2) and was wondering whether/how this implementation might accommodate updates to the acme.sh script.

I have acme.sh deployed on another platform and I can see the script file there, but I could not find the acme.sh script via the find command (find / -name acme.sh) or in the directory on the UDM.

# ls -la /mnt/data/ubios-cert/acme.sh/
total 28
drwx------    4 nobody   nogroup       4096 Jan 15 06:00 .
drwxrwxrwx    4 root     root          4096 Dec 19 15:44 ..
-rw-------    1 root     root           338 Jan 15 06:00 account.conf
-rw-r--r--    1 root     root          1246 Jan 15 06:00 acme.sh.log
drwxr-xr-x    3 root     root          4096 Dec 19 15:45 ca
-rw-r--r--    1 root     root           490 Jan  9 06:00 http.header
drwxr-xr-x    2 root     root          4096 Dec 26 06:00 subdomain.domain.tld

I noticed ubios-cert.sh uses podman to load the "neilpang/acme.sh" image, but I wasn't sure how it obtains the image. I'm new to all of this and was wondering if adding something like podman pull neilpang/acme.sh:latest somewhere at launch could ensure the latest version was automatically loaded.

alxwolf commented 2 years ago

Hi @OverengineeredNetwork,

You cannot find the acme.sh command on UDM Pro as it is transient (for lack of a better word for that) with the podman container.

Each time the script uses the acme.sh command, it will start the podman container and in this container, the acme.sh command exists.

The standard run command is:

podman run --env-file=/mnt/data/ubios-cert/ubios-cert.env -it --net=host --rm -v /mnt/data/ubios-cert/acme.sh:/acme.sh neilpang/acme.sh

When done, the container will be deleted again (parameter --rm), but the image will remain.

One can start a shell in the container by adding the sh command to the podman run command and then check what's in the container and run the acme.sh command directly without starting / stopping the container.

podman run --env-file=/mnt/data/ubios-cert/ubios-cert.env -it --net=host --rm -v /mnt/data/ubios-cert/acme.sh:/acme.sh neilpang/acme.sh sh

Once in the shell, one can check the version of acme.sh:

[UDM] root@udm-pro:/mnt/data/ubios-cert/acme.sh# podman run --env-file=/mnt/data/ubios-cert/ubios-cert.env -it --net=host --rm -v /mnt/data/ubios-cert/acme.sh:/acme.sh neilpang/acme.sh sh
/ # ls
acme.sh  bin  dev  entry.sh  etc  home  lib  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
/ # acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.2
/ # 

On the topic of updates you're right: the very first call of podman will pull the most recent docker image from the repository - with "most recent" meaning "current at this point in time". podman pull neilpang/acme.sh:latest would manually ensure you have the latest container on your UDM Pro.

The podman man page states: "If an image tag is not specified, podman pull defaults to the image with the latest tag (if it exists) and pulls it."

So whenever Neil decides to put the latest tag on a release, podman will fetch it, when run by the script - no need to manually make sure it is pulled.

This is seen when intentionally pulling an old version (like 3.0.0) and then calling the script. It will first pull the "latest" tagged version and then run.

[UDM] root@udm-pro:/mnt/data/ubios-cert/acme.sh# docker pull neilpang/acme.sh:3.0.0
Trying to pull docker.io/neilpang/acme.sh:3.0.0...
Getting image source signatures
Copying blob d2f70382dc9a done
Copying blob c7bc18c2edb0 done
Copying blob c94e29794c12 done
Copying blob 63c046bf2486 done
Copying blob 93fb9f1f1079 done
Copying blob 03d9b9d729ef done
Copying blob e749c1bf7815 done
Copying config f07cc2e500 done
Writing manifest to image destination
Storing signatures
f07cc2e500fa88382dfdcf4edb28ebdf503730757c235e34246f7f1ce60335ae

[UDM] root@udm-pro:/mnt/data/ubios-cert/acme.sh# ../ubios-cert.sh renew
Attempting certificate renewal
Removed old logfile
Trying to pull docker.io/neilpang/acme.sh...
Getting image source signatures
Copying blob 250732641fb2 done
Copying blob 9b3977197b4f done
Copying blob 386752482d90 done
Copying blob e490edf96252 done
Copying blob 826cda1d18f1 done
Copying blob 55d683a9fbdc done
Copying blob 043930617f8a done
Copying config a01b581157 done
Writing manifest to image destination
Storing signatures
[Sat Jan 15 20:42:42 UTC 2022] Renew: 'mydomain.tld'
[Sat Jan 15 20:42:42 UTC 2022] Skip, Next renewal time is: Thu Mar 1 14:09:49 UTC 2022
[Sat Jan 15 20:42:42 UTC 2022] Add '--force' to force to renew.
[UDM] root@udm-pro:/mnt/data/ubios-cert/acme.sh# 

Regards Alex
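As an added example (not code from the ubios-cert project or from the thread), a small POSIX sh wrapper that runs acme.sh from a pinned image tag rather than the floating latest tag and checks the acme.sh version that is actually inside that image. The env file and volume paths are the ones from the thread; the pinned tag value and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of ubios-cert: run acme.sh from a pinned image tag instead of
# the floating "latest" tag, and verify the acme.sh version actually inside that image.
# Assumptions: podman is on PATH; env file and volume paths are those from the thread;
# PINNED_TAG is a release you have reviewed (3.0.2 is the version seen in the thread).
ENV_FILE=/mnt/data/ubios-cert/ubios-cert.env
ACME_HOME=/mnt/data/ubios-cert/acme.sh
IMAGE_REPO=docker.io/neilpang/acme.sh
PINNED_TAG=${PINNED_TAG:-3.0.2}

# Strip a leading "v" so "v3.0.2" and "3.0.2" compare equal.
norm_version() { printf '%s\n' "$1" | sed 's/^v//'; }

# Return 0 if dotted version $1 >= $2 (numeric per field, so 3.0.10 > 3.0.9).
version_ge() {
  a=$(norm_version "$1"); b=$(norm_version "$2")
  [ "$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$a" ]
}

# `acme.sh --version` prints the project URL first and "vX.Y.Z" on the next line;
# pull out just X.Y.Z.
parse_acme_version() { printf '%s\n' "$1" | sed -n 's/^v\([0-9][0-9.]*\).*/\1/p' | head -n1; }

# Same invocation as in the thread, but with an explicit tag and without -it so it
# also works non-interactively (e.g. from cron). "$@" are passed on to acme.sh.
run_acme() {
  podman run --env-file="$ENV_FILE" --net=host --rm \
    -v "$ACME_HOME:/acme.sh" "$IMAGE_REPO:$PINNED_TAG" "$@"
}

# Return 0 if the pinned image really contains acme.sh >= PINNED_TAG.
check_running_version() {
  out=$(run_acme --version)
  v=$(parse_acme_version "$out")
  [ -n "$v" ] && version_ge "$v" "$PINNED_TAG"
}

case "${1:-}" in
  check) check_running_version && echo "acme.sh in $IMAGE_REPO:$PINNED_TAG is >= $PINNED_TAG" ;;
  run)   shift; run_acme "$@" ;;
esac
```

Invoke as `sh pin-acme.sh check` to verify the image, or `sh pin-acme.sh run --renew -d subdomain.domain.tld` to pass arguments through to acme.sh in the pinned image.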

tackynugget commented 2 years ago

Thanks for the explanation!

I was wondering if that was the case.

So, if I'm following, every time your script runs, it calls acme.sh via a container which already pulls the latest version of acme.sh?

alxwolf commented 2 years ago

Yes, that's my understanding... "latest" tag is checked on every run and pulled when updated by the maintainer (Neil Pang).