azukaar / Cosmos-Server

☁️ The Most Secure and Easy Selfhosted Home Server. Take control of your data and privacy without sacrificing security and stability (Authentication, anti-DDOS, anti-bot)
https://cosmos-cloud.io

[FEAT]: ZeroSSL Support #22

Closed ghost closed 1 year ago

ghost commented 1 year ago

Feature Description

Cosmos looks brilliant and I am looking forward to trying it with a view of implementing it permanently on my server, however I wanted to see whether there could be support implemented for ZeroSSL certificates as an alternative for LetsEncrypt.

If you’re using acme.sh, it should be possible to plug the EAB credentials in and use ZeroSSL quite easily. :)

Thanks!

azukaar commented 1 year ago

Cosmos is using an embedded Certbot which only supports LE. Any reasons you prefer not to use it?

scheibling commented 1 year ago

An option would probably be to use a more generalized ACME library like https://github.com/caddyserver/certmagic, or acme.sh

There are some reasons one would opt not to use Let's Encrypt. Personally I find them to be sufficient, but with something like the above you could use most ACME-compatible certificate issuers easily.

azukaar commented 1 year ago

That would be quite a significant change, and for now the benefit of having an alternative just for the sake of having an alternative is not quite enough to justify this much work. I am taking a note of it, and will consider it if it becomes more widely requested. Thanks for your contribution!

RedKage commented 10 months ago

I'm also looking for a ZeroSSL implementation. I started to play with Cosmos and I plan to migrate some of my servers to it. Though, I'm currently using acme.sh as well with ZeroSSL to generate ECDSA SSL certs. Using acme.sh would enable the users to use different signatures and ciphers.

But I think the real need may not be to implement acme.sh, but rather to have a way for us to use our "existing certs" and to import them in cosmos automatically. That way people could use whatever tools they like to generate certs.

I would keep using acme.sh with my cron job to generate a cert. But I need a way, after the cert has been generated, to import it to Cosmos. Maybe through some API, for instance. Or maybe by supplying filesystem paths to the public and private cert files, which Cosmos would import upon change. Maybe it's actually simpler.

I haven't looked deeper, I suspect it would currently be possible to access the Cosmos database and to inject the newly created certs directly maybe, but this feels hackish.

For now Let's Encrypt works fine for my use case. It's not a big deal.

azukaar commented 10 months ago

@RedKage If you have a cron job to generate a cert, you could use the same cron job to manually edit the config file (in /var/lib/cosmos/) and restart Cosmos. No need to edit the DB. This way you could effectively import your cert from whatever tool you are using to generate them.

RedKage commented 10 months ago

@RedKage If you have a cron job to generate a cert, you could use the same CRON job to manually edit the config file (in /var/lib/cosmos/) and restart Cosmos. No need to edit the DB. This way you could effectively import your cert from whatever tool you are using to generate them

It works great!

Here is a script I made:

#!/bin/bash
# Abort on any failure so a missing cert file or a failed openssl call
# never results in an empty value being written into the Cosmos config.
set -euo pipefail

scriptDir=$(dirname "$0")
pushd "$scriptDir" > /dev/null

public="$(cat /cert.cer)"
private="$(cat /cert.key)"
expiry="$(openssl x509 -noout -enddate -in /cert.cer)"

# Remove "notAfter=" from the expiry output
expiry=${expiry//notAfter=/}

# Convert to ISO 8601 with GNU date, e.g. 2024-05-01T12:00:00+00:00
expiry=$(date -u -Iseconds --date "$expiry")

# Replace the +00:00 offset with a nanosecond fraction and a Z suffix,
# which is the timestamp form the config file uses
expiry=${expiry/+00:00/.000000000Z}

# Update cosmos config: read the whole file first, since jq writes back to the same path
config=$(</var/lib/cosmos/cosmos.config.json)
jq --arg public "$public" --arg private "$private" --arg expiry "$expiry" \
        '.HTTPConfig.TLSCert = $public | .HTTPConfig.TLSKey = $private | .HTTPConfig.TLSValidUntil = $expiry' \
        <<< "$config" > /var/lib/cosmos/cosmos.config.json

# Restart Cosmos
docker restart cosmos-server

popd > /dev/null

azukaar commented 10 months ago

Great job! Make sure you set HTTPS mode to "Provided" too, so Cosmos does not try to renew it itself.
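The script above writes whatever it reads straight into the config, so a failed openssl call, a malformed PEM file or an already-expired certificate would be imported as-is and the restarted Cosmos would not come up with a working TLS listener. The following Python port of the import step is an added example, not code from the thread or from the Cosmos project: it checks the PEM block shape, refuses an expired certificate, produces the same `TLSValidUntil` format as the shell version without depending on GNU `date`, and replaces the config atomically while keeping its file mode (the file now holds the private key). The config path and the `HTTPConfig.TLSCert`/`TLSKey`/`TLSValidUntil` keys are taken from the script; everything else (function names, the placeholder PEM strings) is constructed.

```python
import json
import os
import re
import tempfile
from datetime import datetime, timezone

_CERT_RE = re.compile(r"^-----BEGIN CERTIFICATE-----\n.+\n-----END CERTIFICATE-----\n?$", re.S)
_KEY_RE = re.compile(r"^-----BEGIN (?:EC |RSA )?PRIVATE KEY-----\n.+\n-----END (?:EC |RSA )?PRIVATE KEY-----\n?$", re.S)

def parse_enddate(enddate: str) -> datetime:
    """Parse `openssl x509 -noout -enddate` output, e.g. 'notAfter=May  1 12:00:00 2024 GMT'."""
    value = enddate.strip().removeprefix("notAfter=")
    # strptime tolerates openssl's double space before single-digit days; %Z accepts GMT.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def format_cosmos(dt: datetime) -> str:
    """Same shape the shell script produces: RFC3339, nine-digit fraction, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S") + ".000000000Z"

def build_config(config: dict, cert_pem: str, key_pem: str, enddate: str, now=None) -> dict:
    """Copy `config` with HTTPConfig.TLSCert/TLSKey/TLSValidUntil replaced; reject bad input."""
    if not _CERT_RE.match(cert_pem):
        raise ValueError("certificate is not a PEM CERTIFICATE block")
    if not _KEY_RE.match(key_pem):
        raise ValueError("key is not a PEM PRIVATE KEY block")
    expiry = parse_enddate(enddate)
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError(f"certificate already expired at {expiry.isoformat()}")
    updated = json.loads(json.dumps(config))  # deep copy; leave the caller's dict alone
    http = updated.setdefault("HTTPConfig", {})
    http["TLSCert"], http["TLSKey"] = cert_pem, key_pem
    http["TLSValidUntil"] = format_cosmos(expiry)
    return updated

def write_config_atomic(path: str, config: dict) -> None:
    """Write beside `path`, keep its mode (the file now holds the private key), then rename over it."""
    mode = os.stat(path).st_mode & 0o777 if os.path.exists(path) else 0o600
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".cosmos.config.")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(config, fh, indent=2)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
if __name__ == "__main__":  # constructed placeholders, not real key material
    cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN EC PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END EC PRIVATE KEY-----\n"
    print(json.dumps(build_config({}, cert, key, "notAfter=May  1 12:00:00 2099 GMT"), indent=2))
```

In the cron job this replaces the `date`/`jq` steps: read the two PEM files and the openssl `-enddate` line, pass them through `build_config` with the current `/var/lib/cosmos/cosmos.config.json` contents, then `write_config_atomic` and `docker restart cosmos-server` as before.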