Date: Thu, 18 Jan 2018 19:06:29 -0500
From: David Mehler <dave.mehler@gmail.com>
To: Peter Boosten <peter@boosten.org>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: acme-client and multiple domains periodic renewal
Message-ID: <CAPORhP4ks3+nnovsLo7EmjE0Sxq7s21zr6ciP4aYGUwWCMb2xg@mail.gmail.com>
In-Reply-To: <E4D62E34-A9DD-4242-AB0B-575BB199782D@boosten.org>
References: <CAPORhP4HzZedjTKq0bcUUTT+xUSPeEcR=h7-OfdjO84JRBChTg@mail.gmail.com> <21941967-64AB-4585-8F16-1323CF080E54@boosten.org> <CAPORhP5pgd+RL8v6SZ8YxQ9=qZ0F242y_OQ_LRxmHJpVcGyweA@mail.gmail.com> <E4D62E34-A9DD-4242-AB0B-575BB199782D@boosten.org>
Hello,

Thanks. I'm getting closer; by that I mean I've got the certificates renewed. Whether they will auto-renew I'll find out in three months. Below is my renewing script, my deployment script (which just restarts Apache, since the certificates are in the same place), and my periodic.conf file. If anyone sees anything wrong please let me know; I'd like this to renew automatically 3 months down the road.

To Peter, and maybe this should go off-list: could you send me a complete virtual host definition, sanitized of name? It seems like we're doing the same thing, but your setup is working, mine isn't, and I'm wondering if I'm overdoing something. I'd appreciate it.

Thanks.
Dave.

# periodic.conf definition
weekly_acme_client_enable="YES"
# Specify the renew script to run
weekly_acme_client_renewscript="/usr/local/etc/acme/renewcerts"
# Specify the deploy script to run
weekly_acme_client_deployscript="/usr/local/etc/acme/deploycerts"

renewcerts:

#!/bin/sh -e

BASEDIR="/usr/local/etc/acme"
SSLDIR="/usr/local/etc/ssl/acme"
DOMAINSFILE="${BASEDIR}/domains.txt"
ACME_FLAGS="-v -b -e -C /usr/local/www/.well-known -m -O -n -N"

# One certificate per line of domains.txt: "domain altname ..."
while read -r domain line ; do
  set +e # RC=2 when time to expire > 30 days
  acme-client ${ACME_FLAGS} ${domain} ${line}
  RC=$?
  set -e
  # Status 2 only means the certificate is not due yet; any other
  # non-zero status is a real error and stops the run.
  if [ "$RC" -ne 0 ] && [ "$RC" -ne 2 ]; then
    exit "$RC"
  fi
done < "${DOMAINSFILE}"

deploycerts:

#!/bin/sh
set -e
service apache24 reload

On 1/18/18, Peter Boosten <peter@boosten.org> wrote:
> Hi David,
>
> I’ve defined the acme alias for every virtual host:
>
> <VirtualHost something>
>
>     Alias /.well-known/acme-challenge "/usr/local/www/acme/"
>
>     SSLCertificateFile …
>
>     SSLEngine on
>     <IfModule mod_rewrite.c>
>         RewriteEngine on
>         RewriteCond %{HTTPS} !=on
>         # REQUEST_URI already starts with "/", so no extra slash after the host
>         RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
>     </IfModule>
>
>     <Directory "/usr/local/www/acme/">
>         Options None
>         AllowOverride None
>         ForceType text/plain
>         Require all granted
>     </Directory>
>
> </VirtualHost>
>
> The main difference between your and my configuration is the Alias. It took
> me a while to get this right.
>
> /usr/local/etc/acme/acme-client.sh holds this:
>
> BASEDIR="/usr/local/etc/acme"
> SSLDIR="/usr/local/etc/ssl/acme"
> DOMAINSFILE="${BASEDIR}/domains.txt"
> CHALLENGEDIR="/usr/local/www/acme"
>
> and domains.txt:
>
> domain.one www.domain.one sub.domain.one sub2.domain.one
>
> I did some troubleshooting by running the acme-client (in /usr/local/bin)
> manually (don’t forget the -s, or else you will be blocked for some time).
>
> Peter