From owner-freebsd-questions@freebsd.org Fri Jan 19 00:06:31 2018
From: David Mehler
Date: Thu, 18 Jan 2018 19:06:29 -0500
Subject: Re: acme-client and multiple domains periodic renewal
To: Peter Boosten
Cc: freebsd-questions
References: <21941967-64AB-4585-8F16-1323CF080E54@boosten.org>
List-Id: User questions (freebsd-questions@freebsd.org)

Hello,

Thanks. I'm getting closer; by that I mean I've got the certificates renewed. Whether they will auto-renew I'll find out in three months. Below is my renewing script, my deployment script, which just restarts Apache since the certificates are in the same place, and my periodic.conf file. If anyone sees anything wrong please let me know; I'd like for this to renew automatically three months down the road.

To Peter, and maybe this should go off-list: could you send me a complete virtual host definition, sanitized of names? It seems like we're doing the same thing, but your setup is working and mine isn't, and I'm wondering if I'm overdoing something. I'd appreciate it.

Thanks.
Dave.
periodic.conf:

# periodic.conf definition
weekly_acme_client_enable="YES"
# Specify the renew script to run
weekly_acme_client_renewscript="/usr/local/etc/acme/renewcerts"
# Specify the deploy script to run
weekly_acme_client_deployscript="/usr/local/etc/acme/deploycerts"

renewcerts:

#!/bin/sh -e
BASEDIR="/usr/local/etc/acme"
SSLDIR="/usr/local/etc/ssl/acme"	# not referenced by the flags below
DOMAINSFILE="${BASEDIR}/domains.txt"
# -C is the directory acme-client writes each challenge token into; the web
# server must serve that directory as /.well-known/acme-challenge/
ACME_FLAGS="-v -b -e -C /usr/local/www/.well-known -m -O -n -N"

# one line per certificate: primary name followed by its alternative names
while read domain line ; do
	set +e
	# RC=2 when time to expire > 30 days (nothing to do); any other
	# non-zero status is a real error
	acme-client ${ACME_FLAGS} ${domain} ${line}
	RC=$?
	set -e
	# Use if/then here, not "[ ... ] && exit $RC": with the && form the
	# test's status 1 becomes the loop's, and so the script's, exit status
	# whenever the last domain succeeded, and the weekly run reports a
	# failure on success.
	if [ $RC -ne 0 ] && [ $RC -ne 2 ]; then
		exit $RC
	fi
done < "${DOMAINSFILE}"

deploycerts:

#!/bin/sh
set -e
# certificates are renewed in place, so a graceful reload is enough
service apache24 reload

On 1/18/18, Peter Boosten wrote:
> Hi David,
>
> I've defined the acme alias for every virtual host:
>
>
> Alias /.well-known/acme-challenge "/usr/local/www/acme/"
>
> SSLCertificateFile …
>
> SSLEngine on
>
> RewriteEngine on
> RewriteCond %{HTTPS} !=on
> RewriteRule .* https://%{HTTP_HOST}/%{REQUEST_URI} [R=301,L,QSA]
>
>
> Options None
> AllowOverride None
> ForceType text/plain
> Require all granted
>
>
> The main difference between your and my configuration is the Alias. It took
> me a while to get this right.
>
> /usr/local/etc/acme/acme-client.sh holds this:
>
> BASEDIR="/usr/local/etc/acme"
> SSLDIR="/usr/local/etc/ssl/acme"
> DOMAINSFILE="${BASEDIR}/domains.txt"
> CHALLENGEDIR="/usr/local/www/acme"
>
> and
> domains.txt:
>
> domain.one www.domain.one sub.domain.one sub2.domain.one
>
> I did some troubleshooting by running the acme-client (in /usr/local/bin)
> manually (don't forget the -s, or else you will be blocked for some time).
>
> Peter
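The two things this thread turns on are whether the challenge directory given to acme-client with -C is the directory Apache serves at /.well-known/acme-challenge/ (Peter's Alias point; acme-client writes each token straight into the -C directory, so with Dave's -C /usr/local/www/.well-known the Alias would have to point at that directory) and whether the weekly run is actually renewing anything, which Dave says he will only learn in three months. The pre-flight script below is an added example for this thread, not code from the FreeBSD port or from either poster. It tests both without contacting Let's Encrypt at all, so it cannot trip the rate limits Peter warns about: it drops a random token into CHALLENGEDIR, fetches it back over plain HTTP through every name on each domains.txt line, and then checks how many days are left on each primary domain's deployed certificate. The paths are assumptions taken from the scripts above (CHALLENGEDIR defaults to Peter's /usr/local/www/acme; set it to /usr/local/www/.well-known for Dave's flags), the per-domain layout CERTDIR/<domain>/fullchain.pem is assumed, and all function names are hypothetical. Note that the archived quote has lost its <VirtualHost> and <Directory> container lines, which is why Peter's snippet reads as bare directives.

```shell
#!/bin/sh
# acme-preflight: added example for this thread, not code from the FreeBSD
# port or from either poster. It checks the two things the periodic run
# depends on, without contacting Let's Encrypt (so no rate limits):
#   1. a token dropped into CHALLENGEDIR is served back at
#      http://<name>/.well-known/acme-challenge/<token> for every name on a
#      domains.txt line, which is what http-01 needs and what a missing or
#      wrong Alias breaks;
#   2. the deployed certificate of each primary domain still has more than
#      WARN_DAYS of validity, so a silently failing renewal shows up here.
# Paths are assumptions lifted from the scripts in the thread; the
# per-domain certificate layout (CERTDIR/<domain>/fullchain.pem) is assumed.

BASEDIR="${BASEDIR:-/usr/local/etc/acme}"
DOMAINSFILE="${DOMAINSFILE:-${BASEDIR}/domains.txt}"
CHALLENGEDIR="${CHALLENGEDIR:-/usr/local/www/acme}"   # must match acme-client -C and the Alias
CERTDIR="${CERTDIR:-/usr/local/etc/ssl/acme}"         # assumed certificate directory
WARN_DAYS="${WARN_DAYS:-14}"   # acme-client renews at <30 days; weekly runs give several chances

# acme-client exit status: 0 = renewed, 2 = not due yet; both mean "fine".
acme_rc_ok() {
    [ "$1" -eq 0 ] || [ "$1" -eq 2 ]
}

# The URL the CA fetches for http-01 validation of a given name and token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# One domains.txt line ("primary alt1 alt2 ...") -> one name per output line,
# comments stripped; word splitting is deliberate, as in the renew script.
expand_names() {
    set -- $(printf '%s\n' "$1" | sed 's/#.*//')
    for n; do printf '%s\n' "$n"; done
}

# Fetch a URL body: fetch(1) on FreeBSD, curl elsewhere; short timeout.
http_get() {
    if command -v fetch >/dev/null 2>&1; then
        fetch -q -T 10 -o - "$1"
    else
        curl -fsS --max-time 10 "$1"
    fi
}

# Write a random token into CHALLENGEDIR and read it back through every
# vhost named on the line. Non-zero if any name does not serve it.
check_challenge_path() {
    line="$1"; rc=0
    token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s\n' "$token" > "${CHALLENGEDIR}/${token}" || return 1
    for name in $(expand_names "$line"); do
        url=$(challenge_url "$name" "$token")
        got=$(http_get "$url" 2>/dev/null)
        if [ "$got" = "$token" ]; then
            echo "ok   $name: challenge path is served"
        else
            echo "FAIL $name: $url did not return the token"
            echo "     check Alias /.well-known/acme-challenge \"${CHALLENGEDIR}/\" in that vhost"
            rc=1
        fi
    done
    rm -f "${CHALLENGEDIR}/${token}"
    return $rc
}

# 0 if the PEM certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Report the expiry of the primary domain's deployed certificate.
check_cert() {
    cert="${CERTDIR}/$1/fullchain.pem"
    [ -f "$cert" ] || { echo "FAIL $1: no certificate at $cert"; return 1; }
    enddate=$(openssl x509 -noout -enddate -in "$cert")
    if cert_valid_for_days "$cert" "$WARN_DAYS"; then
        echo "ok   $1: $enddate"
    else
        echo "WARN $1: fewer than ${WARN_DAYS} days left ($enddate); renewal is not happening"
        return 1
    fi
}

main() {
    fail=0
    while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        check_challenge_path "$line" || fail=1
        check_cert "$1" || fail=1
    done < "${DOMAINSFILE}"
    return $fail
}

# Run only when asked, so the functions above can be sourced or tested.
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh acme-preflight run` on the web server as a user that can write to CHALLENGEDIR. A FAIL on the challenge line for a name means the CA's http-01 fetch for that name would fail the same way, regardless of what acme-client's flags say; a WARN on the certificate line a few weeks after the first issuance means the weekly renew or deploy step is not doing its job, which is the failure Dave would otherwise only discover when the certificate expires.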