From: David Mehler
Date: Fri, 27 Jul 2018 08:23:07 -0400
Subject: acme.sh and certificate deployment
To: freebsd-questions

Hello,

I'm really thinking about converting my existing letsencrypt effort from acme-client to the acme.sh script. This is on FreeBSD 11.1 and I'm using apache 2.4, postfix, and dovecot; I think those are the only tls-enabled services I've got.

I like the fact that acme.sh can do a wildcard certificate as I only need one for the tld and not x for all subdomains. I do like the fact that it also can handle ECC curves.

The thing that is holding me back is deployment: how do you deploy your tls certificates? Yesterday I did it manually but I only did it for one domain, copied the files where I wanted them and manually entered the tls information in apache's setup. I've got the cron script going, so ideally I'd like to get a certificate renewed if needed (cron takes care of that), then the certificate and key are deployed to where they need to go and the service or services are restarted.

My second question, and this one is a curiosity: the certificates that are made end with a .cer extension, can I change this in the script?

Thanks.
Dave.
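
One way to script the renew, deploy, restart sequence the message asks about, as an added example that is not part of the original post and not acme.sh's own code. It assumes the ACME client leaves `fullchain.cer` and `<domain>.key` in one directory; the function names, destination file names and the reload command are hypothetical.

```sh
#!/bin/sh
# Added example: deploy step to run after a renewal (for instance from cron).
# Assumed source layout: $srcdir/fullchain.cer and $srcdir/$domain.key.

# install_if_changed SRC DST MODE
# Returns 0 if DST was replaced, 1 if it was already identical, 2 on error.
install_if_changed() {
    src=$1 dst=$2 mode=$3
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 2; }
    cmp -s "$src" "$dst" 2>/dev/null && return 1
    tmp="$dst.new.$$"
    # Write a temp copy with the final permissions, then rename it into
    # place, so a service never reads a half-written or world-readable key.
    install -m "$mode" "$src" "$tmp" || return 2
    mv -f "$tmp" "$dst" || return 2
}

# deploy_cert DOMAIN SRCDIR DESTDIR [RELOAD_CMD]
# The destination name and extension are chosen here (.crt instead of .cer).
# RELOAD_CMD runs only when a file actually changed.
# Returns 0 if deployed, 1 if nothing changed, 2 on error.
deploy_cert() {
    domain=$1 srcdir=$2 destdir=$3 reload=${4:-}
    changed=0
    if install_if_changed "$srcdir/fullchain.cer" "$destdir/$domain.crt" 0644
    then changed=1
    else [ $? -eq 1 ] || return 2
    fi
    if install_if_changed "$srcdir/$domain.key" "$destdir/$domain.key" 0600
    then changed=1
    else [ $? -eq 1 ] || return 2
    fi
    [ "$changed" -eq 1 ] || return 1   # nothing new: leave services alone
    [ -z "$reload" ] || sh -c "$reload"
}

# Hypothetical call; paths and rc script names are assumptions:
# deploy_cert example.org /root/.acme.sh/example.org /usr/local/etc/ssl \
#   "service apache24 reload && service postfix reload && service dovecot reload"
```

Because services are reloaded only when the chain or key changed, the function can run on every cron pass without restarting anything unnecessarily.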