From: Andrea Venturoli
To: freebsd-questions@freebsd.org, dave.mehler@gmail.com
Subject: Re: acme.sh and certificate deployment
Date: Fri, 27 Jul 2018 17:04:17 +0200
Message-ID: <120e2cd3-b6a4-ac3d-714e-8597b88f95ed@netfence.it>

On 7/27/18 2:23 PM, David Mehler wrote:

> The thing that is holding me back is deployment, how do you deploy
> your tls certificates?

You once do "acme.sh --install-cert ..."
Then let "acme.sh --cron" do the rest periodically.

> Yesterday I did it manually but I only did it
> for one domain, copied the files where I wanted them and manually
> entered the tls information in apache's setup.

You'll still need to set up Apache (or other software) correctly, but
"acme.sh --install-cert" will copy them for you.

> I've got the cron script going so ideally I'd like to get a
> certificate renewed if needed cron takes care of that, then the
> certificate and key are deployed to where they need to go and the
> service or services are restarted.

That's exactly what "acme.sh --cron" does.

> My second question and this one is a curiosity, the certificates that
> are made end with a .cer extension, can I change this in the script?

Yes and no.
AFAIK, in acme.sh database they'll be .cer, but, since you shouldn't
mess directly with it, this should not matter.
When you use "acme.sh --install-cert" you can rename them as you like.

bye
av.
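
The one-time "acme.sh --install-cert" step described in the reply above, as an added example that is not part of the original message. The function name install_cert, the domain, the destination directory and the Apache reload command are assumptions for illustration; the acme.sh options used are --install-cert, -d, --cert-file, --key-file, --fullchain-file and --reloadcmd.

```shell
#!/bin/sh
# Added example, not from the original thread. The domain, target directory
# and reload command used with it are assumptions; adjust them to your host.

# Path to acme.sh; override when it is not on PATH.
ACME_SH="${ACME_SH:-acme.sh}"

# install_cert DOMAIN DEST_DIR RELOAD_CMD  (hypothetical helper name)
# Run once per domain. It tells acme.sh where to copy the certificate and
# key and which command to run after copying. The target file names are
# chosen here, so the .cer names in acme.sh's own directory never have to
# be touched.
install_cert() {
    domain=$1 dest=$2 reload=$3
    if [ -z "$domain" ] || [ -z "$dest" ] || [ -z "$reload" ]; then
        echo "usage: install_cert DOMAIN DEST_DIR RELOAD_CMD" >&2
        return 2
    fi
    # The private key is copied here: keep the directory owner-only.
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    "$ACME_SH" --install-cert -d "$domain" \
        --cert-file      "$dest/cert.pem" \
        --key-file       "$dest/key.pem" \
        --fullchain-file "$dest/fullchain.pem" \
        --reloadcmd      "$reload"
}

# Example call, left commented out so sourcing this file changes nothing:
# install_cert example.org /usr/local/etc/ssl/example.org "service apache24 reload"
```

Apache's SSLCertificateFile and SSLCertificateKeyFile then point at the files in the destination directory.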