--install-cert doesn't properly honor --home directory
Steps to reproduce
Fixed my issue listed in #2484 and was able to properly install and issue certs to proper directories.
Command used was:
./acme.sh --install --home /tmp/mnt/flash_drive/opt/acme --config-home /tmp/mnt/flash_drive/opt/acme/config --cert-home /tmp/mnt/flash_drive/opt/acme/cert
However, when issuing the following command we get:
admin@unknownsoldier:/tmp/mnt/flash_drive/opt/acme# ./acme.sh --home "/tmp/mnt/flash_drive/opt/acme/" --install-cert -d mydomain.com --cert-file /tmp/mnt/flash_drive/etc/ssl/certs/intechral.com.pem --key-file /tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key --reloadCmd "nginx -s reload"
[Tue Sep 17 14:01:54 DST 2019] The domain 'mydomain.com' is not a cert name. You must use the cert name to specify the cert to install.
[Tue Sep 17 14:01:54 DST 2019] Can not find path:'/tmp/mnt/flash_drive/opt/acme//mydomain.com'
admin@unknownsoldier:/tmp/mnt/flash_drive/opt/acme#
Command must be changed to the following to work:
admin@unknownsoldier:/tmp/mnt/flash_drive/opt/acme# ./acme.sh --home "/tmp/mnt/flash_drive/opt/acme/cert/" --install-cert -d mydomain.com --cert-file /tmp/mnt/flash_drive/etc/ssl/certs/intechral.com.pem --key-file /tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key --reloadCmd "nginx -s reload"
[Tue Sep 17 14:02:45 DST 2019] Installing cert to:/tmp/mnt/flash_drive/etc/ssl/certs/mydomain.com.pem
[Tue Sep 17 14:02:45 DST 2019] Installing key to:/tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key
[Tue Sep 17 14:02:45 DST 2019] Run reload cmd: nginx -s reload
[Tue Sep 17 14:02:45 DST 2019] Reload success
admin@unknownsoldier:/tmp/mnt/flash_drive/opt/acme#
I don't believe we should have to change the home location to the certs directory. Shouldn't home properly find CERT_HOME in account.conf and do the work from there?
thank you
account.conf is in the CERT_HOME. So, if you use a customized CERT_HOME, please use --cert-home
account.conf appears to be in the directory specified via "--config-home" during the install command. Additionally, the options page states
--certhome Specifies the home dir to save all the certs, only valid for '--install' command.
That being said, all of the below seem to work:
admin@unknownsoldier:/tmp/mnt/flash_drive/opt/acme# ./acme.sh --home "/tmp/mnt/flash_drive/opt/acme/cert/" --install-cert -d mydomain.com --cert-file /tmp/mnt/flash_drive/etc/ssl/certs/intechral.com.pem --key-file /tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key --reloadCmd "nginx -s reload"
[Wed Sep 18 09:25:06 DST 2019] Installing cert to:/tmp/mnt/flash_drive/etc/ssl/certs/mydomain.com.pem
[Wed Sep 18 09:25:06 DST 2019] Installing key to:/tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key
[Wed Sep 18 09:25:06 DST 2019] Run reload cmd: nginx -s reload
[Wed Sep 18 09:25:06 DST 2019] Reload success
admin@unknownsoldier:/tmp/mnt/flash_drive/opt/acme# ./acme.sh --certhome "/tmp/mnt/flash_drive/opt/acme/cert/" --install-cert -d mydomain.com --cert-file /tmp/mnt/flash_drive/etc/ssl/certs/mydomain.com.pem --key-file /tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key --reloadCmd "nginx -s reload"
[Wed Sep 18 09:25:16 DST 2019] Installing cert to:/tmp/mnt/flash_drive/etc/ssl/certs/mydomain.com.pem
[Wed Sep 18 09:25:16 DST 2019] Installing key to:/tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key
[Wed Sep 18 09:25:16 DST 2019] Run reload cmd: nginx -s reload
[Wed Sep 18 09:25:16 DST 2019] Reload success
admin@unknownsoldier:/tmp/mnt/flash_drive/opt/acme# ./acme.sh --cert-home "/tmp/mnt/flash_drive/opt/acme/cert/" --install-cert -d mydomain.com --cert-file /tmp/mnt/flash_drive/etc/ssl/certs/mydomain.com.pem --key-file /tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key --reloadCmd "nginx -s reload"
[Wed Sep 18 09:25:25 DST 2019] Installing cert to:/tmp/mnt/flash_drive/etc/ssl/certs/mydomain.com.pem
[Wed Sep 18 09:25:26 DST 2019] Installing key to:/tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key
[Wed Sep 18 09:25:26 DST 2019] Run reload cmd: nginx -s reload
[Wed Sep 18 09:25:26 DST 2019] Reload success
Even this appears to work:
admin@unknownsoldier:/tmp/mnt/flash_drive/opt/acme# ./acme.sh --config-home "/tmp/mnt/flash_drive/opt/acme/cert/" --install-cert -d mydomain.com --cert-file /tmp/mnt/flash_drive/etc/ssl/certs/mydomain.com.pem --key-file /tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key --reloadCmd "nginx -s reload"
[Wed Sep 18 09:27:48 DST 2019] Installing cert to:/tmp/mnt/flash_drive/etc/ssl/certs/mydomain.com.pem
[Wed Sep 18 09:27:48 DST 2019] Installing key to:/tmp/mnt/flash_drive/etc/ssl/private/mydomain.com.key
[Wed Sep 18 09:27:49 DST 2019] Run reload cmd: nginx -s reload
[Wed Sep 18 09:27:49 DST 2019] Reload success
The --config-home parameter isn't even documented in the options page and the other ones are scarcely documented. What is meant to be the difference between --home and --config-home and is the proper syntax --cert-home or --certhome?
I'm also looking for information on what the --cron syntax actually does and can it be combined with the syntax above to --install-cert to different directories and the reloadcmd?
thanks
https://github.com/Neilpang/acme.sh/wiki/How-to-install
Exactly, this page is contradictory to the experienced behavior:
--config-home is a writable folder, acme.sh will write all the files(including cert/keys, configs) there. By default, it's in --home
--cert-home is a customized dir to save the certs you issue. By default, it's saved in --config-home.
So based on the above text, the only thing going into the --cert-home is the certificates.
All "config" files as per the above are in --config-home (including account.conf).
I have validated this by the install.
But above you state:
account.conf is in the CERT_HOME. So, if you use a customized CERT_HOME, please use --cert-home
But this is not correct. account.conf isn't placed in --cert-home, it is placed in --config-home.
I don't have an issue having to specify --cert-home if that is necessary. But, it would seem to me that since account.conf has the following directive:
CERT_HOME=xxxxx
then, pointing the application to the --config-home (or simply --home as it is the default for the config location), the application would use the information found within the CERT_HOME directive. After all, why write settings to a .conf file only to have to specify them on every run of the application? Wouldn't it make more sense to simply point the application to the appropriate .conf file and it would use the parameters therein (unless over-ridden from the command line as well)?
Apologies, but the documentation is conflicting: https://github.com/Neilpang/acme.sh/wiki/Options-and-Params and https://github.com/Neilpang/acme.sh/wiki/How-to-install
For instance, the former specifies "--certhome" while the latter instead uses "--cert-home". Only the latter mentions "--config-home". None of them properly explain "--accountconf". Is this to override the .conf file even if specifying the --config-home parameter?
I realize that many users probably don't have these issues, but on a system which doesn't have writable default locations it is critical to use these parameters properly and the documentation doesn't seem very high on details.
thanks for your time.
But this is not correct. account.conf isn't placed in --cert-home, it is placed in --config-home.
Yes, it's --config-home. It was just a memory mistake.
The wiki is updated.
From the larger to the smaller:
--home > --config-home > --cert-home
acme.sh will find by the order at start up.
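Added example (not written by anyone in this thread and not acme.sh's own code): a small shell model of the defaulting order in the reply above, run against a constructed layout that mirrors the first post. It assumes account.conf is read only from the config home and that an unset --home falls back to $HOME/.acme.sh; the function names conf_get, resolve_dirs and cert_dir are hypothetical.

```shell
#!/bin/sh
# Model of the directory defaulting discussed in this thread (assumed
# behaviour, not acme.sh source). All function names are hypothetical.

# conf_get FILE KEY: read KEY=value (optionally quoted) without sourcing
# the file, so nothing in account.conf is executed.
conf_get() {
  [ -f "$1" ] || return 0
  sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# resolve_dirs HOME_DIR CONFIG_HOME CERT_HOME
# An empty argument means the corresponding flag was not given.
resolve_dirs() {
  home=${1:-"$HOME/.acme.sh"}   # no --home: per-user default (assumption)
  config=${2:-"$home"}          # no --config-home: falls back to --home
  cert=$3
  # CERT_HOME can only be picked up if account.conf sits in the config home.
  [ -n "$cert" ] || cert=$(conf_get "$config/account.conf" CERT_HOME)
  cert=${cert:-"$config"}       # still unset: certs live in the config home
  printf 'home=%s\nconfig=%s\ncert=%s\n' "$home" "$config" "$cert"
}

# cert_dir: same arguments, prints only the directory searched for certs.
cert_dir() { resolve_dirs "$@" | sed -n 's/^cert=//p'; }

# Constructed layout: config and certs in sub-directories of the home,
# with CERT_HOME recorded in config/account.conf.
demo=$(mktemp -d)
mkdir -p "$demo/acme/config" "$demo/acme/cert"
printf "CERT_HOME='%s'\n" "$demo/acme/cert" > "$demo/acme/config/account.conf"

# Only --home given: account.conf is not found, certs are sought in the home.
cert_dir "$demo/acme" "" ""
# --home and --config-home given: CERT_HOME is read from account.conf.
cert_dir "$demo/acme" "$demo/acme/config" ""
# Nothing given (for example a run as another user): that user's default.
cert_dir "" "" ""

rm -rf "$demo"
```

Under this model, a run that omits --config-home never reads the account.conf that records CERT_HOME, and a run under a different user with no flags resolves everything below that user's home directory.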
I'm going to necro-post here as facing the same issue, I've installed acme.sh with the following advanced install directives:
./acme.sh --install \
--home ~myUsername/scripts/acme.sh \
--config-home ~myUsername/scripts/acme.sh/data \
--cert-home ~myUsername/scripts/acme.sh/data \
--accountemail "[email protected]" \
--nocron
Based on the wiki, I expect acme.sh will be saving certificates in the --cert-home specified, "~myUsername/scripts/acme.sh/data", whilst based on the above I'm unsure if I shall read that it'd first try --home, i.e. "~myUsername/scripts/acme.sh". Either way, neither of the two behaviours is honoured, specifically:
- acme.sh.env in "~myUsername/scripts/acme.sh" shows the following and does not reference --home - I assume this is expected as that's simply the installation path, while, quoting https://github.com/acmesh-official/acme.sh/wiki/How-to-install , --config-home is a writable folder, acme.sh will write all the files(including cert/keys, configs) there. By default, it's in --home , and you'd expect this is the folder where certificates are going to be saved as per installation setup.
cat acme.sh.env
export LE_WORKING_DIR="/var/services/homes/myUsername/scripts/acme.sh"
export LE_CONFIG_HOME="/var/services/homes/myUsername/scripts/acme.sh/data"
alias acme.sh="/var/services/homes/myUsername/scripts/acme.sh/acme.sh --config-home '/var/services/homes/myUsername/scripts/acme.sh/data'"
- account.conf in "" shows limited reference to the settings, with LOG_FILE referring to the --config-home set at installation; I assume this is expected.
cat account.conf
#LOG_FILE="/var/services/homes/myUsername/scripts/acme.sh/data/acme.sh.log"
#LOG_LEVEL=1
#AUTO_UPGRADE="1"
#NO_TIMESTAMP=1
ACCOUNT_EMAIL='[email protected]'
UPGRADE_HASH='ebaa39b03facfa1a2bafae0ea1ffc8ab08dce8e9'
- Running
sh ~myUsername/scripts/acme.sh/acme.sh --set-default-ca --server letsencrypt
saves certificates in "/root/.acme.sh/" - why is this the case?
[Sat Apr 13 02:12:08 PM BST 2024] Your cert is in: /root/.acme.sh/myDomain.com_ecc/myDomain.com.cer
[Sat Apr 13 02:12:08 PM BST 2024] Your cert key is in: /root/.acme.sh/myDomain.com_ecc/myDomain.com.key
[Sat Apr 13 02:12:08 PM BST 2024] The intermediate CA cert is in: /root/.acme.sh/myDomain.com_ecc/ca.cer
[Sat Apr 13 02:12:08 PM BST 2024] And the full chain certs is there: /root/.acme.sh/myDomain.com_ecc/fullchain.cer
Thanks a lot in advance!