acme.sh

Deploy ssh certs/key using scp instead of stdout over ssh channel

Open fradev opened this issue 4 years ago • 10 comments

Warning: Permanently added 'XXXXXX,AAAAAAA' (RSA) to the list of known hosts.
[Tue Aug 24 11:10:00 UTC 2021] will copy fullchain to remote file YYYYY.crt
[Tue Aug 24 11:10:00 UTC 2021] Submitting sequence of commands to remote server by ssh
Warning: Permanently added 'XXXXXXX,AAAAAAAAAA' (RSA) to the list of known hosts.
/bin/sh: File too large

Using the default ssh hook, the deploy fails every time with the message "/bin/sh: File too large", which comes from the cat of the certificate over the ssh session.

I cannot control/debug the remote system, but I have seen that it easily supports scp.

Added simple/basic support for scp (which should be included in the default acme docker installation):

export DEPLOY_SSH_USE_SCP=""   (yes or no; defaults to no)
export DEPLOY_SSH_SCP_CMD=""   (defaults to "scp -T -q ")

fradev avatar Aug 25 '21 15:08 fradev

I need this. @Neilpang, could you review and merge this feature ASAP, please?

PMExtra avatar Feb 04 '22 13:02 PMExtra

According to this doc: https://man7.org/linux/man-pages/man1/scp.1.html

 -T      Disable strict filename checking.  By default when copying
         files from a remote host to a local directory scp checks
         that the received filenames match those requested on the
         command-line to prevent the remote end from sending
         unexpected or unwanted files.  Because of differences in
         how various operating systems and shells interpret filename
         wildcards, these checks may cause wanted files to be
         rejected.  This option disables these checks at the expense
         of fully trusting that the server will not send unexpected
         filenames.

I think we don't need the -T option.

PMExtra avatar Feb 06 '22 06:02 PMExtra

Thanks, I corrected it following the comments. For my usage, it works (docker) against an ESXi server:

/entry.sh --deploy --debug -d myserver.example.com --deploy-hook ssh
[Tue Mar 1 17:18:01 UTC 2022] Lets find script dir.
[Tue Mar 1 17:18:01 UTC 2022] SCRIPT='/root/.acme.sh/acme.sh'
[Tue Mar 1 17:18:01 UTC 2022] _script='/root/.acme.sh/acme.sh'
[Tue Mar 1 17:18:01 UTC 2022] _script_home='/root/.acme.sh'
[Tue Mar 1 17:18:01 UTC 2022] Using default home:/root/.acme.sh
[Tue Mar 1 17:18:01 UTC 2022] Using config home:/acme.sh
https://github.com/acmesh-official/acme.sh v3.0.2
[Tue Mar 1 17:18:01 UTC 2022] Running cmd: deploy
[Tue Mar 1 17:18:01 UTC 2022] Using config home:/acme.sh
[Tue Mar 1 17:18:01 UTC 2022] default_acme_server
[Tue Mar 1 17:18:01 UTC 2022] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Mar 1 17:18:01 UTC 2022] DOMAIN_PATH='/acme.sh/myserver.example.com'
[Tue Mar 1 17:18:01 UTC 2022] _deployApi='/root/.acme.sh/deploy/ssh.sh'
[Tue Mar 1 17:18:01 UTC 2022] _cdomain='myserver.example.com'
[Tue Mar 1 17:18:01 UTC 2022] _ckey='/acme.sh/myserver.example.com/myserver.example.com.key'
[Tue Mar 1 17:18:01 UTC 2022] _ccert='/acme.sh/myserver.example.com/myserver.example.com.cer'
[Tue Mar 1 17:18:01 UTC 2022] _cca='/acme.sh/myserver.example.com/ca.cer'
[Tue Mar 1 17:18:01 UTC 2022] _cfullchain='/acme.sh/myserver.example.com/fullchain.cer'
[Tue Mar 1 17:18:02 UTC 2022] Deploy certificates to remote server [email protected]
[Tue Mar 1 17:18:02 UTC 2022] Using scp as alternate method for copying files. Multicall Mode is implicit
[Tue Mar 1 17:18:02 UTC 2022] Using MULTI_CALL mode... Required commands sent in multiple calls to remote host
[Tue Mar 1 17:18:02 UTC 2022] Backup of old certificate files will be placed in remote directory .acme_ssh_deploy/myserver.example.com-backup-2022-03-01-17:18:02
[Tue Mar 1 17:18:02 UTC 2022] Backup directories erased after 180 days.
[Tue Mar 1 17:18:02 UTC 2022] Remote commands to execute: mkdir -p .acme_ssh_deploy/myserver.example.com-backup-2022-03-01-17:18:02; { now="$(date -u +%s)"; for fn in .acme_ssh_deploy/myserver.example.com-backup*; do if [ -d "$fn" ] && [ "$(expr $now - $(date -ur $fn +%s) )" -ge "15552000" ]; then rm -rf "$fn"; echo "Backup $fn deleted as older than 180 days"; fi; done; }; ='[hidden](please add '--output-insecure' to see this value)'
[Tue Mar 1 17:18:02 UTC 2022] Submitting sequence of commands to remote server by ssh
Warning: Permanently added 'myserver.example.com' (ECDSA) to the list of known hosts.
[Tue Mar 1 17:18:02 UTC 2022] Remote commands to execute: cp /etc/vmware/ssl/rui.key .acme_ssh_deploy/myserver.example.com-backup-2022-03-01-17:18:02 >/dev/null;='[hidden](please add '--output-insecure' to see this value)'
[Tue Mar 1 17:18:02 UTC 2022] Submitting sequence of commands to remote server by ssh
Warning: Permanently added 'myserver.example.com' (ECDSA) to the list of known hosts.
[Tue Mar 1 17:18:02 UTC 2022] Remote scp source /acme.sh/myserver.example.com/myserver.example.com.key and destination /etc/vmware/ssl/rui.key using : scp -T -q -i /acme.sh/esxi-key-rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no='[hidden](please add '--output-insecure' to see this value)'
[Tue Mar 1 17:18:02 UTC 2022] Submitting secure copy command : scp -q -i /acme.sh/esxi-key-rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
[Tue Mar 1 17:18:03 UTC 2022] Remote commands to execute: cp /etc/vmware/ssl/rui.crt .acme_ssh_deploy/myserver.example.com-backup-2022-03-01-17:18:02 >/dev/null;='[hidden](please add '--output-insecure' to see this value)'
[Tue Mar 1 17:18:03 UTC 2022] Submitting sequence of commands to remote server by ssh
Warning: Permanently added 'myserver.example.com' (ECDSA) to the list of known hosts.
[Tue Mar 1 17:18:03 UTC 2022] Remote scp source /acme.sh/myserver.example.com/fullchain.cer and destination /etc/vmware/ssl/rui.crt using : scp -T -q -i /acme.sh/esxi-key-rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no='[hidden](please add '--output-insecure' to see this value)'
[Tue Mar 1 17:18:03 UTC 2022] Submitting secure copy command : scp -q -i /acme.sh/esxi-key-rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
[Tue Mar 1 17:18:03 UTC 2022] Will execute remote command /etc/init.d/hostd restart
[Tue Mar 1 17:18:03 UTC 2022] Remote commands to execute: /etc/init.d/hostd restart;='[hidden](please add '--output-insecure' to see this value)'
[Tue Mar 1 17:18:03 UTC 2022] Submitting sequence of commands to remote server by ssh
Warning: Permanently added 'myserver.example.com' (ECDSA) to the list of known hosts.
watchdog-hostd[528663]: Terminating watchdog process with PID 526345 525516
hostd stopped.
hostd started.
[Tue Mar 1 17:18:05 UTC 2022] Success

fradev avatar Mar 01 '22 17:03 fradev
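The scp branch described in the PR, as an added example that is not acme.sh's own code: it reuses the PR's knobs DEPLOY_SSH_USE_SCP and DEPLOY_SSH_SCP_CMD plus DEPLOY_SSH_REMOTE_CMD, refuses the "-T" flag PMExtra flagged as unnecessary, and pins a known_hosts file rather than the UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no visible in the debug log above, which accept any server key. Function names, the known_hosts argument and the "print the plan instead of executing it" shape are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not acme.sh's own code) of the scp path this PR adds to the ssh
# deploy hook. Real acme.sh names reused: DEPLOY_SSH_USE_SCP, DEPLOY_SSH_SCP_CMD,
# DEPLOY_SSH_REMOTE_CMD. Function names, the known_hosts argument and the
# "print the plan, don't execute" shape are assumptions for this illustration.

# Validate the configured scp base command. Strict filename checking stays on, so
# "-T" is refused rather than silently passed through.
_scp_base() {
  _cmd="${DEPLOY_SSH_SCP_CMD:-scp -q}"
  case " $_cmd " in
    *" -T "*) echo "DEPLOY_SSH_SCP_CMD must not contain -T" >&2; return 1 ;;
  esac
  printf '%s' "$_cmd"
}

# ssh/scp options shared by every hop: identity file plus a pinned known_hosts
# file. The debug log in the thread uses UserKnownHostsFile=/dev/null with
# StrictHostKeyChecking=no, which accepts any server key; pinning makes a changed
# key abort the deploy instead.
_ssh_opts() {
  # $1 = identity file, $2 = known_hosts file
  printf '%s' "-i $1 -o UserKnownHostsFile=$2 -o StrictHostKeyChecking=yes"
}

# Emit, one per line, the commands for deploying a single file: back up the
# current remote copy, transfer the new one, then the optional reload command.
# With DEPLOY_SSH_USE_SCP=yes the transfer is an scp upload; otherwise the file
# contents travel inside the ssh session (stand-in for the default path that hit
# "/bin/sh: File too large" on the reporter's ESXi host).
_deploy_plan() {
  # $1 = user@host, $2 = identity, $3 = known_hosts, $4 = local file,
  # $5 = remote file, $6 = remote backup directory
  _opts="$(_ssh_opts "$2" "$3")"
  echo "ssh $_opts $1 'mkdir -p $6 && cp $5 $6/ 2>/dev/null; true'"
  if [ "${DEPLOY_SSH_USE_SCP:-no}" = yes ]; then
    _base="$(_scp_base)" || return 1
    echo "$_base $_opts $4 $1:$5"
  else
    echo "cat $4 | ssh $_opts $1 'cat > $5'"
  fi
  [ -n "$DEPLOY_SSH_REMOTE_CMD" ] && echo "ssh $_opts $1 '$DEPLOY_SSH_REMOTE_CMD'"
  return 0
}

# Stand-alone run: print the plan for the thread's ESXi scenario (values constructed).
DEPLOY_SSH_USE_SCP=yes DEPLOY_SSH_REMOTE_CMD='/etc/init.d/hostd restart' \
  _deploy_plan root@esxi.example.com /acme.sh/esxi-key-rsa /acme.sh/known_hosts \
  /acme.sh/myserver.example.com/fullchain.cer /etc/vmware/ssl/rui.crt .acme_ssh_deploy/backup
```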

@Neilpang

PMExtra avatar Mar 27 '22 11:03 PMExtra

Any news here? I have been waiting for this feature for several months; I have to copy the certificates manually for now.

PMExtra avatar Apr 21 '22 11:04 PMExtra

It doesn't need the "Le_Deploy_ssh_user" variable (nor any of the "Le_Deploy_ssh_*" variables). Try to remove them, but be careful to keep it compatible with renewal.

Neilpang avatar May 05 '22 10:05 Neilpang

Using just "DEPLOY_SSH_USER" and saving them into the conf is enough.

Neilpang avatar May 05 '22 10:05 Neilpang

Off-topic, but not sure where to ask: @fradev, what was the command you ran on the ESX host with this? Also, have you got vCenter to work, if you tried? I can't seem to get Update Manager to work with public certs.

mrulke avatar Jul 04 '22 06:07 mrulke

@mrulke I make ESXi reload the certificate with /etc/init.d/hostd restart, but I'm not sure if it works for vCenter.

PMExtra avatar Jul 04 '22 10:07 PMExtra

@mrulke yes

DEPLOY_SSH_REMOTE_CMD | /etc/init.d/hostd restart

vCenter, as far as I remember, has another way (you can see here: https://blog.rylander.io/2020/12/05/automatically-update-vcenter-7-certificates-using-letsencrypt-and-acme-sh/).

fradev avatar Jul 04 '22 18:07 fradev