run, renew and --days conceptual issue
i've a problem understanding how to initially get certificates and how to renew them when doing script based automation.
- my primary problem is, why does a `run` call 'change' the already existing and correct certificates at all? why would anyone want that? the output below shows that the files were changed.
- why does `run` not support `--days=15`? what are the pre-conditions to `run`, should i manually check if there is a certificate file and a key? or should i first try to `renew` it, and if that fails call the `run`?
a call to run
when i call the run command it changes my certificates... why?
root@mail /e/n/nixcloud-webservices# md5sum /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/*
72ff023cded4240a0d4d9589f8b72d22 /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.crt
1a0c61157751e90ca73c58279f2ec64f /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.json
187edad9763b5ed746fb4970c2951aac /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.key
root@mail /e/n/nixcloud-webservices# systemctl restart nixcloud.TLS-acmeSupplied-mail.nix.lt.service
root@mail /e/n/nixcloud-webservices# md5sum /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/*
cd0b2410ba34dd80d8e055213baee1d9 /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.crt
9b7d9b1c1d45b26a4e5111e158031cda /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.json
1055aa1c3e6fb727e5341527ef784d7a /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.key
my code
at the moment i'm running this code:
#! /nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/bash -e
cd /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied
#if [[ ! -e "/var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.crt" ]]; then
echo "initial lego certificate query"
/nix/store/9p7z4jqx46jbyc03593gw289jrm0l2k2-lego-1.0.1-bin/bin/lego --domains="mail.nix.lt" --email="[email protected]" --exclude="dns-01" --exclude="tls-alpn-01" --webroot="/run/nixcloud/lego/mail.nix.lt/challenges" --path="/var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13" --accept-tos --server="https://acme-staging-v02.api.letsencrypt.org/directory" run
#fi
echo "lego certificate renewal check"
/nix/store/9p7z4jqx46jbyc03593gw289jrm0l2k2-lego-1.0.1-bin/bin/lego --domains="mail.nix.lt" --email="[email protected]" --exclude="dns-01" --exclude="tls-alpn-01" --webroot="/run/nixcloud/lego/mail.nix.lt/challenges" --path="/var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13" --accept-tos --server="https://acme-staging-v02.api.letsencrypt.org/directory" renew --days=15
also: why is --days=15 not a default? why would i want to update the certificates on every call by default?
oh and the examples on the webpage, https://github.com/xenolf/lego#cli-example, are inconsistent in parameter handling. should it not be --days=15 in lego --email="[email protected]" --domains="example.com" renew --days 30 when all the other arguments use a --foo=bar syntax?
just for the record, my new code is now:
script = ''
cd ${stateDir}/${identifier}/acmeSupplied
echo "lego certificate renewal check"
set +e
${pkgs.nixcloud.lego}/bin/lego ${allDomains} --email="${c.email}" --exclude="dns-01" --exclude="tls-alpn-01" --webroot="/run/nixcloud/lego/${identifier}/challenges" --path="${path}" --accept-tos --server="${c.acmeApiEndpoint}" renew --days=15
status=$?
echo "return code was $status"
set -e
if [ "$status" != "0" ]; then
echo "initial lego certificate query"
${pkgs.nixcloud.lego}/bin/lego ${allDomains} --email="${c.email}" --exclude="dns-01" --exclude="tls-alpn-01" --webroot="/run/nixcloud/lego/${identifier}/challenges" --path="${path}" --accept-tos --server="${c.acmeApiEndpoint}" run
fi
'';
this is an ugly hack but until this is sorted it works.
Similar to #216 and #290
Hi. I use the following logic in my script:
LEGOCMD=run
crtChkSum=NA
if ( (certificate.crt exist) and ((SANs in the certificate.crt) == (required domains)) ) {
    crtChkSum=md5(certificate)
    LEGOCMD="renew --days 45"
}
lego --all-other-options $LEGOCMD
if ( crtChkSum == (md5(certificate)) ) exit  # certificate not changed
# perform new certificate actions like bounce webserver, send emails, format c:, etc ...
Do you still use this logic today? Would you mind sharing your code, in particular the "SANs in the certificate.crt" part?
I found that the following code does the trick but you may have something simpler/cleaner to share.
openssl x509 -text -in example.com.crt -noout | perl -l -0777 -ne '@names=/\bDNS:([^\s,]+)/g; print join("\n", sort @names);'
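The logic discussed in this thread (renew only when the certificate on disk already covers exactly the required domains, otherwise do a fresh run, then compare a file digest to decide whether anything has to be reloaded), written out as an added example; this is not lego's own code nor any commenter's script. The environment names LEGO_PATH, DOMAINS, LEGO_EXTRA, LEGO_BIN and LEGO_WRAPPER_MAIN are assumptions made here, and the SAN extraction uses the same `openssl x509 -text` approach as the command above.

```shell
#!/usr/bin/env bash
# Added example (not lego's own code): choose `lego run` vs `lego renew --days`
# from the SANs already on disk, then react only if the certificate changed.
set -eu

# Print the DNS SANs from `openssl x509 -text` output (stdin): one per line,
# lower-cased, sorted, de-duplicated.
extract_sans() {
  grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '[:upper:]' '[:lower:]' | sort -u
}
# SANs of the certificate file given as $1; prints nothing if it is missing.
cert_sans() {
  [ -r "$1" ] || return 0
  openssl x509 -in "$1" -noout -text | extract_sans
}
# Normalise a whitespace-separated list onto one line so two lists compare
# as plain strings regardless of order or case.
norm_list() {
  printf '%s\n' $* | sed '/^$/d' | tr '[:upper:]' '[:lower:]' | sort -u | tr '\n' ' '
}
# $1: SANs present, $2: domains required. "renew" only when the sets match;
# otherwise (no cert yet, or a domain was added/removed) a fresh "run".
decide_action() {
  have=$(norm_list "$1"); required=$(norm_list "$2")
  if [ -n "$have" ] && [ "$have" = "$required" ]; then echo renew; else echo run; fi
}
# SHA-256 of a file, or NA when it does not exist yet (first issuance).
file_digest() {
  if [ -r "$1" ]; then sha256sum "$1" | cut -d' ' -f1; else echo NA; fi
}
# Full flow; only runs when LEGO_WRAPPER_MAIN=1 so the file can be sourced.
# LEGO_PATH, DOMAINS (first one names the .crt) and LEGO_EXTRA (email,
# webroot, server, --accept-tos ...) are assumed environment inputs.
main() {
  path=${LEGO_PATH:?}; domains=${DOMAINS:?}; extra=${LEGO_EXTRA:-}
  crt="$path/certificates/${domains%% *}.crt"
  before=$(file_digest "$crt")
  action=$(decide_action "$(cert_sans "$crt" | tr '\n' ' ')" "$domains")
  args=""; for d in $domains; do args="$args --domains=$d"; done
  if [ "$action" = renew ]; then
    ${LEGO_BIN:-lego} $args --path="$path" $extra renew --days=15
  else
    ${LEGO_BIN:-lego} $args --path="$path" $extra run
  fi
  [ "$(file_digest "$crt")" = "$before" ] && { echo "unchanged"; return 0; }
  echo "certificate changed: reload services that use $crt here"
}
if [ "${LEGO_WRAPPER_MAIN:-0}" = 1 ]; then main; fi
```

Run it as `LEGO_WRAPPER_MAIN=1 LEGO_PATH=... DOMAINS="mail.nix.lt" LEGO_EXTRA="--email=... --webroot=... --accept-tos" ./script.sh`; the first invocation finds no certificate and falls through to `run`, later ones only `renew`.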