Bash script for Letsencrypt certbot-auto certificate renewal

KenVjn

Active Member
Jan 11, 2019
Hi guys,
I configured it as described in https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Introduction and it's working (I used Proxmox 6.1-3):

apt install certbot

apt -t buster-backports install certbot

certbot certonly

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mydomain.ga
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.ga
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.ga/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.ga/privkey.pem
Your cert will expire on 2020-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

cp /etc/letsencrypt/live/mydomain.ga/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/mydomain.ga/privkey.pem /etc/pve/local/pveproxy-ssl.key

systemctl restart pveproxy

Edit /etc/crontab and add the following line:

30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh

Could someone help me create a bash script "renew-pve-certs.sh" to renew the certificate automatically?
 
Here is my script /usr/local/bin/renew-pve-certs.sh

cat << 'EOF' > /usr/local/bin/renew-pve-certs.sh
#!/bin/bash
# This script runs as the --post-hook of "certbot renew", so the renewal has already
# happened by the time it starts; a nested certbot would only contend for certbot's lock.
# certbot renew --no-self-upgrade
# keep the previous pair for rollback, then install the renewed one
mkdir -p /etc/pve/local/old-ssl
mv /etc/pve/local/pveproxy-ssl.pem /etc/pve/local/old-ssl/
mv /etc/pve/local/pveproxy-ssl.key /etc/pve/local/old-ssl/
cp /etc/letsencrypt/live/mydomain.ga/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/mydomain.ga/privkey.pem /etc/pve/local/pveproxy-ssl.key
service pveproxy restart
service pvedaemon restart
EOF

Make script executable
chmod +x /usr/local/bin/renew-pve-certs.sh

Then edit /etc/crontab and add the following line:

30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh

My question is: is it necessary to have "certbot renew --no-self-upgrade" in the script? (Because the crontab line already runs: certbot renew --quiet --post-hook /path/to/file/script.sh)
 
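A fuller version of the hook the OP asked for and the reply above sketches, added here as an example; it is not code from either poster or from Proxmox. It is written to be called as certbot's --deploy-hook rather than --post-hook: a deploy hook runs once for each lineage that was actually renewed and certbot passes that lineage's directory in RENEWED_LINEAGE, whereas a post hook runs after the whole `certbot renew` pass (and only when a renewal was attempted) without saying which lineage changed. The script falls back to a fixed lineage so it still works by hand or from a post hook. Before touching /etc/pve/local it checks that both files are PEM and that the private key belongs to the certificate (a half-written or mismatched pair would take pveproxy down), and it keeps a timestamped copy of the previous pair outside the cluster filesystem. The domain mydomain.ga, the backup directory /var/backups/pve-ssl and the script name are assumptions.

```shell
#!/bin/sh
# renew-pve-certs.sh: deploy a renewed Let's Encrypt lineage to pveproxy (added example).
# Intended use:  certbot renew --quiet --deploy-hook /usr/local/bin/renew-pve-certs.sh
# certbot sets RENEWED_LINEAGE=/etc/letsencrypt/live/<name> for a deploy hook; run by
# hand or as a --post-hook nothing is set, so DEFAULT_LINEAGE below is used instead.
set -eu

DEFAULT_LINEAGE="/etc/letsencrypt/live/mydomain.ga"   # assumed; adjust to your lineage
PVE_DIR="/etc/pve/local"                               # pmxcfs; pveproxy reads its cert here
BACKUP_DIR="/var/backups/pve-ssl"                      # assumed; outside the cluster filesystem

log() { printf '%s: %s\n' "${0##*/}" "$*" >&2; }

# Which lineage to deploy: the one certbot just renewed, else the configured default.
pick_lineage() {
    printf '%s\n' "${RENEWED_LINEAGE:-$DEFAULT_LINEAGE}"
}

# looks_like_pem FILE KIND: non-empty and carrying a "-----BEGIN ...KIND-----" header
# (KIND "PRIVATE KEY" also accepts the RSA/EC PKCS#1 variants).
looks_like_pem() {
    [ -s "$1" ] && grep -q -E -- "-----BEGIN .*$2-----" "$1"
}

# Compare the public key embedded in the leaf certificate with the one derived from
# the private key; a mismatch means every TLS handshake on pveproxy would fail.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# install_pve_cert LINEAGE_DIR DEST_DIR BACKUP_DIR
# Validates the new pair, saves the pair currently in DEST_DIR, then copies the new
# fullchain/privkey into place under the names pveproxy expects. Returns 1 and leaves
# DEST_DIR untouched if the new pair is unusable.
install_pve_cert() {
    lineage=$1; dest=$2; backup=$3
    new_cert="$lineage/fullchain.pem"; new_key="$lineage/privkey.pem"

    looks_like_pem "$new_cert" "CERTIFICATE" || { log "no certificate at $new_cert"; return 1; }
    looks_like_pem "$new_key" "PRIVATE KEY" || { log "no private key at $new_key"; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$new_cert" "$new_key" || { log "key/cert mismatch in $lineage"; return 1; }
    else
        log "openssl not found, skipping key/cert match check"
    fi

    # Keep the previous pair so a bad deploy can be rolled back by hand.
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p -m 0700 "$backup"
    for f in pveproxy-ssl.pem pveproxy-ssl.key; do
        if [ -f "$dest/$f" ]; then cp -p "$dest/$f" "$backup/$f.$stamp"; fi
    done

    cp "$new_cert" "$dest/pveproxy-ssl.pem"
    cp "$new_key" "$dest/pveproxy-ssl.key"
    log "installed $lineage into $dest (previous pair saved under $backup)"
}

main() {
    install_pve_cert "$(pick_lineage)" "$PVE_DIR" "$BACKUP_DIR"
    systemctl restart pveproxy      # pveproxy only picks up the new pair on restart
}

# Run only when executed as the installed hook; sourced under another name it just
# defines the functions, so it can be exercised without touching pveproxy.
case "${0##*/}" in
    renew-pve-certs.sh) main "$@" ;;
esac
```

Install it as /usr/local/bin/renew-pve-certs.sh, make it executable, and replace `--post-hook` in the crontab line with `--deploy-hook /usr/local/bin/renew-pve-certs.sh`; with a deploy hook the copy only happens for a lineage certbot actually renewed, and the validation step is what keeps a failed or partial renewal from ever reaching pveproxy.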
I also had to keep my old script because I can't figure out how to configure it for DNS-based authentication: my cluster is not visible from the Internet even if it can "go out" to the Internet.

Yes, that is not yet supported by the built-in ACME support (but it is in the works). The OP uses the standalone / HTTP challenge though, which works perfectly fine with the built-in integration ;)
 
Indeed, only good news:
- OP could already use the built-in ACME support
- I'll be able to soon!

All the best
EC
 
No, there is no hook mechanism.
 