Bash script for Letsencrypt Certbot-auto renew certificate renewal

[KenVjn]

Hi guys
I configured as https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Introduction and it's working (i used proxmox 6.1-3)

apt install certbot

apt -t buster-backports install certbot

certbot certonly

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mydomain.ga
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.ga
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.ga/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.ga/privkey.pem
Your cert will expire on 2020-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

cp /etc/letsencrypt/live/mydomain.ga/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/mydomain.ga/privkey.pem /etc/pve/local/pveproxy-ssl.key

systemctl restart pveproxy

/etc/crontab and add the following line:

30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh

Could someone help me to creat a bash script "renew-pve-certs.sh" for renew certificate auto ?

 

[KenVjn]

Here is my script /usr/local/bin/renew-pve-certs.sh

cat << EOF > /usr/local/bin/renew-pve-certs.sh
#!/bin/bash
certbot renew --no-self-upgrade
mv /etc/pve/local/pveproxy-ssl.pem /etc/pve/local/old-ssl/
mv /etc/pve/local/pveproxy-ssl.key /etc/pve/local/old-ssl/
cp /etc/letsencrypt/live/mydomain.ga/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/mydomain.ga/privkey.pem /etc/pve/local/pveproxy-ssl.key
service pveproxy restart
service pvedaemon restart
EOF

Make script executable
chmod +x /usr/local/bin/renew-pve-certs.sh

Than edit /etc/crontab and add the following line:

30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh

My question is : It would be necessary , if there is "certbot renew --no-self-upgrade" in the script ? (Because in crontab there is also the syntax: certbot renew --quiet --post-hook /path/to/file/script.sh)

 

[fabian]

I wonder why you use certbot and not the integrated ACME support which does exactly the same, and is configurable over the GUI? https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management

 

[Etienne Charlier]

I wonder why you use certbot and not the integrated ACME support which does exactly the same, and is configurable over the GUI? https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management

I also had to keep by old script because I can't figure out how to configure it for DNS based authentication: my cluster is not visible from the Internet even if it can "go out" to the internet.

 

[fabian]

I also had to keep by old script because I can't figure out how to configure it for DNS based authentication: my cluster is not visible from the Internet even if it can "go out" to the internet.

yes, that is not yet supported by the built-in ACME support (but it is in the works). the OP uses standalone / http challenge though, which works perfectly fine with the built-in integration

 

[Etienne Charlier]

yes, that is not yet supported by the built-in ACME support (but it is in the works). the OP uses standalone / http challenge though, which works perfectly fine with the built-in integration

Indeed only good news:
- OP could already use builtin ACME support
- I'll be able soon !

All the best
EC

 

[KenVjn]

I wonder why you use certbot and not the integrated ACME support which does exactly the same, and is configurable over the GUI? https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management

i forgot about that

 

[alexskysilk]

I wonder why you use certbot and not the integrated ACME support which does exactly the same, and is configurable over the GUI? https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management

Sorry for necroposting, but best I can tell is because there is no mechanism for pre/post hooks. Please tell me I'm wrong cause I'd love to have this as a single mechanism for cert deployment.

 

[fabian]

no, there is no hook mechanism.