Bash script for Letsencrypt Certbot-auto renew certificate renewal

K

KenVjn

Active Member
Jan 11, 2019
13
2
43
34
Hi guys
I configured as https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Introduction and it's working (i used proxmox 6.1-3)

apt install certbot

apt -t buster-backports install certbot

certbot certonly

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mydomain.ga
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.ga
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.ga/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.ga/privkey.pem
Your cert will expire on 2020-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

cp /etc/letsencrypt/live/mydomain.ga/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/mydomain.ga/privkey.pem /etc/pve/local/pveproxy-ssl.key

systemctl restart pveproxy

/etc/crontab and add the following line:

30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh

Could someone help me to creat a bash script "renew-pve-certs.sh" for renew certificate auto ?
 
Last edited:
Here is my script /usr/local/bin/renew-pve-certs.sh

cat << EOF > /usr/local/bin/renew-pve-certs.sh
#!/bin/bash
certbot renew --no-self-upgrade
mv /etc/pve/local/pveproxy-ssl.pem /etc/pve/local/old-ssl/
mv /etc/pve/local/pveproxy-ssl.key /etc/pve/local/old-ssl/
cp /etc/letsencrypt/live/mydomain.ga/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/mydomain.ga/privkey.pem /etc/pve/local/pveproxy-ssl.key
service pveproxy restart
service pvedaemon restart
EOF

Make script executable
chmod +x /usr/local/bin/renew-pve-certs.sh

Than edit /etc/crontab and add the following line:

30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh

My question is : It would be necessary , if there is "certbot renew --no-self-upgrade" in the script ? (Because in crontab there is also the syntax: certbot renew --quiet --post-hook /path/to/file/script.sh)
 
  • Like
Reactions: Rocha Neto
Etienne Charlier said:
I also had to keep by old script because I can't figure out how to configure it for DNS based authentication: my cluster is not visible from the Internet even if it can "go out" to the internet.
Click to expand...

yes, that is not yet supported by the built-in ACME support (but it is in the works). the OP uses standalone / http challenge though, which works perfectly fine with the built-in integration ;)
 
fabian said:
yes, that is not yet supported by the built-in ACME support (but it is in the works). the OP uses standalone / http challenge though, which works perfectly fine with the built-in integration ;)
Click to expand...
Indeed only good news:
- OP could already use builtin ACME support
- I'll be able soon !

All the best
EC
 
no, there is no hook mechanism.
 
You must log in or register to reply here.
Top Bottom