Accessing TLS certificates

Due to changes done in March, the above path no longer works. I have included a couple of scripts that extract the required certificate and send it to the local PC/instance requiring the keys. This is for Mesh Central but will also work with Frappe and other servers on a split-DNS network.

#!/bin/bash

# --- Configuration ---
# Path to Traefik's acme.json file
ACME_JSON_PATH="/home/traefik1/.config/state/acme/acme.json" # Please verify this path as it depends on your instance


# Domain for the Mesh Central certificate
DOMAIN="mc.mydomain.co.nz"

# Mesh Central server details
MESH_SERVER_USER="your_ssh_user" # Replace with your SSH username for the Mesh server
MESH_SERVER_HOST="mesh_server_ip_or_hostname" # Replace with your Mesh server's IP or hostname

# Remote directory on Mesh Central server to store certs temporarily
REMOTE_TMP_DIR="/tmp/new_certs"

# --- Script ---
set -e # Exit immediately if a command exits with a non-zero status.
umask 077 # Files created below (the private key in particular) are readable by the owner only; scp carries that mode to the remote side

echo "Starting certificate sync for $DOMAIN..."

# Create a temporary directory for local cert files
TMP_DIR=$(mktemp -d)
# Ensure the temporary directory is cleaned up on exit
trap 'rm -rf -- "$TMP_DIR"' EXIT

# Extract certificate and key using jq, then decode from Base64
echo "Extracting and decoding certificate and key..."
jq -r --arg domain "$DOMAIN" '.acmeServer.Certificates[] | select(.domain.main == $domain) | .certificate' "$ACME_JSON_PATH" | base64 -d > "$TMP_DIR/cert.pem"
jq -r --arg domain "$DOMAIN" '.acmeServer.Certificates[] | select(.domain.main == $domain) | .key' "$ACME_JSON_PATH" | base64 -d > "$TMP_DIR/key.pem"

# Check if the files were created and are not empty
if [ ! -s "$TMP_DIR/cert.pem" ] || [ ! -s "$TMP_DIR/key.pem" ]; then
    echo "Error: Failed to extract certificate or key for $DOMAIN. Please check the domain name and acme.json path."
    exit 1
fi

echo "Certificate and key extracted successfully."

# Transfer the files to the Mesh Central server using scp
echo "Connecting to $MESH_SERVER_HOST to transfer files..."
ssh "$MESH_SERVER_USER@$MESH_SERVER_HOST" "mkdir -p -m 700 $REMOTE_TMP_DIR && chmod 700 $REMOTE_TMP_DIR" # Keep the staging directory private while the key sits in /tmp
scp "$TMP_DIR/cert.pem" "$TMP_DIR/key.pem" "$MESH_SERVER_USER@$MESH_SERVER_HOST:$REMOTE_TMP_DIR/"

echo "Files transferred successfully to $REMOTE_TMP_DIR on $MESH_SERVER_HOST."
echo "Certificate sync complete."

After saving the script, I make it executable, i.e.

chmod +x /usr/local/bin/sync_mesh_certs.sh

I then set up a cron job on the NethServer to run this each day, but it could be run weekly, or even monthly.

0 2 * * * /usr/local/bin/sync_mesh_certs.sh >> /var/log/sync_mesh_certs.log 2>&1

And for the script to run, set up SSH keys.

ssh-keygen -t rsa -b 4096

Then, copy the public key to your Mesh Central server:

ssh-copy-id your_ssh_user@mesh_server_ip_or_host

Part 2: Script for the Mesh Central Server

This script will run on your Mesh Central server. It checks for new certificate files, moves them to the correct location, and restarts the Mesh Central service. I've called it update_mesh_cert.sh

#!/bin/bash

# --- Configuration ---
# Directory where new certs are copied by the sync script
SOURCE_DIR="/tmp/new_certs"

# Mesh Central's certificate and key file paths
# These paths are typically configured in Mesh Central's config.json
# Default location is often inside the meshcentral-data directory
MESH_CERT_PATH="/opt/meshcentral/meshcentral-data/webserver-cert-public.crt"
MESH_KEY_PATH="/opt/meshcentral/meshcentral-data/webserver-cert-private.key"

# --- Script ---
set -e

echo "Checking for new certificates in $SOURCE_DIR..."

# Check if source files exist and are not empty
if [ ! -s "$SOURCE_DIR/cert.pem" ] || [ ! -s "$SOURCE_DIR/key.pem" ]; then
    echo "No new certificate files found. Exiting."
    exit 0
fi

echo "New certificate files found. Updating..."

# Move the new certificate and key into place
mv "$SOURCE_DIR/cert.pem" "$MESH_CERT_PATH"
mv "$SOURCE_DIR/key.pem" "$MESH_KEY_PATH"

# Set correct permissions (optional, but good practice)
# The user running Mesh Central needs to be able to read these files.
# Adjust 'meshcentral_user' if you run it under a different account.
# chown meshcentral_user:meshcentral_user "$MESH_CERT_PATH" "$MESH_KEY_PATH"
chmod 600 "$MESH_KEY_PATH" # Private key should be readable only by the owner

echo "Certificates updated. Restarting Mesh Central service..."

# Restart Mesh Central service to apply the new certificates
# This command may vary based on your setup (e.g., pm2, systemd)
# Example for systemd:
systemctl restart meshcentral

# Example for PM2 (if you use it to manage Mesh Central):
# pm2 restart meshcentral

echo "Mesh Central service restarted. Update complete."

# Clean up the source directory
rm -rf "$SOURCE_DIR"

Save the script: Save the code above to /usr/local/bin/update_mesh_certs.sh on your Mesh Central server and make it executable.

chmod +x /usr/local/bin/update_mesh_certs.sh

And lastly, set up the cron job.

5 2 * * * /usr/local/bin/update_mesh_certs.sh >> /var/log/update_mesh_cert.log 2>&1

Hope this helps someone. It's not 100% error-proof, but the scripts above are a good starting point 😀
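As an added example (not part of the post above and not code from the Traefik or MeshCentral projects), here is a Python version of the extraction step that covers two things the jq one-liner does not: it searches every certificate resolver in acme.json instead of hard-coding the `acmeServer` name, and it matches the domain against the SAN list as well as `main`. It also writes the files with owner-only permissions and keeps a fingerprint of the last certificate it handed over, so the nightly run only re-copies (and the remote side only restarts Mesh Central) when the certificate has actually been renewed. The `SAMPLE_ACME` structure is a constructed stand-in for a real acme.json; the certificate and key bodies in it are placeholder bytes, not real credentials, and `run_demo` only exists to exercise the functions in a temporary directory.

```python
"""Extract the certificate/key pair for a domain from a Traefik acme.json
(any resolver name, main domain or SAN), write it with mode 0600 and report
whether it changed since the previous sync."""
import base64
import hashlib
import json
import os
import ssl
import tempfile


def _fake_pem(label: str, payload: bytes) -> bytes:
    # Builds PEM framing around arbitrary bytes; used only to construct sample data.
    body = base64.encodebytes(payload)
    return (b"-----BEGIN " + label.encode() + b"-----\n" + body
            + b"-----END " + label.encode() + b"-----\n")


# Constructed sample with the shape Traefik writes to acme.json: one object per
# resolver, each holding an Account and a list of Certificates. The "certificate"
# field is the base64 of the full PEM chain, "key" the base64 of the PEM key.
SAMPLE_ACME = {
    "acmeServer": {
        "Account": {"Email": "admin@mydomain.co.nz"},
        "Certificates": [
            {
                "domain": {"main": "mc.mydomain.co.nz", "sans": ["www.mc.mydomain.co.nz"]},
                "certificate": base64.b64encode(
                    _fake_pem("CERTIFICATE", b"constructed placeholder, not a real certificate")).decode(),
                "key": base64.b64encode(
                    _fake_pem("PRIVATE KEY", b"constructed placeholder, not a real key")).decode(),
                "Store": "default",
            }
        ],
    },
    # A resolver that has not issued anything yet: Traefik leaves Certificates null.
    "otherResolver": {"Account": {"Email": "admin@mydomain.co.nz"}, "Certificates": None},
}


def load_acme(path: str) -> dict:
    # Reads a real acme.json from disk; the file is root-only (0600) by default.
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def find_certificate(acme: dict, domain: str):
    """Return (cert_pem, key_pem) as bytes for `domain`, or None if no resolver holds it."""
    for resolver in acme.values():
        if not isinstance(resolver, dict):
            continue
        for entry in resolver.get("Certificates") or []:
            names = [entry["domain"].get("main")] + list(entry["domain"].get("sans") or [])
            if domain in names:
                cert_pem = base64.b64decode(entry["certificate"])
                key_pem = base64.b64decode(entry["key"])
                if not key_pem.startswith(b"-----BEGIN"):
                    raise ValueError("decoded key is not PEM; acme.json may be corrupt")
                return cert_pem, key_pem
    return None


def fingerprint(cert_pem: bytes) -> str:
    """SHA-256 of the DER form of the first PEM block; also validates the PEM framing."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem.decode("ascii"))
    return hashlib.sha256(der).hexdigest()


def write_private(path: str, data: bytes) -> None:
    # Create with 0600 and re-apply it in case the file already existed with a looser mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)


def sync(acme: dict, domain: str, out_dir: str, state_path: str) -> str:
    """Write cert.pem/key.pem into out_dir; return 'updated' or 'unchanged'."""
    found = find_certificate(acme, domain)
    if found is None:
        raise LookupError(f"no certificate for {domain} in acme.json")
    cert_pem, key_pem = found
    fp = fingerprint(cert_pem)
    previous = None
    if os.path.exists(state_path):
        with open(state_path, "r", encoding="ascii") as f:
            previous = f.read().strip()
    if previous == fp:
        return "unchanged"  # same certificate as last run: nothing to copy, no restart needed
    write_private(os.path.join(out_dir, "cert.pem"), cert_pem)
    write_private(os.path.join(out_dir, "key.pem"), key_pem)
    with open(state_path, "w", encoding="ascii") as f:
        f.write(fp + "\n")
    return "updated"


def run_demo():
    """Run sync twice against the sample in a temp dir; returns (first, second, key_mode)."""
    with tempfile.TemporaryDirectory() as d:
        state = os.path.join(d, "last_fingerprint")
        first = sync(SAMPLE_ACME, "mc.mydomain.co.nz", d, state)
        second = sync(SAMPLE_ACME, "mc.mydomain.co.nz", d, state)
        key_mode = os.stat(os.path.join(d, "key.pem")).st_mode & 0o777
    return first, second, key_mode


if __name__ == "__main__":
    print(run_demo())  # on a real host: sync(load_acme(ACME_JSON_PATH), DOMAIN, TMP_DIR, STATE_FILE)
```

The scp/ssh step stays as in the post; the script above only replaces the jq extraction, so the cron job would call it first and copy the files only when it reports "updated". Note that Traefik's `certificate` field holds the full chain (leaf plus intermediate), which is what Mesh Central expects in its public certificate file.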