Copy Let's Encrypt certificate to another server automatically

NethServer Version: 7.9.2009
I have a front and reverse proxy NS server which also generates the certificates for all domains it proxies to other NS servers. How can I automatically transfer the certificates to these servers? Until now, I went into the /etc/letsencrypt/live/mydomain directories, copied privkey.pem, chain.pem and cert.pem and imported them via the GUI, but this is a manual process.

@carsten

Hello Carsten

You can add in a script triggered by the LetsEncrypt update script (=Software “Hook”).

I have this working at home for my NethServer’s AD (I need this for EcoDMS to be able to see / use AD users…).

My 2 cents
Andy

1 Like

Could you provide the script? Which files have to be copied to which location? When I import the certificate by hand it has the .crt extension, but the Let's Encrypt certs have .pem. Do I have to convert them first?

@carsten

Hi

I created the script with:

nano /etc/e-smith/events/certificate-update/S80push2ad

Note:

I need this for getting NethServer’s AD to use the LetsEncrypt Certs.
If you need more than one such job, just create copies with the appropriate name…

Script contents (Replace SERVER-FQDN with the real value, there should be a folder there…):

#!/bin/bash
# Copy the current Let's Encrypt private key and full chain into the nsdc container's Samba TLS directory
# (-f overwrites, -p keeps the source file's mode and timestamps), then restart Samba inside the container.
cp -f -p /etc/letsencrypt/live/SERVER-FQDN/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
cp -f -p /etc/letsencrypt/live/SERVER-FQDN/fullchain.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
systemctl -M nsdc restart samba

Above, I only copied the files I need. If you need more or other files, adapt as needed.
The most important thing is: This is triggered automatically, whenever LE updates its certs…

Depending on what your TARGET is (another server, an OPNsense firewall, a NAS) you might need different files, and more importantly you might need different mechanisms to put the files in the right place (e.g. on OPNsense, there's a script available!) due to permission issues on the target device…

My 2 cents
Andy

3 Likes

@carsten

PS:

Don’t forget to set the executable permission on your script! :slight_smile:

My 2 cents
Andy

Hi Carsten,

mine is as follows (skipped the part where I copy it to OPNsense and execute a php script to import it there by ssh):

scp -P Port /etc/letsencrypt/live/domain.tld/privkey.pem root@dc.domain.tld:/var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem \
  && scp -P Port /etc/letsencrypt/live/domain.tld/fullchain.pem root@dc.domain.tld:/var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem \
  && ssh -p Port root@dc.domain.tld 'systemctl -M nsdc restart samba'

Something it seems a lot of people don’t know is that you can run commands on a remote system using ssh. The syntax is simple enough, just ssh user@host command. So if you wanted to script copying a cert to a remote host, and then restart the web server, your script might have a few scp commands, followed by ssh root@neth-backup systemctl reload httpd.

Edit: which I see is used in the comment above mine, but thought it was worth making explicit.

1 Like
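Putting the two approaches above together (Andy's certificate-update hook that copies into the nsdc container, and the scp/ssh variant that pushes to another host and restarts the service remotely), here is an added example of a complete action script. It is not code from any of the posters or from the NethServer project. Everything named in it is an assumption: the action path /etc/e-smith/events/certificate-update/S85push-certs, the proxy FQDN proxy.example.org, the state file /var/lib/cert-push.sha256, a dedicated passphrase-less SSH key /root/.ssh/cert-push, and the TARGETS list (empty by default, so the script does nothing until you fill it in). Beyond the posts, it adds the two checks a practitioner wants before restarting a service over SSH: that the private key really belongs to the certificate (so a half-renewed or mixed-up pair never gets pushed), and that the certificate actually changed since the last push (the event can fire without a renewal). On the .pem versus .crt question: Let's Encrypt's files are already PEM-encoded, and the extension is only a naming convention, so no conversion is needed; the script simply writes them under the target's expected names.

```shell
#!/bin/bash
# Added example (not NethServer project code): action script for the
# certificate-update event that pushes a renewed Let's Encrypt certificate to
# other hosts and restarts the service that uses it. All paths, names and the
# SSH key below are assumptions; adjust them to your setup.

FQDN="proxy.example.org"                               # assumed FQDN of the reverse proxy that holds the certs
LIVE="/etc/letsencrypt/live/$FQDN"
STATE="/var/lib/cert-push.sha256"                      # assumed file recording the fingerprint last pushed
SSH_KEY="/root/.ssh/cert-push"                         # assumed dedicated key; restrict it on the target via authorized_keys
TARGETS=""                                             # space-separated user@host:port entries, e.g. "root@dc.domain.tld:22"
REMOTE_KEY="/var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem"
REMOTE_CERT="/var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem"
REMOTE_RESTART="systemctl -M nsdc restart samba"

# verify_pair KEY CERT: true when the private key matches the certificate's
# public key. Both are reduced to SubjectPublicKeyInfo PEM, so it works for
# RSA and EC keys alike; only the first certificate in a chain file is read.
verify_pair() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_changed FILE STATEFILE: true when FILE's sha256 differs from the one
# recorded in STATEFILE (or nothing is recorded yet).
cert_changed() {
    local new old
    new=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# record_pushed FILE STATEFILE: remember FILE's sha256 after a successful push,
# so a failed push is retried on the next event instead of being forgotten.
record_pushed() {
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# push_to_target user@host[:port]: copy key and full chain with their modes
# preserved (-p), and restart the consumer only if both copies succeeded.
push_to_target() {
    local dest="$1" port=22
    case "$1" in *:*) dest="${1%:*}"; port="${1##*:}";; esac
    scp -p -P "$port" -i "$SSH_KEY" "$LIVE/privkey.pem"   "$dest:$REMOTE_KEY"  || return 1
    scp -p -P "$port" -i "$SSH_KEY" "$LIVE/fullchain.pem" "$dest:$REMOTE_CERT" || return 1
    ssh -p "$port" -i "$SSH_KEY" "$dest" "$REMOTE_RESTART"
}

main() {
    local t rc=0
    if ! verify_pair "$LIVE/privkey.pem" "$LIVE/fullchain.pem"; then
        echo "push-certs: key/cert mismatch in $LIVE, not pushing" >&2
        return 1
    fi
    if ! cert_changed "$LIVE/fullchain.pem" "$STATE"; then
        echo "push-certs: certificate unchanged, nothing to do" >&2
        return 0
    fi
    for t in $TARGETS; do
        push_to_target "$t" || { echo "push-certs: push to $t failed" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] && record_pushed "$LIVE/fullchain.pem" "$STATE"
    return "$rc"
}

# The event runner passes the event name as $1, which this script does not
# need. Nothing is pushed until TARGETS is configured.
if [ -n "$TARGETS" ]; then
    main
fi
```

Save it as an action under the certificate-update event, make it executable, and fill in TARGETS and the SSH key. On each target, bind the key in authorized_keys to exactly the commands it needs (scp to the two TLS paths and the restart), so a compromise of the proxy does not hand out an unrestricted root shell on every server it pushes to.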