I have a NethServer installation behind a firewall that won’t allow inbound HTTP connections, so the built-in Let’s Encrypt support won’t work. I’m still wanting to obtain a Let’s Encrypt cert, but I’ll do it using acme.sh and DNS validation; that much is easy enough. That leaves two questions, though:
Is there a preferred place for the cert/chain/key to be saved? I assume these can be set with db properties, but some locations would be better than others, no doubt.
What event reconfigures whatever services are using a TLS cert, to use a new one?
Sure, but I can’t automate that. And it looks like the relevant config entries are under the pki key in the config database. Looks straightforward enough.