Netgate Discussion Forum

Automating ACME Letsencrypt

ACME
    remis4
    last edited by Mar 1, 2017, 4:00 AM Mar 1, 2017, 3:45 AM

    New to the forum and first post. Apologies if this is the wrong location or already answered (although I did some research first).

    Thank you for the ACME pkg!

    I successfully got SSL certs, but am now looking to automate the process since it's on 90-day intervals. The General tab of ACME states:

    Enable Acme client renewal job. This will configure cron to renew certificates once a day at 3:16. Keeping track of the last successful renewal and the number of days set after to renew again. When renewal happens a service can be restarted or a shell script run to load the new certificate for services that need it; if needed this needs to be configured as an action under the certificate settings.

    A couple questions:
    1. I found the certs in /tmp/acme/<domain>… Since this is tmp, is it deleted upon reboot, which could cause a loss of certs?

    2. Are the certs copied anywhere else? I am looking into a shell script to run to update HAProxy whenever I click issue/renew. Where are the haproxy config files? I'm guessing a shell script with a couple of sed cmds to replace dated certs is all that's needed, but please let me know what else I will need to consider.

      jimp Rebel Alliance Developer Netgate
      last edited by Mar 1, 2017, 2:38 PM

      The certificates are stored in the firewall's config.xml - check in the certificate manager in the GUI and you'll find them there. HAProxy pulls them from there as well. If HAProxy is set to use them you should only have to restart HAProxy after the renewal. Assuming you configured the HAProxy package using the package GUI and not manually.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        joppybt
        last edited by Mar 1, 2017, 7:37 PM

        A small hijack of this topic: I have the same problem with the Squid reverse proxy. Renewal of the certificate works fine but Squid keeps serving the old certificate.

        The renew action is set to /usr/local/etc/rc.d/squid.sh restart but that does not help. Even when I ssh into the box and do this restart manually it makes no difference.
        What however does help is pressing Save in the Squid reverse proxy page.

        My guess: Squid makes a local copy of the certificates in "/usr/local/etc/squid" and only refreshes this on Save, not on reload.
        Is there a way to do this 'Save' as renewal action after the ACME refresh?

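One way to make the renewal action self-checking, for both jimp's advice above (restart HAProxy after renewal) and joppybt's Squid symptom (a restart that leaves the old certificate in service). This is an added example, not code from the thread or from the ACME, HAProxy or Squid packages: it compares the SHA-256 fingerprint of the certificate the ACME package just wrote with the fingerprint of the certificate the proxy actually presents on its TLS port, restarts the service only when they differ, and re-checks afterwards so a restart that did not pick up the new certificate is reported instead of silently assumed to have worked. The certificate path, host, port, SNI name and restart command are placeholders (my assumptions, not values from the thread), and it is written for Python 3.

```python
"""Post-renewal check: restart a TLS service only if it still serves the old cert.

Added example for use as a pfSense ACME renewal action; not the ACME, HAProxy
or Squid package's own code. The path, host, port, SNI name and restart
command below are placeholders (assumptions), to be adapted to the firewall.
"""
import base64
import hashlib
import re
import socket
import ssl
import subprocess
import sys
import time

# Placeholder values (assumed, not taken from the thread).
NEW_CERT_PATH = "/tmp/acme/example.com/example.com.cer"  # hypothetical path
SERVICE_HOST = "127.0.0.1"            # where the proxy listens for TLS
SERVICE_PORT = 443
SERVER_NAME = "example.com"           # SNI name, so HAProxy selects the right cert
RESTART_CMD = ["/usr/local/etc/rc.d/haproxy.sh", "restart"]

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string.

    Anything outside the markers (an 'issuer=' header, or chain certificates
    that follow the leaf) is ignored, so a full-chain file yields the leaf only.
    """
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem_text):
    """SHA-256 fingerprint of a PEM certificate as upper-case colon-separated hex,
    the same form that 'openssl x509 -noout -fingerprint -sha256' prints."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_certificate(host, port, server_name, timeout=5.0):
    """Fetch the leaf certificate the service presents, as PEM text.

    Verification is disabled on purpose: the point is to see whatever the
    service serves, including an expired or stale certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def service_is_stale(new_pem, served_pem):
    """True when the service presents something other than the newly issued cert."""
    return fingerprint(new_pem) != fingerprint(served_pem)


def main():
    with open(NEW_CERT_PATH) as fh:
        new_pem = fh.read()
    served = served_certificate(SERVICE_HOST, SERVICE_PORT, SERVER_NAME)
    if not service_is_stale(new_pem, served):
        print("service already presents %s" % fingerprint(new_pem))
        return 0
    print("stale certificate %s served, restarting" % fingerprint(served))
    subprocess.check_call(RESTART_CMD)
    time.sleep(2)  # give the service a moment to come back up
    # Re-check: a restart that does not reload the certificate (the Squid
    # symptom) must fail loudly here rather than look like success.
    served = served_certificate(SERVICE_HOST, SERVICE_PORT, SERVER_NAME)
    if service_is_stale(new_pem, served):
        sys.stderr.write("still serving the old certificate after restart\n")
        return 2
    print("restart picked up %s" % fingerprint(new_pem))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Point the certificate's shell-script action (or a cron entry run after the 3:16 renewal job) at this script; a non-zero exit lands in the cron/ACME log, which is the signal that the "press Save" workaround is still needed for that service. Only the live check touches the network; the fingerprint itself can be compared by hand against `openssl x509 -noout -fingerprint -sha256 -in <file>`.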
          remis4
          last edited by Mar 2, 2017, 3:20 AM

          Thank you for the replies.

          I'm testing some commands to automate restarting haproxy in a couple of instances (when my cert renews and when my WAN IP changes). We had some power outages this week and my WAN IP has changed 3 times (the UPS keeps pfSense up, but the remote VZ gateway went down and my IP changed). I noticed I needed to restart HAProxy for it to successfully route to my webservers after my WAN IP changed. I have a Python script to update the GoDaddy A record if a change is detected, and at the end of the script I would like to restart haproxy, but I got the following error (still testing):

          : /usr/local/bin/python2.7

          from subprocess import call
          call(["/usr/local/etc/rc.d/haproxy.sh", "restart"])
          Restarting haproxy.
          Starting haproxy.
          cannot open command socket, haproxy not running? (Permission denied)0

          The logs read:
          Mar 1 22:06:04 php-cgi haproxy: startup error output!: [ALERT] 059/220604 (79520) : Starting frontend GLOBAL: cannot switch final and temporary UNIX sockets [/tmp/haproxy.socket]
          Mar 1 22:06:04 php-cgi haproxy: started new pid:89543
          Mar 1 22:06:04 php-cgi haproxy: reload old pid:89543

          any advice is appreciated!

            remis4
            last edited by Mar 4, 2017, 12:39 AM

            So the ACME action section has THE example i was looking for to restart haproxy. That's simple enough of a fix when my cert renews.

            On another note, I wrote a script that works as a cron job in pfSense to update GoDaddy A records.

            https://github.com/nkleck/Godaddy-DDNS.git

            It's a bit simpler than some of the other options out there, but it's written with libraries already available in pfSense's FreeBSD Python. So you don't have to worry about installing requests; it's using urllib2 :-X . The usage is pretty straightforward in the cron job.

            2 * * * * root /usr/local/bin/python2.7 /home/<your user>/godaddy-ddns.py hostname.domain.tld

            It also restarts HAProxy at the end of it if a change was detected. Not sure if it's needed, as I found today the 'Reload behaviour' checkbox in HAProxy that might do the same thing.

              blarg3891
              last edited by Mar 9, 2017, 9:31 PM

              Why don't you just use a CNAME with a dyndns provider for your GoDaddy records so you don't have to update them? One of my domains' DNS is hosted with Namecheap. Namecheap allows you to create your own free dyndns records. You would then go into GoDaddy and create a CNAME that points to this record. Set up dynamic DNS in pfSense. Every time your IP is updated in pfSense, it will auto-update the CNAME. I find this is the easiest method.

              Your way works fine, I'm sure, just letting you know.

                remis4
                last edited by Mar 10, 2017, 2:54 AM

                I use Namecheap for a domain I own, but I'm also hosting a FQDN for someone else, for which I do not have a choice; they are using GoDaddy.

                  jpns
                  last edited by Mar 23, 2017, 11:11 AM

                  Is domain ownership validation performed on every renewal, or only on the initial issuance?

                    yodaphone
                    last edited by Mar 23, 2017, 11:48 AM

                    @remis4:

                    I use Namecheap for a domain I own, but I'm also hosting a FQDN for someone else, for which I do not have a choice; they are using GoDaddy.

                    AFAIK the acme package doesn't work with Namecheap, so I moved my DNS to Cloudflare (free account).

                      MikeV7896
                      last edited by Mar 25, 2017, 1:49 AM

                      @jpns:

                      Is domain ownership validation performed on every renewal, or only on the initial issuance?

                      I'm pretty sure it's on every renewal, to make sure that if the domain were sold/traded, you can't still renew a certificate for that domain as the previous owner of it.

                      The S in IOT stands for Security

                        jimp Rebel Alliance Developer Netgate
                        last edited by Mar 27, 2017, 3:40 PM

                        There is a grace period on the authz and beyond that it must revalidate. I can't remember the exact time limit, they keep lowering it as the service matures.

                          r0bb10
                          last edited by Aug 6, 2017, 4:11 PM

                          @remis4:

                          So the ACME action section has THE example i was looking for to restart haproxy. That's simple enough of a fix when my cert renews.

                          On another note, I wrote a script that works as a cron job in pfSense to update GoDaddy A records.

                          https://github.com/nkleck/Godaddy-DDNS.git

                          It's a bit simpler than some of the other options out there, but it's written with libraries already available in pfSense's FreeBSD Python. So you don't have to worry about installing requests; it's using urllib2 :-X . The usage is pretty straightforward in the cron job.

                          2 * * * * root /usr/local/bin/python2.7 /home/<your user>/godaddy-ddns.py hostname.domain.tld

                          It also restarts HAProxy at the end of it if a change was detected. Not sure if it's needed, as I found today the 'Reload behaviour' checkbox in HAProxy that might do the same thing.

                          Hi, I saw your script for the DNS A record on GoDaddy. Is it possible to make it work to change the @ record? I'm just too dumb to figure out how to change it :|

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.