Jérémy Lecour jlecour @Evolix Marseille, France https://jeremy.lecour.fr Sysadmin, web developer, human and technical facilitator at @evolix. Not available for hire. He/him.

jlecour/breadcrumbs_on_rails 3

A simple Ruby on Rails plugin for creating and managing a breadcrumb navigation.

jlecour/ck_fu 2

Adds a development toolbar to your site that makes it easy to tell the difference between development, staging, and production.

Autrement/google_currency 1

Ruby Money::Bank interface for the Google Currency exchange data

jlecour/activewarehouse-etl 1

Extract-Transform-Load library from ActiveWarehouse

jlecour/acts-as-dag 1

Directed Acyclic Graph hierarchy for Rails' ActiveRecord models

jlecour/adapter_extensions 1

Adapter extensions for ActiveRecord

jlecour/amatch 1

Approximate String Matching library

jlecour/authlogic 1

A clean, simple, and unobtrusive ruby authentication solution.

jlecour/boolean 1

An object that represents truth

jlecour/chronic 1

Chronic is a pure Ruby natural language date parser.

PR opened brainsys-io/audit

Backport of improvements

Copying back improvements (syntax, typos, function extraction…) made on the base you had written when you were at Evolix.

+78 -64

0 comment

1 changed file

pr created time in 12 days

push event jlecour/audit

Jérémy Lecour

commit sha d2c436646059ceb94d2d3bde5ad95a2896181516

Backport of improvements. Copying back improvements (syntax, typos, function extraction…) made on the base you had written when you were at Evolix.


push time in 12 days


issue comment acmesh-official/acme.sh

Documentation : --install-cert vs. deploy scripts

Hi @Neilpang

Thanks for your answer. Initially I was disappointed because you've answered just a small part of my interrogations, but, I've tried to investigate based on your information and I've found the path to all my answers.

I had already tried to "install" a test cert in a target directory and noticed that the file names and the reload command had been stored in the certificate configuration file. This morning, I've tried to use the ssh deploy to copy the cert to a remote server over SSH. Obviously it worked, but the epiphany happened when I noticed that the deploy hook configuration had also been stored in the cert configuration:

Le_DeployHook='ssh,'
Le_Deploy_ssh_user='jlecour'
Le_Deploy_ssh_server='::1'
Le_Deploy_ssh_backup='yes'
Le_Deploy_ssh_backup_path='.acme_ssh_deploy'
Le_Deploy_ssh_keyfile='/tmp/prikey.pem'
Le_Deploy_ssh_fullchain='/tmp/fullchain.pem'

It shows that acme.sh --deploy --deploy-hook ssh […] has to be run once, and that many hooks can be configured to run at renew time.

So, I'll try to answer my own question and use cases.

From a server that responds to the example.com domain, I want to issue a certificate that I can use locally (with Apache for example), but also on a remote mail server (deployed over SSH).

# acme.sh --issue --domain www.example.com […]
# acme.sh --install-cert --domain www.example.com --key-file /etc/apache2/ssl/www.example.com.privkey.pem --fullchain-file /etc/apache2/ssl/www.example.com.fullchain.pem --reloadcmd "systemctl reload apache2"
# DEPLOY_SSH_USER=jlecour […] acme.sh --deploy --domain www.example.com --deploy-hook ssh

Then at each renew, the install step and all the hooks will be executed.

In a setup with 2 load-balancers, I want to have one of them issue/renew certificates, that are locally deployed to HAProxy, but also deployed to HAProxy on the other load-balancer (over SSH).

After issuing the certificate, there is no need to install the cert, but a haproxy hook will set up HAProxy locally, and an ssh hook will copy it to the second load-balancer.

I still have to figure out how to execute the haproxy hook remotely.

A wildcard certificate issued/renewed on a server, but deployed over SSH on many remote servers (mail, FTP, web…).

Same as before: no install step, but several ssh deploy hooks to copy the files to the remote servers.

I still have to figure out how to execute different scripts on remote servers.

jlecour

comment created time in a month
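One way to confirm, from a certificate's own .conf file, which deploy hooks acme.sh has stored and will re-run at renew time, as an added example that is not part of the comment above and not acme.sh's own code. It assumes the KEY='value' layout shown in the comment; the file contents below are constructed from those values, and the helper names (conf_value, list_deploy_hooks, deploy_settings, report) are illustrative, not acme.sh functions.

```shell
#!/bin/sh
# Added example, not acme.sh code: read a certificate's .conf and report which
# deploy hooks (and their settings) will be applied again at every renewal.
# Assumes the KEY='value' layout shown in the comment above. The sample below is
# constructed from the values in that comment.
SAMPLE_CONF=$(cat <<'EOF'
Le_Domain='www.example.com'
Le_DeployHook='ssh,'
Le_Deploy_ssh_user='jlecour'
Le_Deploy_ssh_server='::1'
Le_Deploy_ssh_backup='yes'
Le_Deploy_ssh_backup_path='.acme_ssh_deploy'
Le_Deploy_ssh_keyfile='/tmp/prikey.pem'
Le_Deploy_ssh_fullchain='/tmp/fullchain.pem'
EOF
)

# conf_value FILE KEY: print the unquoted value of KEY='value' (empty if absent)
conf_value() {
  sed -n "s/^$2='\\(.*\\)'\$/\\1/p" "$1"
}

# list_deploy_hooks FILE: one hook name per line. Le_DeployHook is a
# comma-separated list with a trailing comma ('ssh,' or 'haproxy,ssh,').
list_deploy_hooks() {
  conf_value "$1" Le_DeployHook | tr ',' '\n' | sed '/^$/d'
}

# deploy_settings FILE HOOK: print name=value for every Le_Deploy_<HOOK>_* key
deploy_settings() {
  sed -n "s/^Le_Deploy_$2_\\([A-Za-z0-9_]*\\)='\\(.*\\)'\$/\\1=\\2/p" "$1"
}

# report FILE: summary an operator can read before the next renewal, to see
# which remote hosts are involved and where the private key will be copied.
report() {
  printf 'Hooks stored for %s (run again at every renew):\n' "$(conf_value "$1" Le_Domain)"
  for hook in $(list_deploy_hooks "$1"); do
    printf '  %s\n' "$hook"
    deploy_settings "$1" "$hook" | sed 's/^/    /'
  done
}

# Stand-alone run against the constructed sample
conf_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf_file"
report "$conf_file"
rm -f "$conf_file"
```

On a real installation the file to pass is the per-domain .conf under the acme.sh home directory (the path the issue below refers to as acme.sh/my-domain/my-domain.conf); real files carry more keys than the sample, which the helpers simply ignore.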

issue opened acmesh-official/acme.sh

Documentation : --install-cert vs. deploy scripts

Hi,

I'm currently trying to move from certbot to acme.sh and I have some difficulties understanding the differences between the --install-cert step and the deploy hooks that are available.

I understand that when a certificate has just been issued it simply exists inside acme.sh's own directory and that we must not use it directly.

I understand that there is a single "install" profile (that we can see in the acme.sh/my-domain/my-domain.conf). This profile describes where the certificate/chain/key are stored and an optional reload command. It seems that the install action is "just" a couple of cat commands to copy the files into the desired destination and after them, the reload command is run. It seems that when the certificate is renewed, the same actions (cat and reload) happen automatically.

The deploy hooks seem to allow much more complex actions: copy the files over SSH, deploy combined files to HAProxy… If the reload logic is present in the deploy script then it's there, but for example the "apache" and "nginx" deploy scripts are empty.

I don't understand if and how the deploy scripts can be automatically run when a certificate is renewed. Should I create a custom script which runs all the deploy scripts I want (with the correct environment variables) and set it to run as "reloadcmd"?

Here are a few complete examples that I have in mind :

  1. From a server that responds to the example.com domain, I want to issue a certificate that I can use locally (with Apache for example), but also on a remote mail server (deployed over SSH).
  2. In a setup with 2 load-balancers, I want to have one of them issue/renew certificates, that are locally deployed to HAProxy, but also deployed to HAProxy on the other load-balancer (over SSH).
  3. A wildcard certificate issued/renewed on a server, but deployed over SSH on many remote servers (mail, FTP, web…).

Thanks for your help

created time in a month

started varnishcache/varnish-devicedetect

started time in 2 months
