TL;DR: How do I automatically renew certificates and import these into ADM Certificate Manager via CLI?
As the Let's Encrypt App currently provided by Asustor only supports http-01 challenge claims, which requires ports 80 and 433 to be exposed (which I do not want), and not dns-01 challenge claims when handling certificates, I need to do a few things manually.
So, I have generated a certificate via Let's Encrypt using a dns-01 challenge, a domain provided by Duck DNS and a few shell scripts wrapping ght-acme.sh. This is fine; crt.sh shows the certificate is valid. Importing the certificate manually via ADM Certificate Manager is possible, and the ADM Portal uses it well enough when the certificate is set as default.
I am planning on adding a cron job which attempts to renew the certificate once a month. The issue, however, is that I would like to be able to automatically import the renewed certificate into ADM Certificate Manager from the command line.
I have been digging around the system and the forums a little, and it seems that:
- certificates handled via ADM Certificate Manager are referenced in /volume0/usr/builtin/etc/certificate/certificate.json and located in /volume0/usr/share/builtin/etc/certificate/ssl/, and perhaps the default certificate is copied to /volume0/usr/share/builtin/etc/certificate/ (although with the wrong permissions set). Lighttpd has symbolic links to the previously mentioned location as well, so I am guessing that I might be right.
/usr/builtin is a symbolic link to /volume0/usr/builtin/, as seen below:
Code:
$ ls -la /volume0/usr/etc/lighttpd/ | grep ssl
lrwxrwxrwx 1 root root 38 Jul 12 22:34 lighttpd.chain -> /usr/builtin/etc/certificate/ssl.chain
lrwxrwxrwx 1 root root 36 Jul  6 19:08 lighttpd.pem -> /usr/builtin/etc/certificate/ssl.pem
Code:
$ ls -la /usr/builtin
lrwxrwxrwx 1 root root 20 Jul 19 19:34 /usr/builtin -> /volume0/usr/builtin/
- There is a cron job defined which supposedly attempts to renew the default certificate, but I doubt this will work for dns-01 challenge claims as I do not think this is supported currently. I have tried calling the binary with different arguments (--help/-h/h/help being some of them) without any response, so currently I do not know if this could be used, but I expect not. This seems to be a binary compiled perhaps from C, so it is not human readable.
Code:
$ sudo crontab -l | grep certificate
0 0 * * * TAG=CERTIFICATE /usr/builtin/bin/certificate update-cert
- Digging through the libraries and files in /volume0/usr/builtin/webman (the web application used by ADM Portal), it seems that the application is making client-side calls to /volume0/usr/builtin/webman/portal/certificate.cgi. What language this is written in I do not know (assuming something like Perl or C), but the few human-readable parts indicate that Asustor could be using acmesh-official internally.
Remove the Asustor-supported Let's Encrypt app. Manually generate a certificate and manually import this into ADM Certificate Manager. Set up my own certificate renewal scripts via cron, which also restart all services/containers/apps etc. as needed. Finally, just live with the fact that I cannot import the renewed certificate into ADM Certificate Manager automatically from the CLI. However, this does feel like an ugly hack to me.
At this point I am open to suggestions.
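As an added example (not part of the original post, and not code from Asustor or ght-acme.sh), below are the checks a cron-driven renewal script should make before dropping files where lighttpd looks: only act when the live certificate is close to expiry, refuse to install a certificate whose public key does not match the private key (a typical failure when a renewal writes a new key but the copy step picks up the old one), and install atomically with the private key restricted to its owner, which addresses the wrong-permissions worry raised in the post. The destination directory and the file names ssl.pem/ssl.key are assumptions; the post only confirms that lighttpd's links point at /usr/builtin/etc/certificate/ssl.pem and ssl.chain, not what ADM's Certificate Manager expects. The dns-01 renewal step itself is left to the ACME client and is not reproduced here. The test material is a throwaway self-signed certificate generated inline.

```sh
#!/bin/sh
# Added example: cron-safe post-renewal installer for an ACME certificate.
# CERT_DIR layout (ssl.pem / ssl.key) and the paths are assumptions, not ADM's
# confirmed layout. Requires only POSIX sh and the openssl CLI.
set -eu

# Return 0 (true) when certificate $1 expires within $2 days, 1 otherwise.
cert_needs_renewal() {
  cert=$1; days=$2
  # -checkend N exits 0 while the certificate is still valid N seconds from now
  if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Return 0 when the public key in certificate $1 equals the public key of key $2.
key_matches_cert() {
  cert=$1; key=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Install fullchain $1 and private key $2 into directory $3 as ssl.pem / ssl.key.
# Files are staged inside the destination directory and renamed into place, so a
# reader (lighttpd, ADM) never observes a half-written file; the key is 0600.
install_cert() {
  fullchain=$1; key=$2; dest=$3
  key_matches_cert "$fullchain" "$key" || {
    echo "certificate does not match private key, not installing" >&2
    return 1
  }
  mkdir -p "$dest"
  ( umask 077                                   # staged copies are owner-only
    cp "$fullchain" "$dest/.ssl.pem.tmp"
    cp "$key" "$dest/.ssl.key.tmp" ) || return 1
  chmod 644 "$dest/.ssl.pem.tmp"               # the chain is public material
  chmod 600 "$dest/.ssl.key.tmp"               # the private key stays owner-only
  mv -f "$dest/.ssl.pem.tmp" "$dest/ssl.pem"   # rename is atomic on one filesystem
  mv -f "$dest/.ssl.key.tmp" "$dest/ssl.key"
}

# Permission string as shown by ls -l, e.g. "-rw-------" (portable across ls variants).
mode_of() { ls -l "$1" | cut -c1-10; }

# Constructed test material: a self-signed certificate valid for 30 days plus an
# unrelated second key to exercise the mismatch check.
make_test_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=nas.example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.pem" >/dev/null 2>&1
}

# Stand-alone demonstration on the constructed material. A real cron job would
# call install_cert with the files the dns-01 client wrote, then reload lighttpd.
demo() {
  work=$(mktemp -d)
  make_test_material "$work"
  if cert_needs_renewal "$work/cert.pem" 45; then
    echo "renewal due: certificate expires within 45 days"
  fi
  install_cert "$work/cert.pem" "$work/key.pem" "$work/live"
  echo "installed ssl.key with mode $(mode_of "$work/live/ssl.key")"
  if install_cert "$work/cert.pem" "$work/other.pem" "$work/live2" 2>/dev/null; then
    echo "unexpected: mismatched key was installed"
  else
    echo "mismatched key correctly rejected"
  fi
  rm -rf "$work"
}
demo
```

The renewal threshold is deliberately generous (45 days here; Let's Encrypt certificates are valid for 90 days) so that a monthly cron run always has at least one retry before expiry; with a 30-day cron interval and a 30-day threshold a single failed run could leave the NAS serving an expired certificate.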