Automatic TLS certificate renewal using acme.sh #92

Open
Dantevg opened this issue Mar 4, 2024 · 0 comments
Labels
backend Related to the Spigot plugin enhancement New feature or request size: medium A feature or fix that is inbetween large and small


Dantevg commented Mar 4, 2024

This feature builds further on #23, by adding the functionality to work with acme.sh to automatically renew a TLS certificate to be used for WebStats HTTPS support. The reason to implement this in WebStats and not in a third-party plugin is just for convenience: I don't really want people to need to install a separate plugin to enable full automatic no-hassle HTTPS support.

Note to readers: I don't actually know if this will work this way because I have not tested it yet.

To do this, a new command along the lines of /webstats renew-certificate will be added. Either the user can set up a recurring task with their server software to run this command, or WebStats could provide a way to run this command periodically.

Renewal command behaviour

1. Install

  • No acme.sh in plugin directory yet (first use):
    1. Download latest acme.sh to plugin directory
    2. Install(?) with acme.sh --install [...] (see advanced installation resource)
  • acme.sh already present:
    1. Update with acme.sh --upgrade [1]

2. Issue or renew certificate

  • No certificate yet:
    1. Issue a new certificate: acme.sh --issue --dns dns_duckdns -d mydomain.duckdns.org -d *.mydomain.duckdns.org [2]
  • Certificate present already:
    1. Renew certificate: acme.sh --renew -d example.com --force [3]

3. Convert certificate file

If the renewal was successful, we probably need to convert the generated files into a usable format with acme.sh --toPkcs -d <domain> [--password pfx-password] [4]

TODO: find out whether this is necessary.

4. Restart WebStats

Restart WebStats when the acme.sh shell script has finished running.

Maybe: read the script's output to detect whether certificate renewal was successful, and display any errors in the server's console. TODO: figure out the output format of acme.sh

Config file

Something along these lines:

https: # already present
  # ...

  # The domain name to issue a TLS certificate for
  domain: mydomain.duckdns.org

  # The email address for Let's Encrypt
  email: example@example.com

Resources

Footnotes

  1. https://github.com/acmesh-official/acme.sh?tab=readme-ov-file#14-how-to-upgrade-acmesh

  2. https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_duckdns

  3. https://github.com/acmesh-official/acme.sh?tab=readme-ov-file#12-how-to-renew-the-certs

  4. https://github.com/acmesh-official/acme.sh/wiki#3-how-to-get-pkcs12pfx-format

@Dantevg Dantevg added enhancement New feature or request size: medium A feature or fix that is inbetween large and small backend Related to the Spigot plugin labels Mar 4, 2024
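
The issue-or-renew decision from the renewal steps above, as an added example that is not part of the original issue or of the WebStats code base. It assumes acme.sh sits in the plugin directory and keeps certificates in a `<domain>` or `<domain>_ecc` subdirectory there; `valid_domain`, `plan_acme` and `run_acme` are hypothetical names, and the domain check is an addition so that the config value can never be read as an acme.sh option.

```shell
#!/bin/sh
# Added example (not WebStats code): plan and run the acme.sh call for
# a renew-certificate command. Helper names and the directory layout
# ($home/acme.sh, $home/<domain> or $home/<domain>_ecc) are assumptions.

# Accept only lowercase DNS names, so a value from the config file cannot
# start with "-" (option injection) or carry shell metacharacters.
valid_domain() {
    case "$1" in
        ''|-*|.*|*..*|*.|*-) return 1 ;;
        *[!a-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the acme.sh arguments for the current state, one per line.
# $1 = plugin directory used as acme.sh home, $2 = domain from the config.
plan_acme() {
    home=$1 domain=$2
    valid_domain "$domain" || { echo "invalid domain in config" >&2; return 64; }
    if [ ! -f "$home/acme.sh" ]; then
        echo "acme.sh not installed in $home" >&2; return 69
    fi
    if [ -d "$home/$domain" ] || [ -d "$home/${domain}_ecc" ]; then
        # Certificate present already: renew it.
        printf '%s\n' --home "$home" --renew -d "$domain" --force
    else
        # No certificate yet: issue one, including the wildcard name.
        printf '%s\n' --home "$home" --issue --dns dns_duckdns \
            -d "$domain" -d "*.$domain"
    fi
}

# Run the plan without eval: each planned line becomes exactly one argument,
# and globbing is off so "*.domain" reaches acme.sh unexpanded.
run_acme() {
    plan=$(plan_acme "$1" "$2") || return
    set -f; old_ifs=$IFS; IFS='
'
    # shellcheck disable=SC2086
    set -- "$1" $plan
    IFS=$old_ifs; set +f
    home=$1; shift
    "$home/acme.sh" "$@"
}
```

`run_acme` returns acme.sh's exit status, which the caller can use to decide whether to restart WebStats or print an error to the server console.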