Acme.sh and --deploy

Hi folks,

I have OpenWrt and acme.sh configured on my router, receiving a wildcard dns for my home domain (*.home.xxx). I'd like to push that same key/certificate to other devices on my home network whenever it is renewed, such as OpenWrt DumbAP, OpenMediaVault, IP cameras, etc. I understand that this is not ideal, but for me it is a reasonable compromise between security and leaking internal details to public registries (crt.sh certificate logs if I obtain a cert per device).

I have been unable to find a way to configure OpenWrt to invoke acme.sh and use any of the deploy options that it supports. Neither /etc/init.d/acme nor /usr/lib/run-acme even contain the word "deploy" in them at all.

Any suggestions?

Tried cron?

I haven't. I figured since acme.sh has the feature, it would be best to try and use that functionality.

acme has the option of scheduling, but I'm pretty sure it just adds itself to the crontab ...

Yes, I'm pretty sure it does just add itself to the crontab. To be absolutely clear, though, what I am asking about is this functionality: https://github.com/acmesh-official/acme.sh/wiki/deployhooks


As there is no acme.sh deployhook package in OpenWrt, I manually downloaded the deployhook script I need from acme.sh with this script:

#!/bin/sh

# set export HTTPS_INSECURE=1 if cert is already gone
#export HTTPS_INSECURE=1
mkdir -p /usr/lib/acme/client/deploy
# -f makes curl fail on an HTTP error instead of saving the error page as the hook script
curl -fsSL https://raw.githubusercontent.com/acmesh-official/acme.sh/master/deploy/synology_dsm.sh -o /usr/lib/acme/client/deploy/synology_dsm.sh
#/usr/lib/acme/client/acme.sh --home /etc/acme/ --deploy -d *.joek.eu --deploy-hook synology_dsm

If you run the deployhook once, acme.sh will save the info in its own config and will run the hook on the normal daily cert renew.

I've configured the OpenWrt backup to also back up the deployhook script so it's still available after an upgrade.

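For the `--deploy-hook` step the post above describes, here is an added example of a minimal custom hook; it is not acme.sh's own code and not the synology_dsm hook from the post. It assumes the hook name `pushcert` (saved as `pushcert.sh` in the deploy directory from the post, then run once with `--deploy-hook pushcert`) and a constructed environment variable `DEPLOY_PUSHCERT_DIR` naming the directory, for example a mount of the target device, to copy into; acme.sh calls `pushcert_deploy` with the domain, key, cert, CA and fullchain paths as positional arguments.

```shell
#!/bin/sh
# Hypothetical acme.sh deploy hook "pushcert" (added example, not acme.sh code).
# acme.sh sources deploy/pushcert.sh and calls pushcert_deploy with:
#   $1 domain  $2 key file  $3 cert file  $4 CA file  $5 fullchain file
# DEPLOY_PUSHCERT_DIR (constructed name) is the directory to copy into.

pushcert_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  dest="${DEPLOY_PUSHCERT_DIR:-}"
  if [ -z "$dest" ]; then
    echo "pushcert: DEPLOY_PUSHCERT_DIR is not set" >&2
    return 1
  fi
  for f in "$_ckey" "$_cfullchain"; do
    if [ ! -r "$f" ]; then
      echo "pushcert: cannot read $f" >&2
      return 1
    fi
  done
  mkdir -p "$dest" || return 1

  # A wildcard name like *.home.xxx makes a poor file name; map '*' to '_'.
  name=$(printf '%s' "$_cdomain" | tr '*' '_')

  # Copy the key under a restrictive umask so it is never world-readable,
  # even briefly, then rename both files into place so a daemon reloading
  # at that moment never reads a half-written file.
  ( umask 077 && cp "$_ckey" "$dest/$name.key.tmp" ) || return 1
  cp "$_cfullchain" "$dest/$name.fullchain.tmp" || return 1
  chmod 0600 "$dest/$name.key.tmp" || return 1
  chmod 0644 "$dest/$name.fullchain.tmp" || return 1
  mv "$dest/$name.key.tmp" "$dest/$name.key" || return 1
  mv "$dest/$name.fullchain.tmp" "$dest/$name.fullchain" || return 1
  echo "pushcert: deployed $_cdomain to $dest"
  return 0
}
```

The hook returns non-zero when the destination is unset or an input file is unreadable, so acme.sh reports the deploy as failed instead of silently leaving the old certificate on the device.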

Note that you might be better off security-wise by re-using the same key on renewals if the push to other devices is considered unsafe. Then you only need to distribute the key once, using some secure enough method.

Indeed. It's really just a matter of having the same cert+key deployed on multiple systems, ideally each should have their own key (imo).

However, if you can push a cert to a system, you can probably do other bad things, unless tightly locked down using e.g. ssh ForcedCommand controls. In which case, you could probably do that for the key as well.

Thanks, this seems like the closest to what I am after!

Have you found a way to include the --deploy-hook command line argument in the automated crontab/invocation of acme.sh? Or did you just edit run-acme directly?

As I stated, if you run the deployhook command once, acme.sh will do it on its own for the cert.