I have OpenWrt and acme.sh configured on my router, receiving a wildcard dns for my home domain (*.home.xxx). I'd like to push that same key/certificate to other devices on my home network whenever it is renewed, such as OpenWrt DumbAP, OpenMediaVault, IP cameras, etc. I understand that this is not ideal, but for me it is a reasonable compromise between security and leaking internal details to public registries (crt.sh certificate logs if I obtain a cert per device).
I have been unable to find a way to configure OpenWrt to invoke acme.sh and use any of the deploy options that it supports. Neither /etc/init.d/acme nor /usr/lib/run-acme even contain the word "deploy" in them at all.
Note that you might be better off security-wise by re-using the same key on renewals if the push to other devices is considered unsafe. Then you only need to distribute the key once, using some secure enough method.
Indeed. It's really just a matter of having the same cert+key deployed on multiple systems, ideally each should have their own key (imo).
However, if you can push a cert to a system, you can probably do other bad things, unless tightly locked down using e.g. ssh ForcedCommand controls. In which case, you could probably do that for the key as well.
Thanks, this seems like the closest to what I am after!
Have you found a way to include the --deploy-hook command line argument in the automated crontab/invocation of acme.sh? Or did you just edit run-acme directly?
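The ssh ForcedCommand lock-down mentioned above, as an added example that is not from this thread, acme.sh or OpenWrt: a receiver script on the target device that sshd runs as the forced command for the router's push key, accepts a PEM bundle on stdin from the deploy hook, checks it and installs it atomically. The "push-cert" token, the CERT_DIR default and the output file names are assumptions.

```shell
#!/bin/sh
# Receiver for a cert/key push, run by sshd as a forced command so the pushing
# account can do nothing else. Constructed example; the "push-cert" token,
# the CERT_DIR default and the authorized_keys line are assumptions:
#   command="/usr/local/bin/recv-cert",restrict ssh-ed25519 AAAA... acme@router
CERT_DIR="${CERT_DIR:-/etc/ssl/pushed}"
MAX_BYTES=65536

# Accept only printable PEM text of bounded size that contains a certificate block.
validate_pem() {   # $1 = candidate file; 0 = acceptable
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 0 ] && [ "$size" -le "$MAX_BYTES" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$f" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$f" || return 1
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$f" && return 1   # no binary
    return 0
}

# Split a validated bundle into fullchain.pem (0644) and key.pem (0600), atomically.
install_bundle() {   # $1 = bundle file, $2 = destination directory
    dir="$2"; tc="$2/.fullchain.$$"; tk="$2/.key.$$"
    mkdir -p "$dir" || return 1
    ( umask 077; : > "$tc"; : > "$tk" ) || return 1   # create as 0600 before writing
    awk -v c="$tc" -v k="$tk" '
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = k }
        /^-----BEGIN CERTIFICATE-----$/   { out = c }
        out != "" { print > out }
        /^-----END / { out = "" }          # text outside a PEM block is dropped
    ' "$1" || { rm -f "$tc" "$tk"; return 1; }
    if ! [ -s "$tc" ]; then rm -f "$tc" "$tk"; return 1; fi
    mv -f "$tc" "$dir/fullchain.pem" && chmod 0644 "$dir/fullchain.pem" || return 1
    if [ -s "$tk" ]; then mv -f "$tk" "$dir/key.pem" || return 1; else rm -f "$tk"; fi
    return 0
}

# Forced-command entry point: sshd sets SSH_ORIGINAL_COMMAND to whatever the
# client asked for; only the fixed token "push-cert" is honoured.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    [ "$SSH_ORIGINAL_COMMAND" = "push-cert" ] || { echo "refused" >&2; exit 1; }
    t=$(mktemp) || exit 1
    head -c $((MAX_BYTES + 1)) > "$t"     # bounded read; oversize fails validation
    if validate_pem "$t" && install_bundle "$t" "$CERT_DIR"; then
        rm -f "$t"; echo "installed"
    else
        rm -f "$t"; echo "rejected" >&2; exit 1
    fi
fi
```

On the router side, a deploy hook then only needs something like `cat fullchain.cer domain.key | ssh -i /root/.ssh/push_key acme@device push-cert` (paths assumed), and because of the forced command that key cannot be used for anything else on the device.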