Let'sEncrypt, ACME.sh and LUCI App Acme support topic

Certs aren't that big so you can keep them. But you can delete them with the
rm -rf /etc/ssl/acme/*

bad advice, since it'd delete all certs ...

acme.sh can't see my certs if I run /usr/lib/acme/client/acme.sh directly (I have no idea how to set the same flags as the OpenWrt acme.sh service).

I guess I will just remove the relevant certs in /etc/ssl/acme/ manually, as stokito mentioned.

Hello everyone,

I'm trying to set up a Certificate for my DuckDNS DDNS domain but with no luck.

I have everything set up right, but no certificate is generated. If I manually run /etc/init.d/acme renew I see that I have an error creating the account with the email that ends in example.org. I specifically put my email there, so why does it try to create the account with the default email???

On the payload I see the wrong email but I don't know how to change this.

Here's my /etc/config/acme:
config acme
        option account_email '[my EMAIL]'
        option debug '1'

config cert 'duckdns_org'
        option enabled '1'
        list domains '[mydomain].duckdns.org'
        list domains '*.[mydomain].duckdns.org'
        option validation_method 'dns'
        option dns 'dns_duckdns'
        list credentials 'DuckDNS_Token="[my token]"'
        option staging '0'

Any hints?

EDIT: I had to edit the file ca.conf in /etc/acme/ca/directory/(dontrememberthename)/ca.conf with my correct email and now it works.

After successfully obtaining the certificate for the first time, I modified /etc/hotplug.d/acme/01-mosquitto to automate the update of my MQTT service certificate. The script looks something like this; you can refer to it and modify it to suit your own needs.

#!/bin/sh

. /lib/functions/service.sh
# for debugging: log every event this script is called for
logger -p user.info -t acme.sh "===== ${ACTION} ${EVENT} ====="

# note the $ on ACTION; without it the string "ACTION" is compared and the branch never runs
if [ "$ACTION" = "issued" ]; then
        logger -p user.info -t acme.sh "acmesh issued event ..."
fi

if [ "$ACTION" = "renewed" ]; then

        logger -p user.info -t acme.sh "acme cert renewed, update mosquitto certificate."

        # copy the cert files into mosquitto's own cert directory
        cp /etc/acme/spender.men/ca.cer           /etc/mosquitto/certs/
        cp /etc/acme/spender.men/combined.cer     /etc/mosquitto/certs/
        cp /etc/acme/spender.men/fullchain.cer    /etc/mosquitto/certs/
        cp /etc/acme/spender.men/spender.men.cer  /etc/mosquitto/certs/
        cp /etc/acme/spender.men/spender.men.key  /etc/mosquitto/certs/
        chown -R mosquitto:mosquitto /etc/mosquitto/certs
        /etc/init.d/mosquitto restart

        logger -p user.info -t acme.sh "push server cert to other host ..."
        # some push command...
        # ...

        # the OpenWrt web server service is uhttpd
        logger -p user.info -t acme.sh "acme cert renewed, restart uhttpd service ..."
        /etc/init.d/uhttpd restart
fi
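An added example of the same kind of hotplug script, not from this thread or the acme package: it reacts only to the `issued`/`renewed` events the post above uses, refuses to deploy a key that does not belong to the certificate, and installs the files atomically with restrictive permissions. The domain, the /etc/acme/<domain>/ file layout and the `mosquitto reload` target are assumptions taken from the post above.

```shell
#!/bin/sh
# Added example for /etc/hotplug.d/acme/ (not from this thread). Assumes the
# ACTION values "issued"/"renewed" seen in the post above and the per-domain
# layout /etc/acme/<domain>/{fullchain.cer,<domain>.key}; DOMAIN is constructed.
DOMAIN="example.net"
CERT_DIR="/etc/acme/$DOMAIN"
DEST_DIR="/etc/mosquitto/certs"

# key_matches_cert CERT KEY: 0 if the key's public part equals the cert's,
# 1 on mismatch or unreadable input, 2 if openssl is not installed.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# install_cert SRC DST NAME: copy fullchain.cer and NAME.key from SRC to DST.
# Each file is written beside its target and renamed, so a reader never sees a
# half-written file; the key ends up 0600, the chain 0644. Returns 1 and copies
# nothing when either input file is missing or empty.
install_cert() {
    [ -s "$1/fullchain.cer" ] && [ -s "$1/$3.key" ] || return 1
    umask 077
    mkdir -p "$2" || return 1
    for f in fullchain.cer "$3.key"; do
        cp "$1/$f" "$2/.$f.tmp" || return 1
        case $f in *.key) chmod 0600 "$2/.$f.tmp" ;; *) chmod 0644 "$2/.$f.tmp" ;; esac
        mv -f "$2/.$f.tmp" "$2/$f" || return 1
    done
}

# handle_event ACTION: act only on the two events the thread uses; never deploy
# a key that does not belong to the certificate.
handle_event() {
    case $1 in issued|renewed) ;; *) return 0 ;; esac
    key_matches_cert "$CERT_DIR/fullchain.cer" "$CERT_DIR/$DOMAIN.key"
    case $? in
        1) logger -p user.err -t acme-hotplug "$1: key/cert mismatch for $DOMAIN, not deploying"; return 1 ;;
        2) logger -p user.warning -t acme-hotplug "openssl missing, skipping key/cert check" ;;
    esac
    if install_cert "$CERT_DIR" "$DEST_DIR" "$DOMAIN"; then
        chown -R mosquitto:mosquitto "$DEST_DIR"
        /etc/init.d/mosquitto reload   # assumed reload target; use restart if reload is unsupported
        logger -p user.info -t acme-hotplug "$1: deployed $DOMAIN certificate"
    else
        logger -p user.err -t acme-hotplug "$1: $CERT_DIR is incomplete, nothing changed"
    fi
}
handle_event "$ACTION"
```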

I remade the scripts around uacme so it can be used with acme-common
https://github.com/openwrt/packages/pull/27831
merged in snapshot.
By default the acme metapackage will install acme.sh, but the dependency can be satisfied with uacme if uacme is installed earlier.

Okay, I've been messing with ACME this weekend and saw some strange things like trailing spaces in tokens, which invalidated my authentication process. I am now running into an issue with debug mode being enabled in the back end. Is ACME being worked on at the moment?

Okay, I found that I had to vi /etc/config/acme and change it to option debug '0' instead of the 1 that was the default. It was causing the .sh function's checks for both "UPDATED" and "OK" in verbose mode . .

Okay, I found the FINAL issue. AdGuard needed to whitelist cloudflare-dns so the DoH could verify to get my cert out T_T. But the trailing spaces and the debug setting were real! I swear!