Is there a systemd service that checks a certificate’s validity and updates it?

#1

Ghost CLI uses acme.sh to generate a certificate from Let’s Encrypt, but the certificate is only valid for 90 days. I assume Ghost CLI updates the certificate automatically. I’m wondering how it’s done. Is there a systemd service that checks a certificate’s validity and updates it? If so, what’s its name?

#2

@maxkoretskyi I responded to you in the GitHub issue, but the forum is definitely a better place to ask!

There’s a cron job (root) set up that runs the acme renewal script:

3 2 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

This actually isn’t done by the CLI, rather it’s managed by the cert manager - https://acme.sh.

#3

Thanks a lot for your help! I have the following:

10 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

which, as I understand, executes the command every day of every month of every year at 00:10. Is it correct?

#4

Yep, that’s correct! My go-to for interpreting crontab entries is https://crontab.guru/ :slight_smile:

To answer your question from the GitHub issue, the reason Ghost doesn’t set up a systemd timer is because SSL setup is almost fully managed by acme.sh. The CLI gets the relevant information from you and runs the acme.sh script using said information.

#5

Got it, thanks a lot for your help! If you happen to know what the command acme.sh --cron --home "/etc/letsencrypt" > /dev/null does, I’m very interested to learn it :blush:

#6

The command calls acme.sh, which is the Let’s Encrypt certificate manager, with 2 arguments - cron, which tells the script it’s being run as part of a cron job, and home ... which tells the script what home directory to use.

I think you’ll find the acme.sh docs extremely useful:

#7

Got it, appreciate your answers!
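
Added example, not part of the thread and not code from Ghost or acme.sh: a POSIX shell function that scans a crontab dump for the acme.sh renewal entry discussed above and reports when it runs and which --home it uses. The function names and the sample crontab are constructed for illustration; the two acme.sh lines in the sample are the ones quoted in posts #2 and #3.

```shell
#!/bin/sh
# Audit a crontab dump for the acme.sh renewal job.
# On a real host (as root): crontab -l | acme_cron_audit
# Exit status 0 if at least one renewal entry was found, 1 otherwise.

acme_cron_audit() {
    status=1
    # read splits the five schedule fields; the rest of the line is the command.
    # It does not glob-expand the "*" fields.
    while read -r min hour dom mon dow cmd || [ -n "$min" ]; do
        # Skip blank lines and comments; MAILTO=... lines fall through
        # because their command part is empty.
        case "$min" in ''|'#'*) continue ;; esac
        # cron passes the command to a shell, which removes the double quotes,
        # so "/etc/letsencrypt"/acme.sh is /etc/letsencrypt/acme.sh at run time.
        plain=$(printf '%s' "$cmd" | tr -d '"')
        case "$plain" in
            *acme.sh*--cron*) ;;
            *) continue ;;
        esac
        home=$(printf '%s\n' "$plain" | sed -n 's/.*--home  *\([^ ]*\).*/\1/p')
        # "* * *" in day-of-month, month and day-of-week means every day.
        if [ "$dom" = '*' ] && [ "$mon" = '*' ] && [ "$dow" = '*' ]; then
            freq=daily
        else
            freq=other
        fi
        # Zero-pad single-digit values so 2 and 3 print as 02:03.
        case "$hour" in [0-9]) hour="0$hour" ;; esac
        case "$min" in [0-9]) min="0$min" ;; esac
        printf '%s %s:%s home=%s\n' "$freq" "$hour" "$min" "${home:-unset}"
        status=0
    done
    return "$status"
}

# Constructed sample input; only the two acme.sh lines come from the thread.
sample_crontab() {
    cat <<'EOF'
# constructed sample crontab
MAILTO=root
3 2 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
10 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
0 4 * * 0 /usr/local/bin/backup.sh
EOF
}

sample_crontab | acme_cron_audit
```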