Is there a systemd service that checks for a certificate validity and updates it?

Ghost CLI uses acme.sh to generate a certificate by LetsEncrypt, but the certificate is only valid for 90 days. I assume GhostCLI updates the certificate automatically. I’m wondering how it’s done. Is there a systemd service that checks for a certificate validity and updates it? If so, what’s its name?

@maxkoretskyi I responded to you in the github issue, but the forum is definitely a better place to ask!

There’s a cron job (root) set up that runs the acme renewal script:

3 2 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

This actually isn’t done by the CLI, rather it’s managed by the cert manager - https://acme.sh.

1 Like

Thanks a lot for your help! I have the following:

10 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

which as I understand executes the command everyday of every month of every year at 00:10. Is it correct?

Yep, that’s correct! My go-to for interpreting crontab entries is https://crontab.guru/ :slight_smile:

To answer your question from the github issue, the reason ghost doesn’t set up a systemd timer is because ssl setup is almost fully managed by acme.sh. The cli gets the relevant information from you and runs the acme.sh script using said information

Got it, thanks a lot for your help! If you happen to know what the command acme.sh --cron --home "/etc/letsencrypt" > /dev/null does I’m very interested to learn it :blush:

The command calls acme.sh, which is the letsencrypt certificate manager, with 2 arguments - cron, which tells the script it’s being run as part of a cron job, and home ... which tells the script what home directory to use.

I think you’ll find the acme.sh docs extremely useful:

Got it, appreciate your answers!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.