Ghost CLI uses acme.sh to generate a certificate by LetsEncrypt, but the certificate is only valid for 90 days. I assume GhostCLI updates the certificate automatically. I’m wondering how it’s done. Is there a systemd service that checks for certificate validity and updates it? If so, what’s its name?
@maxkoretskyi I responded to you in the GitHub issue, but the forum is definitely a better place to ask!
There’s a cron job (root) set up that runs the acme renewal script:
3 2 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
This actually isn’t done by the CLI, rather it’s managed by the cert manager - https://acme.sh.
Thanks a lot for your help! I have the following:
10 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
which, as I understand, executes the command every day of every month of every year at 00:10. Is it correct?
Yep, that’s correct! My go-to for interpreting crontab entries is https://crontab.guru/
To answer your question from the GitHub issue, the reason Ghost doesn’t set up a systemd timer is because SSL setup is almost fully managed by acme.sh. The CLI gets the relevant information from you and runs the acme.sh script using said information.
Got it, thanks a lot for your help! If you happen to know what the command acme.sh --cron --home "/etc/letsencrypt" > /dev/null does, I’m very interested to learn it.
The command calls acme.sh, which is the letsencrypt certificate manager, with 2 arguments - cron, which tells the script it’s being run as part of a cron job, and home ... which tells the script what home directory to use.
I think you’ll find the acme.sh docs extremely useful:
Got it, appreciate your answers!
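
The cron entries quoted in this thread discard acme.sh's standard output, so it helps to check separately that the renewal job exists and that the served certificate is not close to expiry. The script below is an added example, not part of the original thread and not Ghost or acme.sh code; the function names and the certificate path are assumptions, and the parser assumes the home directory contains no spaces.

```shell
#!/bin/sh
# Added example: audit the acme.sh renewal cron job and the certificate it maintains.

# Constructed sample built from the two entries quoted in the thread (second one disabled).
SAMPLE_CRONTAB='# m h dom mon dow command
3 2 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
#10 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null'

# Read crontab text on stdin; print "MIN HOUR HOME" for each active acme.sh --cron entry.
find_acme_cron() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out entries
        /acme\.sh/ && /--cron/ {
            home = "(default)"
            for (i = 6; i <= NF; i++)            # fields 1-5 are the schedule
                if ($i == "--home" && i < NF) { home = $(i + 1); gsub(/"/, "", home) }
            print $1, $2, home
        }'
}

# Return 0 if the PEM certificate in $1 is still valid $2 days from now.
# A missing or unreadable file also returns non-zero, which is treated as a failure.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Combine both checks; $1 = certificate path, $2 = minimum days of validity required.
audit_renewal() {
    entries=$(crontab -l 2>/dev/null | find_acme_cron)
    [ -n "$entries" ] || { echo "no active acme.sh --cron entry in this crontab"; return 1; }
    echo "renewal job (minute hour home): $entries"
    cert_valid_for_days "$1" "$2" || { echo "certificate $1 expires within $2 days or is unreadable"; return 1; }
    echo "certificate $1 is valid for more than $2 days"
}

# Usage, as root (the path is a placeholder, not a value from the thread):
#   audit_renewal /path/to/fullchain.cer 20
# Offline check of the parser against the constructed sample:
#   printf '%s\n' "$SAMPLE_CRONTAB" | find_acme_cron
```
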