CertsReissue

This document describes how to issue and automatically renew Let's Encrypt certificates with acme-client(1) on OpenBSD and hand the result to relayd. The Let's Encrypt intermediate certificate is downloaded once from the Let's Encrypt repository and appended to the issued certificate so that clients receive the full chain.

Create a directory for the Let's Encrypt CA certificates (the root and the intermediate) and download them:

doas mkdir /etc/ssl/letsencrypt
doas wget https://letsencrypt.org/certs/isrgrootx1.pem -O /etc/ssl/letsencrypt/ISRG_X1.pem
doas wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/ssl/letsencrypt/R3.pem

Expiry dates of the downloaded certificates (check with openssl x509 -noout -enddate -in FILE):

Let's Encrypt R3 intermediate expires: Sep 15 16:00:00 2025 GMT
ISRG Root X1 expires: Jun 4 11:04:38 2035 GMT

Let's Encrypt rotates its intermediates, so the file appended to the issued certificate has to be refreshed before the intermediate expires or is replaced; a leaf signed by a newer intermediate bundled with an old one fails validation in clients.

Create the directory tree that will hold the domain's certificate and key; the private subdirectory is mode 700 so only root can read the key:

doas mkdir /etc/ssl/example.net
doas mkdir /etc/ssl/example.net/private
doas chmod 700 /etc/ssl/example.net/private

Add a domain section to /etc/acme-client.conf. The `authority letsencrypt` block referenced by `sign with` must be defined in the same file (the example configuration shipped in /etc/examples/acme-client.conf defines it), and httpd must serve the challengedir at /.well-known/acme-challenge/ for the HTTP-01 challenge to succeed:

domain example.net {
        alternative names { www.example.net }
        domain key "/etc/ssl/example.net/private/example.key"
        domain certificate "/etc/ssl/example.net/example.crt"
        sign with letsencrypt
        challengedir "/var/www/acme"
}

Certificate reissue script. It renews the certificate, assembles the key and the certificate chain where relayd expects them, and reloads relayd. Note that acme-client can also write the chain it receives from the CA itself (`domain full chain certificate` in acme-client.conf(5)), which avoids hard-coding a particular intermediate; the script below keeps the manual approach of appending the downloaded R3 file:

#!/bin/sh
# Renew the certificate. acme-client exits 0 when the certificate changed,
# 1 on error and 2 when no renewal was needed; -F forces a renewal regardless
# of the remaining lifetime, so nothing is reloaded if issuance failed.
acme-client -Fv example.net || exit 1

# relayd looks for /etc/ssl/<name>.crt and /etc/ssl/private/<name>.key.
# Create the files under a restrictive umask so the key is never
# world-readable, even between creation and chmod.
umask 077
cat /etc/ssl/example.net/private/example.key > /etc/ssl/private/example.net.key
# Leaf first, then the intermediate, so clients receive the full chain.
cat /etc/ssl/example.net/example.crt /etc/ssl/letsencrypt/R3.pem > /etc/ssl/example.net.crt
chown root:wheel /etc/ssl/private/example.net.key /etc/ssl/example.net.crt
chmod 400 /etc/ssl/private/example.net.key
chmod 644 /etc/ssl/example.net.crt

rcctl -d reload relayd

Crontab entry for the task (01:10 on the first day of every month). Discarding all output as shown means a failed renewal is never reported; drop the redirection so cron mails errors to root, or log them, if you want to notice a broken renewal before the certificate expires:

10      1       1       *       *       /usr/local/libexec/orange/certs_reissue.sh >/dev/null 2>&1
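The reissue script appends whatever intermediate was downloaded at setup time without checking that it actually issued the new leaf. The following script, added here as an example and not part of the original page, acme-client or relayd, verifies that an assembled bundle (leaf first, intermediate after, as the script produces it) chains to the trusted root before relayd is told to reload it, and flags an intermediate that is close to expiry. To show both the good case and the stale-intermediate failure without touching real Let's Encrypt material, it builds a throw-away PKI with openssl(1). It assumes openssl is on PATH; the function names check_chain, check_expiry and make_demo_pki and all file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a certificate
# bundle before deploying it. Assumes openssl(1) on PATH; all names below
# are hypothetical.

# check_chain BUNDLE ROOT
#   0 if the first certificate in BUNDLE chains to the trusted ROOT through
#   the intermediate(s) bundled after it, non-zero otherwise (for instance
#   when an old intermediate was appended to a leaf signed by a newer one).
check_chain() {
    bundle=$1 root=$2
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, numbered in order.
    awk -v dir="$tmp" 'BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { print > (dir "/cert" n ".pem") }' "$bundle"
    # Everything after the leaf is offered to openssl as untrusted chain material.
    : > "$tmp/untrusted.pem"
    for f in "$tmp"/cert*.pem; do
        case "$f" in */cert0.pem|*/cert1.pem) continue ;; esac
        cat "$f" >> "$tmp/untrusted.pem"
    done
    if [ -s "$tmp/untrusted.pem" ]; then
        openssl verify -CAfile "$root" -untrusted "$tmp/untrusted.pem" "$tmp/cert1.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$tmp/cert1.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# check_expiry PEM DAYS
#   0 if the certificate in PEM is still valid DAYS days from now, non-zero
#   if it expires sooner or has already expired.
check_expiry() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# make_demo_pki DIR
#   Constructed fixture, not Let's Encrypt material: one root, two
#   intermediates A and B, one leaf signed by A. good.pem bundles the leaf
#   with A; bad.pem bundles it with B, mimicking a script that still appends
#   the old intermediate after the CA switched to a new one.
make_demo_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    for ca in interA interB; do
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.csr" 2>/dev/null
        openssl x509 -req -sha256 -days 30 -in "$dir/$ca.csr" -CA "$dir/root.crt" \
            -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
            -out "$dir/$ca.crt" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=example.net' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" -CA "$dir/interA.crt" \
        -CAkey "$dir/interA.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/interA.crt" > "$dir/good.pem"
    cat "$dir/leaf.crt" "$dir/interB.crt" > "$dir/bad.pem"
}

# Stand-alone demonstration on the constructed fixture.
demo_dir=$(mktemp -d) || exit 1
make_demo_pki "$demo_dir"
if check_chain "$demo_dir/good.pem" "$demo_dir/root.crt"; then
    echo "good.pem: leaf chains to the root through the bundled intermediate"
fi
if ! check_chain "$demo_dir/bad.pem" "$demo_dir/root.crt"; then
    echo "bad.pem: bundled intermediate did not issue this leaf, do not deploy"
fi
if ! check_expiry "$demo_dir/interA.crt" 60; then
    echo "interA.crt: expires within 60 days, refresh the intermediate file"
fi
rm -rf "$demo_dir"
```

On the live host the same functions can sit in the reissue script between assembling /etc/ssl/example.net.crt and the rcctl reload: check_chain /etc/ssl/example.net.crt /etc/ssl/letsencrypt/ISRG_X1.pem aborting the script on failure keeps relayd serving the previous, still valid chain instead of a broken one, and check_expiry on /etc/ssl/letsencrypt/R3.pem gives advance warning that the intermediate file needs replacing.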