Orange /
CertsReissue
This document describes how to issue and renew Let's Encrypt certificates automatically with acme-client(1) on OpenBSD. The chain served to clients is built by appending an intermediate certificate that was downloaded beforehand from the Let's Encrypt repository, not the chain returned by the ACME server, so the pinned intermediate has to be replaced by hand whenever Let's Encrypt rotates it.
Create a directory for the Let's Encrypt root and intermediate certificates:

    doas mkdir /etc/ssl/letsencrypt
    doas wget https://letsencrypt.org/certs/isrgrootx1.pem -O /etc/ssl/letsencrypt/ISRG_X1.pem
    doas wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/ssl/letsencrypt/R3.pem
Expiry dates of the downloaded certificates (check them with openssl x509 -noout -enddate -in FILE):

Let's Encrypt R3 intermediate - expires Sep 15 16:00:00 2025 GMT
ISRG Root X1 - expires Jun 4 11:04:38 2035 GMT

Because the reissue script appends R3.pem unconditionally, a replacement intermediate must be put in /etc/ssl/letsencrypt before that date (or as soon as Let's Encrypt starts signing with a different intermediate), otherwise relayd serves a chain that clients cannot validate. acme-client.conf(5) can also write the chain it receives from the ACME server with the domain full chain certificate option, which avoids pinning an intermediate at all.
Create the directory tree that will hold the domain's certificate and private key:

    doas mkdir /etc/ssl/example.net
    doas mkdir /etc/ssl/example.net/private
    doas chmod 700 /etc/ssl/example.net/private
Add a domain section for the client to /etc/acme-client.conf. The letsencrypt authority it signs with must be defined earlier in the same file (the default /etc/examples/acme-client.conf has one), and httpd(8) must serve /var/www/acme as /.well-known/acme-challenge/ for both example.net and www.example.net:

    domain example.net {
    	alternative names { www.example.net }
    	domain key "/etc/ssl/example.net/private/example.key"
    	domain certificate "/etc/ssl/example.net/example.crt"
    	sign with letsencrypt
    	challengedir "/var/www/acme"
    }
Certificate reissue script, installed as /usr/local/libexec/orange/certs_reissue.sh. The -F flag forces a reissue even when the current certificate is not yet close to expiry. relayd(8) reads the key from /etc/ssl/private and the certificate, followed by the intermediate, from /etc/ssl:

    #!/bin/sh
    # Stop at the first failed step so relayd is never reloaded with a half-copied certificate.
    set -e

    acme-client -Fv example.net || exit 1

    # RelayD: install the key, then the certificate followed by the R3 intermediate
    cat /etc/ssl/example.net/private/example.key > /etc/ssl/private/example.net.key
    cat /etc/ssl/example.net/example.crt > /etc/ssl/example.net.crt
    cat /etc/ssl/letsencrypt/R3.pem >> /etc/ssl/example.net.crt
    chown root:wheel /etc/ssl/private/example.net.key
    chown root:wheel /etc/ssl/example.net.crt
    chmod 400 /etc/ssl/private/example.net.key

    # Make relayd pick up the new key pair
    rcctl -d reload relayd
Add the task to root's crontab (doas crontab -e). It runs at 01:10 on the first day of every month, which is why the script uses -F: without it, acme-client only renews a certificate that expires within the next 30 days, and a monthly check can miss that window:

    10 1 1 * * /usr/local/libexec/orange/certs_reissue.sh >/dev/null 2>&1

Redirecting stderr to /dev/null also hides a failed renewal; dropping 2>&1 lets cron(8) mail the error to root. The alternative used in many OpenBSD setups is a daily entry without -F, so a renewal is only requested when it is actually due.
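As an added example, not part of this page or of the orange scripts, the following sh functions replace the blind "cat R3.pem >>" step with a check: the intermediate is chosen by matching the new leaf's issuer, the private key is compared against the certificate, and the assembled bundle is verified against ISRG Root X1 before it is written. A stale pinned intermediate, as after a Let's Encrypt rotation, makes the bundle build fail instead of being served. It needs only openssl(1), which is in the OpenBSD base system; the function names, the argument layout and the constructed test PKI are my own assumptions.

```shell
#!/bin/sh
# Added example for this page, not the project's own script: before the bundle
# is installed, pick the intermediate that actually issued the leaf and verify
# the result, instead of appending a fixed R3.pem. Needs only openssl(1).
# All paths are arguments; nothing here touches /etc/ssl or relayd.

set -u

# Subject/issuer in RFC 2253 form so the two strings can be compared exactly.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# key_matches_cert CERT KEY: the SubjectPublicKeyInfo derived from both must be identical.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# find_issuer LEAF DIR ROOT: print the *.pem in DIR whose subject is LEAF's issuer
# and which really chains LEAF to ROOT. Exit status 1 if no candidate fits,
# which is what happens after an intermediate rotation with a stale DIR.
find_issuer() {
    want=$(cert_issuer "$1")
    for ca in "$2"/*.pem; do
        [ -f "$ca" ] || continue
        [ "$(cert_subject "$ca")" = "$want" ] || continue
        if openssl verify -CAfile "$3" -untrusted "$ca" "$1" >/dev/null 2>&1; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# build_bundle LEAF KEY DIR ROOT OUT: write LEAF + its intermediate to OUT only
# after every check passes; OUT is left untouched on any failure.
build_bundle() {
    key_matches_cert "$1" "$2" || { echo "$2 does not match $1" >&2; return 1; }
    ca=$(find_issuer "$1" "$3" "$4") || { echo "no intermediate in $3 chains $1 to $4" >&2; return 1; }
    tmp="$5.tmp.$$"
    cat "$1" "$ca" > "$tmp" || return 1
    # Re-verify the bundle exactly as it will be served before it goes live.
    if openssl verify -CAfile "$4" -untrusted "$tmp" "$1" >/dev/null 2>&1; then
        mv "$tmp" "$5"
    else
        rm -f "$tmp"
        return 1
    fi
}

# --- Constructed offline test PKI (not real Let's Encrypt data) --------------
# mk_csr DIR NAME CN: fresh P-256 key and CSR.
mk_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}

# make_fixture DIR: root -> R_old and R_new intermediates; leaf signed by R_new,
# mimicking what a pinned R3.pem looks like after Let's Encrypt rotates.
make_fixture() {
    d=$1
    mkdir -p "$d/inter"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.net\n' > "$d/leaf.ext"
    mk_csr "$d" root "Test Root"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    for n in old new; do
        mk_csr "$d" "$n" "Test Intermediate $n"
        openssl x509 -req -in "$d/$n.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
            -days 2 -extfile "$d/ca.ext" -out "$d/inter/R_$n.pem" 2>/dev/null
    done
    mk_csr "$d" leaf example.net
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter/R_new.pem" -CAkey "$d/new.key" -CAcreateserial \
        -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Usage with the paths from this page (assumed layout), in place of the three cat lines:
#   build_bundle /etc/ssl/example.net/example.crt /etc/ssl/example.net/private/example.key \
#       /etc/ssl/letsencrypt /etc/ssl/letsencrypt/ISRG_X1.pem /etc/ssl/example.net.crt
```

Pointing the DIR argument at /etc/ssl/letsencrypt means several intermediates can be kept there side by side (ISRG_X1.pem is skipped automatically, since its subject never matches a leaf's issuer), and a reissue only succeeds when one of them is the issuer of the certificate acme-client just obtained; a failure leaves the previous bundle and the relayd reload untouched, which is the safe side for a cron job nobody watches.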