Jail: cert

One-time host setup: create the ZFS dataset that will hold the issued certificates (mounted into the jails below)
# Dataset shared with the other jails: the issued certs, the CA bundle
# (cacert.pem) and the acme.sh backup (secret/) all live here; it is
# nullfs-mounted at /mnt/certs further down.
zfs create ship/certs

Create the jail (the exported variables below are the positional arguments of create.sh, in this order)
# Parameters for the jail helper, exported so they are visible to create.sh
# and reusable in the commands that follow. create.sh is not shown here:
# JAILIP looks like the host part of the jail's address and JAILUSERVNC a
# VNC toggle, and X is a placeholder user name -- confirm against the helper.
export JAIL=cert JAILHOSTNAME=cert JAILDOMAIN=ahlawat.com JAILIP=12
export JAILUSER=X JAILUSERID=1000 JAILUSERVNC=false

# Positional arguments, quoted so an unexpected space or glob character in a
# value cannot split or expand into extra arguments.
/root/FreeBSD/jails/create.sh "$JAIL" "$JAILHOSTNAME" "$JAILDOMAIN" "$JAILIP" \
  "$JAILUSER" "$JAILUSERID" "$JAILUSERVNC"

# Turn the dataset mount from read-only into read-write: this is the one jail
# that writes certificates, so it needs rw where the consuming jails get ro.
# -r drops the existing ro entry (presumably added by create.sh), -a adds the
# rw replacement, and -l prints the resulting fstab for a visual check.
iocage fstab -r "$JAIL" /mnt/ship/certs /mnt/certs nullfs ro 0 0
iocage fstab -a "$JAIL" /mnt/ship/certs /mnt/certs nullfs rw 0 0
iocage fstab -l "$JAIL"

# curl is used twice: to fetch the acme.sh installer below and, from cron,
# to refresh the CA bundle (/usr/local/bin/curl in the crontab listing).
iocage exec $JAIL "pkg install -y curl"

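# Install acme.sh with its upstream installer. The script is fetched over the
# network and executed as root inside the jail, so it is only as trustworthy
# as get.acme.sh: -f stops an HTTP error page from being run as a script,
# --proto =https refuses a redirect to plain HTTP, and the download lands in a
# mktemp file instead of a fixed /tmp name. The file is removed either way.
# NOTE(review): FreeBSD also packages acme.sh (security/acme.sh); the installer
# is kept here because the cron line, --home and the backup/restore paths
# below all assume the /root/.acme.sh layout it creates.
iocage exec "$JAIL" 'f=$(mktemp) && curl -fsSL --proto =https https://get.acme.sh -o "$f" && sh "$f"; rm -f "$f"'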

// Restore a previous backup (only when rebuilding the jail; on a fresh install skip this and go to "First time" under Notes)
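# Restore acme.sh state from the backup written at the end of "First time".
# account.conf holds the ACME account key and the NS1 API key that acme.sh
# saved from NS1_Key, so it is kept owner-only after the copy; ca/ is
# acme.sh's per-CA state and each domain directory holds that certificate's
# key, chain and the stored --reloadcmd that acme.sh replays on renewal.
# -p keeps the backed-up modes/timestamps instead of umask defaults.
# NOTE(review): the domain list is hard-coded; add a name here whenever a
# domain is added to the "First time" section.
iocage exec "$JAIL" "cp -p /mnt/certs/secret/.acme.sh/account.conf /root/.acme.sh/ && chmod 600 /root/.acme.sh/account.conf"
for d in ca ahlawat.com beyondbell.com diyit.org xflow.org; do
  iocage exec "$JAIL" "cp -rp /mnt/certs/secret/.acme.sh/$d /root/.acme.sh/"
done
# Renew everything that is due now rather than waiting for the 00:04 cron run.
iocage exec "$JAIL" "sh /root/.acme.sh/acme.sh --renew-all"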
//

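# Open a shell in the jail; the crontab listing below is what `crontab -l`
# prints there. Uses $JAIL like the commands above instead of the literal name.
iocage console "$JAIL"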

# crontab -l
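# 00:04 daily: acme.sh renewal check (installed by acme.sh --install); the
# --reloadcmd stored with each certificate runs again after every renewal.
4 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
# 00:08 daily: refresh the Mozilla CA bundle shared with the other jails.
# -f keeps an HTTP error body from being written over the bundle; the
# download goes to a temp file and is moved into place only when non-empty
# (curl writes nothing when --time-cond says the remote copy is not newer),
# so readers never see a partial or empty cacert.pem. -R keeps the server's
# Last-Modified as the file mtime so --time-cond compares against it.
# NOTE(review): curl.se also publishes cacert.pem.sha256; checking it before
# the mv would catch a corrupted download.
8 0 * * * /usr/local/bin/curl -fsS -R --time-cond /mnt/certs/cacert.pem -o /mnt/certs/.cacert.pem.new https://curl.se/ca/cacert.pem && [ -s /mnt/certs/.cacert.pem.new ] && mv /mnt/certs/.cacert.pem.new /mnt/certs/cacert.pem; rm -f /mnt/certs/.cacert.pem.new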

Notes:
// First time (fresh install): issue each certificate once; renewals are then handled by the 00:04 cron entry above

# NS1 API key for the dns_nsone plugin; replace KEY with the real value.
# It is read from the environment on the first --issue and acme.sh then
# saves it into account.conf, so renewals do not need it re-exported.
# Typed on an interactive command line it ends up in shell history.
NS1_Key="KEY"; export NS1_Key

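# Issue an apex + wildcard certificate for one domain through the NS1 DNS
# API, using DNS alias mode (see the DNS-alias-mode link below): the
# validation TXT records are written under xflow.org, which needs a
# _acme-challenge CNAME in each domain pointing there. Needs NS1_Key
# exported (above).
#   $1 - apex domain; *.$1 is added as the wildcard SAN
#   $2 - file-name prefix for the outputs under /mnt/certs ("" for ahlawat.com)
# acme.sh stores the --reloadcmd and re-runs it on every renewal: it builds
# the combined <prefix>haproxy.pem, keeps <prefix>privkey.pem at 0600,
# publishes a 0644 copy (<prefix>privkeyr.pem) for non-root readers in other
# jails, and copies the acme.sh state to /mnt/config/.
# NOTE(review): privkeyr.pem and haproxy.pem carry the private key and are
# readable by any uid in any jail that mounts /mnt/ship/certs -- limit that
# mount to the jails that actually need it, or use a group and 0640.
# NOTE(review): the reloadcmd backs up to /mnt/config/, but the restore block
# above reads /mnt/certs/secret/ and /mnt/config is not in the fstab shown;
# confirm it is mounted in this jail or the backup silently goes nowhere useful.
issue_cert() {
  local domain=$1
  local p=$2
  /root/.acme.sh/acme.sh --issue --home "/root/.acme.sh" --dns dns_nsone \
    -d "$domain" -d "*.$domain" --challenge-alias xflow.org \
    --fullchain-file "/mnt/certs/${p}fullchain.pem" \
    --key-file "/mnt/certs/${p}privkey.pem" \
    --reloadcmd "cat /mnt/certs/${p}fullchain.pem /mnt/certs/${p}privkey.pem > /mnt/certs/${p}haproxy.pem; chmod 600 /mnt/certs/${p}privkey.pem; cp /mnt/certs/${p}privkey.pem /mnt/certs/${p}privkeyr.pem; chmod 644 /mnt/certs/${p}privkeyr.pem; cp -r /root/.acme.sh /mnt/config/"
}

issue_cert ahlawat.com ""
issue_cert beyondbell.com bb
issue_cert diyit.org diy
issue_cert xflow.org xflow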

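# Back up the acme.sh state (ACME account key and NS1 API key in
# account.conf, per-domain keys and certs) so a rebuilt jail can use the
# "restore previous backup" block above. The privkeyr.pem copies exist so
# other jails can read /mnt/certs; anything with that mount could read
# secret/ too, so the directory is closed to group/other, modes are
# preserved (-p) and the copy is stripped of group/other access.
mkdir -p /mnt/certs/secret && chmod 700 /mnt/certs/secret
cp -rp /root/.acme.sh /mnt/certs/secret/
chmod -R go-rwx /mnt/certs/secret/.acme.sh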

//


acme.sh DNS API plugins (this setup uses dns_nsone for NS1): https://github.com/Neilpang/acme.sh/tree/master/dnsapi - NS1 zone console: https://my.nsone.net/#/zones
DNS alias mode (why every --issue passes --challenge-alias xflow.org: validation TXT records are written under xflow.org, so each domain needs a _acme-challenge CNAME pointing there): https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode

Mozilla CA bundle as extracted by the curl project (refreshed by the 00:08 cron entry above): https://curl.se/docs/caextract.html

