Yep. That was the question. I've been hacking on /dehydrated
/hook-scripts, and am pretty close to where I want to be.
I'm using DNS-01 challenge (so needed to write the handlers for that)
I find NSS databases to be a PITA, so in the deploy_cert handler, I'm
+ building a new NSS
+ importing the Let's Encrypt intermediates
+ importing the new cert and key under the expected name
Then I'll just replace the old NSS with the new
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 4/5/2023 10:32 AM, Rob Crittenden wrote:
I think he was asking if a script exists that will work with ACME and
NSS databases. It is quite a broad question because it does depend on
the client used.
I think I would use certbot and leave the private key and certificates
in the flat filesystem and use a post-hook to stop 389, load the updated
cert using certutil, restart 389.
I'm lazy so after the first request I'd manually create a PKCS#12 out of
it and load that into the 389 NSS db. All subsequent calls with the
post-hook should work fine as long as the private key is retained.
But I haven't tried it.
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
