On Fri, Jul 24, 2020 at 10:47 AM Florian Obser <[email protected]> wrote:
> On Thu, Jul 16, 2020 at 07:40:35AM +0200, Daniel Eisele wrote:
> > Also it would be nice to have a feature to update all domains of the
> > config file. I currently do that in a shell script by parsing the output
> > of acme-client -nv with sed and then calling acme-client multiple times.
> >
> > Maybe an easy solution would be an option that prints the list of all
> > domains, so I can avoid the sed parsing, as this is prone to breaking.
>
> I'm not opposed to that. You will probably need to output some form of
> csv.
>
> Consider this:
>
> domain handle1-example.com {
>     domain name example.com
>     alternative names { www.example.com secure.example.com }
>     domain key "/etc/ssl..." rsa
> }
> domain handle2-example.com {
>     domain name example.com
>     alternative names { mail.example.com }
>     domain key "/etc/ssl..." ecdsa
> }
>
> Should it be output like this?
>
> handle1-example.com; example.com; www.example.com, secure.example.com
> handle2-example.com; example.com; mail.example.com
>
> Or this?
>
> handle1-example.com; example.com; www.example.com
> handle1-example.com; example.com; secure.example.com
> handle2-example.com; example.com; mail.example.com
>
>
> >
> > Another solution is obviously to just add an "update all" command line
> > option (or maybe even in the config?), but that is probably more
> > complicated to implement.
>
> I'm more worried that you will very soon end up with some form of exec
> plugin mechanism. Typically you need to do something when a cert is
> renewed (restart daemon).
>
> My acme-client.conf is generated by a config management system which
> also creates individual cronjobs for each renew job and knows how to
> handle a cert renew.
>
> >
> > What do you think about that?
> >
>
A management system may auto-reload services when the configuration files
change; an update all would be convenient.
Moreover,
acme-client update && rcctl reload nginx
once a week is easy, as acme-client will not return 0 if nothing is
changed.
> --
> I'm not entirely sure you are real.

--
Knowing is not enough; we must apply. Willing is not enough; we must do
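
An added example, not part of the thread or of acme-client itself: a shell sketch of the "update all" workaround discussed above, which lists the handles from the configuration and renews each one, so that a reload only follows when something changed. The `ACME` override variable and the function names are assumptions made for this example, and only the plain `domain <handle> {` form from the quoted configuration is parsed.

```shell
#!/bin/sh
# Added example (not from the thread). Covers only the plain
# "domain <handle> {" form; macros and includes are not handled.

# Constructed sample: the configuration quoted in the thread.
sample_conf() {
cat <<'EOF'
domain handle1-example.com {
    domain name example.com
    alternative names { www.example.com secure.example.com }
    domain key "/etc/ssl..." rsa
}
domain handle2-example.com {
    domain name example.com
    alternative names { mail.example.com }
    domain key "/etc/ssl..." ecdsa
}
EOF
}

# Print one handle per line: lines of exactly "domain <handle> {".
list_handles() {
    awk 'NF == 3 && $1 == "domain" && $3 == "{" { print $2 }' "$1"
}

# Renew every handle in config file $1 with "$ACME -f <conf> <handle>".
# ACME is a hypothetical override for testing; the default is acme-client.
# Per acme-client(1): exit 0 = certificate changed, 2 = up to date,
# any other status = failure.
# Returns 0 if any certificate changed (failures still go to stderr),
# 1 if nothing changed and at least one run failed, 2 if all are up to date.
renew_all() {
    conf=$1 changed=0 failed=0
    for h in $(list_handles "$conf"); do
        rc=0
        "${ACME:-acme-client}" -f "$conf" "$h" || rc=$?
        case $rc in
            0) changed=1 ;;
            2) ;;
            *) failed=1; echo "renewal failed for $h (exit $rc)" >&2 ;;
        esac
    done
    if [ "$changed" -eq 1 ]; then return 0; fi
    if [ "$failed" -eq 1 ]; then return 1; fi
    return 2
}
```

From cron this chains as `renew_all /etc/acme-client.conf && rcctl reload nginx`, mirroring the one-liner in the reply above.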