Yep. That was the question. I've been hacking on dehydrated hook-scripts, and am pretty close to where I want to be.
I'm using DNS-01 challenge (so needed to write the handlers for that)
I find NSS databases to be a PITA, so in the deploy_cert handler, I'm
+ building a new NSS
+ importing the Let's Encrypt intermediates
+ importing the new cert and key under the expected name
Then I'll just replace the old NSS with the new
-- Do things because you should, not just because you can. John Thurston 907-465-8591 John.Thurston@xxxxxxxxxx Department of Administration State of Alaska
On 4/5/2023 10:32 AM, Rob Crittenden
wrote:
I think he was asking if a script exists that will work with ACME and NSS databases. It is quite a broad question because it does depend on the client used. I think I would use certbot and leave the private key and certificates in the flat filesystem and use a post-hook to stop 389, load the updated cert using certutil, restart 389. I'm lazy so after the first request I'd manually create a PKCS#12 out of it and load that into the 389 NSS db. All subsequent calls with the post-hook should work fine as long as the private key is retained. But I haven't tried it.
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
