Comments (3)
Thanks for making the effort to document this.
I've looked into it and here are my thoughts:
My first reaction was to add the `--set-default-ca --server ${DEFAULT_CA}` to each call of `renew` or `forcerenew`. But doing this could lead to a situation where someone who issues multiple certificates (some from LE, others from ZeroSSL) is forcing only one issuer on all certs - that would not work, either, as it would try renewing a ZeroSSL certificate with a fall to LetsEncrypt, for example.
Usually, I'd expect `acme.sh` to pull the right issuer for an existing certificate from the `<certname>/<certname>.conf` file, using the `Le_API='https://acme-v02.api.letsencrypt.org/directory'` variable.
In your case, it seems(!) like the original certificate was issued using ZeroSSL; in that case "defaultca" is not applied but the "initially used" is being applied.
That's my best guess for now, therefore I suggest to not change anything right now but rather have a look in about 9 weeks if your cert "auto-updates" OK or not.
But, during today's research I noticed that it should be wise to pull the latest image for acme.sh before running it, so I will implement that separately.
from ubios-cert.
Thanks.
I didn't know about the `<certname>/<certname>.conf` file. Interestingly, mine starts with an undocumented `e_API` variable:
e_API='https://acme-v02.api.letsencrypt.org/directory'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
The `/mnt/data/ubios-cert/acme.sh/account.conf` also has `DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'`
I have never used ZeroSSL and there were no references to ZeroSSL in any of the above 3 files.
I'm wondering if an update to acme.sh is causing it to default to ZeroSSL and something is interfering with its ability to fall back to Let's Encrypt.
Your suggestion to wait 9 weeks makes sense. And I can appreciate the caution in not wanting to force the `DEFAULT_CA` variable from the `ubios-cert.env` file over a renewal.
from ubios-cert.
The "e_API" seems to be some kind of "mistake" with the "L" being cut off... it should be safe to just delete that line.
acme.sh switched to ZeroSSL as default CA in August 2021; anything issued after that date, using acme.sh V3.0, and without having set a default CA, got issued by ZeroSSL. So that may have been the case, in your case, but we'll probably never know as the old certificate will be gone by now.
`DEFAULT_ACME_SERVER` is set by `--set-default-ca`, and `Le_API` is set by either that `DEFAULT_ACME_SERVER` or a dedicated `--server` argument, to be chosen from this list.
from ubios-cert.
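
The two settings discussed in this thread, `DEFAULT_ACME_SERVER` in `account.conf` and `Le_API` in each `<certname>/<certname>.conf`, can be compared on disk before the next renewal. The script below is an added example, not code from the thread or from ubios-cert; the function names, the sample host names and the second directory URL are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report which ACME directory each acme.sh certificate is pinned to.

# conf_value FILE KEY: print the value of a KEY='value' line (parsed, never sourced).
conf_value() {
  sed -n "s/^$2=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}\$/\1/p" "$1" | head -n 1
}

# audit_acme_ca ACME_HOME: one finding per line on stdout.
audit_acme_ca() {
  default=$(conf_value "$1/account.conf" DEFAULT_ACME_SERVER)
  echo "default ${default:-unset}"
  for conf in "$1"/*/*.conf; do
    case $conf in *.csr.conf) continue ;; esac   # CSR settings, not certificate state
    [ -f "$conf" ] || continue
    name=$(basename "$conf" .conf)
    api=$(conf_value "$conf" Le_API)
    if [ -z "$api" ]; then
      echo "unpinned $name"
    elif [ "$api" = "$default" ]; then
      echo "pinned $name $api"
    else
      echo "differs $name $api"
    fi
    # Keys ending in _API that are not Le_API, such as the truncated e_API.
    grep -E '^[A-Za-z_]+_API=' "$conf" | grep -v '^Le_API=' | cut -d= -f1 |
      while read -r key; do echo "stray $name $key"; done
  done
}

# Constructed sample tree: the layout and the Let's Encrypt URL follow the thread;
# the host names and the second certificate's URL are invented placeholders.
make_sample_home() {
  d=$(mktemp -d)
  le='https://acme-v02.api.letsencrypt.org/directory'
  mkdir -p "$d/gw.example.test" "$d/portal.example.test"
  printf "DEFAULT_ACME_SERVER='%s'\n" "$le" > "$d/account.conf"
  printf "e_API='%s'\nLe_API='%s'\n" "$le" "$le" \
    > "$d/gw.example.test/gw.example.test.conf"
  printf "Le_API='https://acme.example.invalid/directory'\n" \
    > "$d/portal.example.test/portal.example.test.conf"
  echo "$d"
}

sample=$(make_sample_home)
audit_acme_ca "$sample"
rm -rf "$sample"
```

A `differs` line marks a certificate whose stored directory is not the account default, and a `stray` line marks a key like the `e_API` one reported above.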