When I was first reviewing the script, I was puzzled about how /etc/cert.pem and /etc/key.pem play into the equation, as you are right - /etc is a tmpfs filesystem. I came to the conclusion that Asus, during bootup, copies the cert/key into /etc from somewhere.
In the end, I only used this code to copy the ZeroSSL cert and key into the required location to use https for the GUI:
Code:
# ${d} holds the full domain name from the renewal loop, so compare against it
# (a bare "RTAC86U" never matches and the block would be skipped)
if [ "${d}" = "RTAC86U.YOUNGIND.CA" ]; then
    for p in "/jffs/ssl" "/jffs/.cert" "/etc"; do
        [ -d "${p}" ] && \
            cp /opt/home/keys/cert.pem "${p}/cert.pem" && \
            cp /opt/home/keys/key.pem "${p}/key.pem"
    done
    nvram set le_enable=2 # Sets DDNS SSL Certificate in WAN/DDNS to "Import"
    nvram set https_crt_save=1
    nvram set https_crt_file=""
    # silence stdout and stderr ("1>&2 > /dev/null" only silenced stdout)
    service restart_httpd > /dev/null 2>&1
    nvram commit
    echo "Finished updating Router GUI certificate stores" >> "${LOGDIR}"
fi
This copies the cert/key files into /jffs/ssl and /jffs/.cert as well as /etc. So, I am assuming that on bootup, the keys are copied from either /jffs/ssl or /jffs/.cert into /etc.
I don't know the difference between /jffs/ssl and /jffs/.cert. I assume one is for the GUI SSL and the other is for DDNS? As it is only an assumption, I played it safe and copied to both. I don't use DDNS due to my CGNAT issue, so it does not hurt anything for me to copy to both.
Here is my final cert renewal script that runs at 0020 hours daily:
Code:
#!/bin/sh
# Command line variables
#
# $1 = force - will force certificate renewals
SCRIPTNAME="ACME Renew"
LOGDIR="/opt/var/log/acme.log"
# acme.sh return codes
# 0: certificate request successful
# 1: certificate request failed
# 2: certificate still valid, request skipped
# Valid only on --renew. --cron will return 0 if current certificate is valid
[ "$1" = "force" ] && FORCE="--force" || FORCE=""
rm -f /tmp/cert-renewal.txt
for d in "RTAC86U.YOUNGIND.CA" "YOUNGIND.CA"; do
    logger -t ACME.SH "Checking ${d} certificate to see if it needs renewing"
    /opt/home/acme/acme.sh --home /opt/home/acme --renew ${FORCE} --domain "${d}" >> /tmp/cert-renewal.txt
    RST="$?"
    echo "$(date) - Acme.sh Return code is ${RST}"
    case "${RST}" in
        0)
            logger -t "${SCRIPTNAME}" "Certificate ${d} Renewed .... Restarting httpd"
            echo "$(date) - ACME.SH Certificate ${d} Renewed .... Restarting httpd" >> "${LOGDIR}"
            # ${d} is the full domain name, so compare against it
            # (a bare "RTAC86U" never matches and the GUI stores would never be updated)
            if [ "${d}" = "RTAC86U.YOUNGIND.CA" ]; then
                for p in "/jffs/ssl" "/jffs/.cert" "/etc"; do
                    [ -d "${p}" ] && \
                        cp /opt/home/keys/cert.pem "${p}/cert.pem" && \
                        cp /opt/home/keys/key.pem "${p}/key.pem"
                done
                nvram set le_enable=2 # Sets DDNS SSL Certificate in WAN/DDNS to "Import"
                nvram set https_crt_save=1
                nvram set https_crt_file=""
                # silence stdout and stderr ("1>&2 > /dev/null" only silenced stdout)
                service restart_httpd > /dev/null 2>&1
                nvram commit
                echo "Finished updating Router GUI certificate stores" >> "${LOGDIR}"
            fi
            echo "$(date) - ${d} SSL Certificate has been renewed" >> "${LOGDIR}"
            echo "$(date)" > /tmp/certmail.txt
            echo "" >> /tmp/certmail.txt
            echo "Acme SSL Security Certificate Renewal System Message" >> /tmp/certmail.txt
            echo "INFORMATION - Certificate ${d} has been renewed" >> /tmp/certmail.txt
            /jffs/addons/young/smail.sh "/tmp/certmail.txt" "INFO - SSL Cert ${d} has been renewed"
            ;;
        1)
            logger -t "${SCRIPTNAME}" "${d} Certificate Renewal Failed"
            echo "$(date) - Certificate Renewal Failed for certificate ${d}" >> "${LOGDIR}"
            echo "$(date)" > /tmp/certmail.txt
            echo "" >> /tmp/certmail.txt
            echo "Acme SSL Security Certificate Renewal System Message" >> /tmp/certmail.txt
            echo "WARNING - Failed to renew the SSL Certificate ${d}" >> /tmp/certmail.txt
            /jffs/addons/young/smail.sh "/tmp/certmail.txt" "WARNING - Router SSL Cert ${d} Renewal Failed"
            ;;
        2)
            logger -t "${SCRIPTNAME}" "Certificate ${d} is still valid, nothing done"
            echo "$(date) - Certificate Renewal request done - certificate ${d} still valid, nothing done" >> "${LOGDIR}"
            ;;
    esac
done
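As an added example (not the poster's script), the helper below does the same copy into /jffs/ssl, /jffs/.cert and /etc, but first checks that the private key actually belongs to the certificate and that the certificate is not about to expire, copies only files that differ from what is already in the store (so httpd is restarted only when something changed), and keeps key.pem at mode 0600. The store directories and the /opt/home/keys paths are the ones from the post above; openssl and cmp are assumed to be installed (both ship with Entware), and the function names are my own.

```shell
#!/bin/sh
# Added example (not the poster's script): validate a renewed cert/key pair and
# install it into the router's certificate stores, reporting whether anything
# actually changed so that httpd is restarted only when needed.
# Assumptions: POSIX sh, openssl and cmp are available; the store directories
# below are the ones used in the post; /opt/home/keys is the poster's key path.

STORES="/jffs/ssl /jffs/.cert /etc"

# keypair_matches CERT KEY: exit 0 when KEY's public key equals CERT's public key.
# Both openssl commands emit the same SubjectPublicKeyInfo PEM, so a string compare works.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "${cert_pub}" ] && [ "${cert_pub}" = "${key_pub}" ]
}

# cert_valid_for_days CERT [DAYS]: exit 0 when CERT does not expire within DAYS (default 1).
cert_valid_for_days() {
    days=${2:-1}
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# install_if_changed SRC DST MODE: copy SRC to DST only if it differs.
# Exit 0 = installed (DST printed), 1 = already current, 2 = copy failed.
install_if_changed() {
    src=$1; dst=$2; mode=$3
    if [ -f "${dst}" ] && cmp -s "${src}" "${dst}"; then
        chmod "${mode}" "${dst}"   # re-assert permissions even when content is unchanged
        return 1
    fi
    cp "${src}" "${dst}" && chmod "${mode}" "${dst}" || return 2
    echo "${dst}"
    return 0
}

# deploy_cert CERT KEY [DIR...]: install CERT/KEY as cert.pem/key.pem into every
# DIR that exists (default: $STORES), as the post's cp loop does.
# Exit 0 = at least one file changed, 1 = all stores already current, 2 = a copy failed.
deploy_cert() {
    cert=$1; key=$2; shift 2
    [ $# -gt 0 ] || set -- ${STORES}
    changed=0
    for p in "$@"; do
        [ -d "${p}" ] || continue
        rc=0; install_if_changed "${cert}" "${p}/cert.pem" 0644 || rc=$?
        [ "${rc}" -eq 2 ] && return 2
        [ "${rc}" -eq 0 ] && changed=1
        rc=0; install_if_changed "${key}" "${p}/key.pem" 0600 || rc=$?
        [ "${rc}" -eq 2 ] && return 2
        [ "${rc}" -eq 0 ] && changed=1
    done
    [ "${changed}" -eq 1 ]
}

# renew_gui_cert CERT KEY: the full check-then-install sequence.
# Exit 0 = stores updated (caller should restart httpd), 1 = nothing to do,
# 2 = a copy failed, 3 = validation failed (nothing was touched).
renew_gui_cert() {
    keypair_matches "$1" "$2" || { echo "key does not match certificate, not installing" >&2; return 3; }
    cert_valid_for_days "$1" 1 || { echo "certificate expired or expires today, not installing" >&2; return 3; }
    deploy_cert "$1" "$2"
}

# Usage from the renewal script, in place of the plain cp loop:
#   if renew_gui_cert /opt/home/keys/cert.pem /opt/home/keys/key.pem; then
#       service restart_httpd > /dev/null 2>&1
#   fi
```

Because deploy_cert reports "unchanged" when every store already holds the same bytes, a forced run of acme.sh that re-issues an identical file no longer bounces httpd, and a mismatched key (for example after a renewal where only one of the two files was written) is refused before anything in /jffs or /etc is overwritten.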