Tiny wrapper around Lego to handle automatic cert renewal. https://git.fennell.dev/acme/atom?h=master 2025-12-31T22:50:30Z 2025-12-31T22:50:30Z Matthew Fennell matthew@fennell.dev 2025-12-31T22:50:30Z urn:sha1:a13db6968d94306b2bd92d1462abd95bb738d17b DNS is now managed by Mythic Beasts for all domains - the desec variables are no longer used or needed. 2025-12-29T01:49:30Z Matthew Fennell matthew@fennell.dev 2025-12-28T20:29:43Z urn:sha1:04cc00076fb4c74feef47f45c60ed7808c8f6296 lego will by default use the current directory to look for accounts/keys. That makes sense if you want to keep deployments separated, but in my case, I have a single deployment and want to be able to run the command from anywhere. 2025-12-29T01:49:09Z Matthew Fennell matthew@fennell.dev 2025-12-28T20:26:32Z urn:sha1:640c940f23b9a43c84250ff834d54394a074a16f Hopefully I'll do a better job of keeping the files in sync now. 2025-12-29T01:48:48Z Matthew Fennell matthew@fennell.dev 2025-12-28T20:12:04Z urn:sha1:4fc629331664fb9a2829112f0276c9bfe44a2121 Historically, this script only allowed renewal. This would break whenever subdomains were added to or removed from the config file, since, when renewing a certificate, the subdomains must remain the same as last time. I got around this by manually modifying the script each time I had to create a new cert. That's risky though, so introduce the structure to allow this to be passed from the terminal. 2025-12-29T01:48:27Z Matthew Fennell matthew@fennell.dev 2025-12-28T20:06:30Z urn:sha1:f55564b0c5c0791c31b2c14351a7635d23ea0469 I would like different domains to have different renew-days, so that the certs for different domains do not always update on the same day as each other. This prevents a worst-case scenario where all domains break on one day. 2025-12-29T01:48:06Z Matthew Fennell matthew@fennell.dev 2025-12-28T20:04:00Z urn:sha1:93cf32f25aa5faf62e8864a68d998ef2baafcf30 If we are renewing via DNS-01, we need to make sure to reuse the same key - otherwise, we will need a different hash to be propagated via DNS, which reuqires multiple days for a proper rollover. DANE will break if this rollover is not done. 2025-12-29T01:47:45Z Matthew Fennell matthew@fennell.dev 2025-12-28T20:02:24Z urn:sha1:da6ba6ddb6c55ca685b59880b078ccea31d7ec19 I will be adding more flags to this list, and it will get too long for one line. 2025-12-29T01:47:22Z Matthew Fennell matthew@fennell.dev 2025-12-28T19:42:04Z urn:sha1:33da4e3f920515bb4341953a5f350fe83b9e8d59 This is used to determine the letsencrypt endpoint to hit. I used to have a single variable for the endpoint, and I would uncomment the prod or nonprod endpoint depending on the circumstances. The two endpoints are given in separate variables in the config file: acme_server_nonprod and acme_server_prod. Likewise, the renew_script variable has been split into renew_script_nonprod and renew_script_prod. Choose between them using the argument. 2025-12-29T01:46:33Z Matthew Fennell matthew@fennell.dev 2025-12-28T18:37:20Z urn:sha1:d00d1009e056b4771f953b4c53c4d07545d9cd5b We now have different domains managed by different DNS providers. Select the provider per-domain based on the config file. 2025-12-29T01:46:12Z Matthew Fennell matthew@fennell.dev 2025-12-28T18:34:03Z urn:sha1:9170e9823d29f9488ee3a6dd796ca8a66f25edf8 mercuric.uk is now using Mythic Beasts instead of deSEC for DNS, and I'll be moving the other domains shortly. As a result, I would like to be able to select between providers them in the config file. As a first step towards supporting Mythic Beasts, pass the API key ID and secret to lego. We can do this in all circumstances: it will be unused if we don't specify mythicbeasts when the command is invoked.