Various services need their certificates installed to different locations, and some of them need some changes. There are a few that I make changes to from the default.
Emby
Emby needs a PKCS #12 (.pfx) file. To convert to it, the cert, the key and the CA cert are needed.
Set deploy location
```sh
# "~" is not expanded inside double quotes, so use ${HOME}
ACME_BIN="${HOME}/.acme.sh/acme.sh"
SERVER="emby.ramsden.network"
CERT_DEPLOY_DIR="/mnt/certs"

# Certs
CERT="${SERVER}.cer"
KEY="${SERVER}.key"
CA="ca.cer"
PKCS="${SERVER}.pfx"

# Set deploy location:
"${ACME_BIN}" --installcert -d "${SERVER}" \
    --certpath "${CERT_DEPLOY_DIR}/${SERVER}/${CERT}" \
    --keypath "${CERT_DEPLOY_DIR}/${SERVER}/${KEY}" \
    --capath "${CERT_DEPLOY_DIR}/${SERVER}/${CA}"

# Convert to pkcs ("pass:" sets an empty export password)
openssl pkcs12 -export -out "${CERT_DEPLOY_DIR}/${SERVER}/${PKCS}" \
    -inkey "${CERT_DEPLOY_DIR}/${SERVER}/${KEY}" \
    -in "${CERT_DEPLOY_DIR}/${SERVER}/${CERT}" \
    -certfile "${CERT_DEPLOY_DIR}/${SERVER}/${CA}" \
    -passout pass:
```
Install directory in jail: /var/db/emby-server/ssl
Cron:
Crontab from freenas:
You probably want to run renewals from a crontab so they get done every month. I use the following script to renew my various services:
```sh
#!/bin/sh

# letsencrypt Jail
le_jail="letsencrypt"
le_user="acme"
cert_db="/mnt/tank/data/database/letsencrypt/certs"
jail_db="/mnt/tank/data/database"

# Cloudflare account
export CF_Email=""
export CF_Key=""

############# MAIN CODE #############

# Bundle key, cert and CA into a PKCS #12 file next to them in cert_db
convert_pkcs() {
    server="${1}"
    pass="${2}"
    out_name="${3}"
    key="${4}"
    cert="${5}"
    ca="${6}"

    echo
    echo "Generating pkcs for ${server}"
    echo "to ${cert_db}/${server}/${out_name}"

    openssl pkcs12 -export -out "${cert_db}/${server}/${out_name}" \
        -inkey "${cert_db}/${server}/${key}" \
        -in "${cert_db}/${server}/${cert}" \
        -certfile "${cert_db}/${server}/${ca}" \
        -passout "${pass}"
}

# Install to jail, locations relative to jail db
# eg
# deploy "emby/ssl" "letsencrypt/certs" "media" "media" "660"
deploy() {
    server="${1}"
    deploy_location="${2}"
    owner="${3}"
    group="${4}"
    perms="${5}"

    echo
    echo "Installing certs for: ${server}"
    echo "with deploy location: ${deploy_location}"

    # Install certs to {}
    find "${cert_db}/${server}/" -type f \
        -exec install -b -m "${perms}" \
        -o "${owner}" -g "${group}" {} "${deploy_location}" \;
}

# Run acme in jail to check if certs need renewing, if so renew
# (--force renews on every run, regardless of remaining validity)
iocage exec --jail_user "${le_user}" "${le_jail}" /bin/sh -c \
    'acme.sh --cron --force --home "/var/db/acme/.acme.sh"'

# convert emby's key to pkcs
convert_pkcs "emby.ramsden.network" "pass:" \
    "emby.ramsden.network.pfx" \
    "emby.ramsden.network.key" \
    "emby.ramsden.network.cer" \
    "ca.cer"

# deploy emby's certs
deploy "emby.ramsden.network" \
    "${jail_db}/emby/emby-server/ssl/" \
    "media" "media" "770"

# Restart emby
iocage exec emby /bin/sh -c 'service emby-server restart'

# deploy lilan's certs? Saved in /etc/certificates
#install -b -B ".old-`date +%Y-%m-%d-%H:%M:%S`" -m 400 -o root -g wheel \
#/mnt/tank/data/database/letsencrypt/certs/lilan.ramsden.network/Lilan_s_LetsEncrypt_Certificate.key \
#/etc/certificates

#deploy "lilan.ramsden.network" \
# "/etc/certificates" \
# "root" "wheel" "400"

echo
echo "Finished deploying keys"
```
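A post-deploy check for the directory the renewal script fills, as an added example that is not part of the original script; the function names, the 30-day threshold and the choice of checks are assumptions. It flags key material accessible to other users, a .pfx left stale after a renewal, and a certificate close to expiry.

```sh
#!/bin/sh
# Added example: sanity checks for a directory populated by deploy().
# Function names and the 30-day default are assumptions, not from the page.

# List private-key files (*.key, *.pfx) with any "other" permission bit set.
# The .pfx is exported with an empty password, so file mode is its only protection.
exposed_keys() {
    find "$1" -type f \( -name '*.key' -o -name '*.pfx' \) \
        \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# Succeed only if the leaf certificate inside the .pfx ($1) is the .cer ($2).
pfx_matches_cert() {
    pfx_fp=$(openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    cer_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    [ -n "$pfx_fp" ] && [ "$pfx_fp" = "$cer_fp" ]
}

# Succeed if the certificate ($1) is still valid $2 days from now (default 30).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Run all three checks on <dir> for <server>; non-zero exit if any fails.
check_deploy() {
    dir="$1"; server="$2"; rc=0
    bad=$(exposed_keys "$dir")
    [ -z "$bad" ] || { echo "key material accessible to other users:"; echo "$bad"; rc=1; }
    pfx_matches_cert "$dir/$server.pfx" "$dir/$server.cer" ||
        { echo "$server.pfx does not contain $server.cer"; rc=1; }
    cert_valid_for "$dir/$server.cer" 30 ||
        { echo "$server.cer expires within 30 days"; rc=1; }
    return $rc
}

# e.g. check_deploy /mnt/tank/data/database/emby/emby-server/ssl emby.ramsden.network
```

Calling `check_deploy` at the end of the renewal script, before the Emby restart, catches a failed conversion before the service loads an outdated bundle.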