DigitalOcean

Report this

What is the reason for this report?
Question

Best Practice to Upload SSL Certificates to DigitalOcean Spaces Custom Subdomain Using Certbot Hook

Posted on June 25, 2024
CDN
Space Object Storage
Itay Amzaleg

By Itay Amzaleg

Hi, I am currently using Certbot to manage and renew my SSL certificates for my domain. I have a setup where Certbot runs inside a Docker container, and I would like to automatically upload the renewed SSL certificates to my DigitalOcean Spaces custom subdomain.

Here are the details of my current setup:

  1. Domain: expertly.co.il
  2. Custom Subdomain for Spaces CDN: images.expertly.co.il
  3. Certbot Configuration: Certbot handles the certificates and runs a renewal hook to execute additional scripts.
  4. Goal: Automatically upload the renewed SSL certificates to DigitalOcean Spaces so that they can be used for the custom subdomain.

Currently I am using a shell script as a Certbot deploy hook to handle the upload process. This script is supposed to use s3cmd to upload the certificates to my DigitalOcean Space. However, I am facing challenges with generating the necessary .s3cfg configuration file and ensuring s3cmd is correctly configured within the Docker environment.

Here are my questions:

  1. Is there a recommended way to upload SSL certificates to a DigitalOcean Spaces custom subdomain using a hook script after Certbot renews the certificates?
  2. What is the best method to configure s3cmd or any other recommended tool for this purpose within a Docker container?
  3. Are there any specific configurations or best practices I should follow to ensure the process is secure and efficient?

Here is the current script I am using as the deploy hook:

#!/bin/sh

# Configuration
DOMAIN="images.expertly.co.il"
BUCKET=$AWS_BUCKET
CERT_DIR="/etc/letsencrypt/live/$DOMAIN"
S3_CMD_CONF="/root/.s3cfg"
S3_CMD_TEMPLATE="/aws_cert/s3cfg.template"

# Generate s3cmd config file from template
envsubst < $S3_CMD_TEMPLATE > $S3_CMD_CONF

# Upload the certificate files to DigitalOcean Spaces
s3cmd --config=$S3_CMD_CONF put $CERT_DIR/fullchain.pem s3://$BUCKET/fullchain.pem
s3cmd --config=$S3_CMD_CONF put $CERT_DIR/privkey.pem s3://$BUCKET/privkey.pem

And here is the template for the .s3cfg file:

[default]
access_key = ${AWS_ACCESS_KEY_ID}
secret_key = ${AWS_SECRET_ACCESS_KEY}
host_base = ${AWS_REGION}.${AWS_DOMAIN}
host_bucket = %(bucket)s.${AWS_REGION}.${AWS_DOMAIN}

I would appreciate any guidance or suggestions.



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Bobby Iliev
Bobby Iliev
July 2, 2024

Accepted Answer

Hi there,

If I got this correctly, you don’t need to upload the certificate files to your Spaces S3 storage directly, but instead update the SSL certificate of your custom domain name that you’ve associated with your spaces.

To do that, you don’t really have to use the s3cmd CLI but instead use the DigitalOcean API to create the new certificate.

You can check out the official HTTP API documentation here:

https://docs.digitalocean.com/reference/api/api-reference/#tag/Certificates

There are endpoints for adding a new certificate, retrieving existing certificates and deleting old ones.

For example, to create a new certificate using the SSL files that you generate using certbot, you could do something like this:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"name": "web-cert-01", "type": "custom", "private_key": "'"$(</path/to/privkey1.pem)"'","leaf_certificate": "'"$(</path/to/cert1.pem)"'","certificate_chain": "'"$(</path/to/fullchain1.pem)"'"}' \
  "https://api.digitalocean.com/v2/certificates"

An alternative option here is to use the doctl CLI tool instead of the HTTP API which also allows you to manage your certificates that way:

https://docs.digitalocean.com/reference/doctl/reference/compute/certificate/create/

Let me know if this works for you!

- Bobby

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.