Question

Best Practice to Upload SSL Certificates to DigitalOcean Spaces Custom Subdomain Using Certbot Hook

Hi, I am currently using Certbot to manage and renew my SSL certificates for my domain. I have a setup where Certbot runs inside a Docker container, and I would like to automatically upload the renewed SSL certificates to my DigitalOcean Spaces custom subdomain.

Here are the details of my current setup:

  1. Domain: expertly.co.il
  2. Custom Subdomain for Spaces CDN: images.expertly.co.il
  3. Certbot Configuration: Certbot handles the certificates and runs a renewal hook to execute additional scripts.
  4. Goal: Automatically upload the renewed SSL certificates to DigitalOcean Spaces so that they can be used for the custom subdomain.

Currently I am using a shell script as a Certbot deploy hook to handle the upload process. This script is supposed to use s3cmd to upload the certificates to my DigitalOcean Space. However, I am facing challenges with generating the necessary .s3cfg configuration file and ensuring s3cmd is correctly configured within the Docker environment.

Here are my questions:

  1. Is there a recommended way to upload SSL certificates to a DigitalOcean Spaces custom subdomain using a hook script after Certbot renews the certificates?
  2. What is the best method to configure s3cmd or any other recommended tool for this purpose within a Docker container?
  3. Are there any specific configurations or best practices I should follow to ensure the process is secure and efficient?

Here is the current script I am using as the deploy hook:

#!/bin/sh
# Certbot deploy hook: stop on the first error and on any unset variable
set -eu

# Configuration
DOMAIN="images.expertly.co.il"
BUCKET="$AWS_BUCKET"
# Certbot exports RENEWED_LINEAGE to deploy hooks; fall back to the fixed path
CERT_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$DOMAIN}"
S3_CMD_CONF="/root/.s3cfg"
S3_CMD_TEMPLATE="/aws_cert/s3cfg.template"

# Generate s3cmd config file from template. umask 077 keeps the generated file
# (it holds the access keys) readable by root only, and the explicit variable
# list stops envsubst from rewriting anything else in the template.
umask 077
envsubst '$AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $AWS_REGION $AWS_DOMAIN' \
  < "$S3_CMD_TEMPLATE" > "$S3_CMD_CONF"

# Upload the certificate files to DigitalOcean Spaces
s3cmd --config="$S3_CMD_CONF" put "$CERT_DIR/fullchain.pem" "s3://$BUCKET/fullchain.pem"
s3cmd --config="$S3_CMD_CONF" put "$CERT_DIR/privkey.pem" "s3://$BUCKET/privkey.pem"

And here is the template for the .s3cfg file:

[default]
access_key = ${AWS_ACCESS_KEY_ID}
secret_key = ${AWS_SECRET_ACCESS_KEY}
host_base = ${AWS_REGION}.${AWS_DOMAIN}
host_bucket = %(bucket)s.${AWS_REGION}.${AWS_DOMAIN}

I would appreciate any guidance or suggestions.



Bobby Iliev
Site Moderator
July 2, 2024
Accepted Answer

Hi there,

If I got this correctly, you don’t need to upload the certificate files to your Spaces S3 storage directly, but instead update the SSL certificate of your custom domain name that you’ve associated with your spaces.

To do that, you don’t really have to use the s3cmd CLI but instead use the DigitalOcean API to create the new certificate.

You can check out the official HTTP API documentation here:

https://docs.digitalocean.com/reference/api/api-reference/#tag/Certificates

There are endpoints for adding a new certificate, retrieving existing certificates and deleting old ones.

For example, to create a new certificate using the SSL files that you generate using certbot, you could do something like this:

# jq builds the request body so the newlines inside the PEM files are escaped
# (a JSON string may not contain raw newlines), and the body is piped to curl
# instead of being expanded into its command line
jq -n --arg name web-cert-01 \
   --rawfile key /path/to/privkey1.pem \
   --rawfile leaf /path/to/cert1.pem \
   --rawfile chain /path/to/fullchain1.pem \
   '{name: $name, type: "custom", private_key: $key, leaf_certificate: $leaf, certificate_chain: $chain}' \
| curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  --data-binary @- \
  "https://api.digitalocean.com/v2/certificates"

An alternative option here is to use the doctl CLI tool instead of the HTTP API which also allows you to manage your certificates that way:

https://docs.digitalocean.com/reference/doctl/reference/compute/certificate/create/

Let me know if this works for you!

- Bobby
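The deploy hook below is an added example that ties the question's setup (Certbot in Docker running a deploy hook) to the answer's approach (registering the renewed files through the DigitalOcean Certificates API rather than copying them into a Space). It is not the poster's script and not DigitalOcean's own tooling. It relies on the standard library only, so it runs inside the certbot image without s3cmd, envsubst or jq. Assumed: Certbot exports RENEWED_LINEAGE (the path under /etc/letsencrypt/live) to deploy hooks and writes privkey.pem, cert.pem and chain.pem there; DIGITALOCEAN_TOKEN holds the API token, as in the answer; the CERT_NAME_PREFIX and RETIRE_OLD_CERTS variables are this example's own switches, not API fields; the response shapes (a "certificate" object on create, a "certificates" list on listing) follow the linked reference.

```python
#!/usr/bin/env python3
"""Certbot deploy hook that registers a renewed certificate through the
DigitalOcean Certificates API and identifies earlier ones to retire.

Added example for this thread; not the poster's script nor DigitalOcean
tooling. Standard library only, so it runs unchanged inside the certbot
Docker image.

Assumptions: certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<name> when
it invokes a --deploy-hook; DIGITALOCEAN_TOKEN holds an API token; the
CERT_NAME_PREFIX and RETIRE_OLD_CERTS variables are this example's own
switches, not API fields.
"""
import json
import os
import sys
import urllib.request
from datetime import datetime, timezone
from pathlib import Path

API = "https://api.digitalocean.com/v2/certificates"
CERT_NAME_PREFIX = os.environ.get("CERT_NAME_PREFIX", "images-expertly")


def build_payload(name, private_key, leaf_certificate, certificate_chain):
    """Body for POST /v2/certificates with type "custom" (field names from
    the API reference linked in the answer)."""
    return {
        "name": name,
        "type": "custom",
        "private_key": private_key,
        "leaf_certificate": leaf_certificate,
        "certificate_chain": certificate_chain,
    }


def encode_body(body):
    """Serialise the body. json.dumps escapes the newlines inside the PEM
    blocks; splicing file contents into a JSON literal by hand leaves raw
    newlines, which JSON strings may not contain."""
    return json.dumps(body).encode()


def payload_from_lineage(lineage, name):
    """Read certbot's stock file names: privkey.pem, cert.pem (leaf) and
    chain.pem (intermediates). Use fullchain.pem for the chain instead if
    the endpoint expects the leaf repeated there."""
    lineage = Path(lineage)
    return build_payload(
        name,
        (lineage / "privkey.pem").read_text(),
        (lineage / "cert.pem").read_text(),
        (lineage / "chain.pem").read_text(),
    )


def certificates_to_retire(certificates, keep_id, prefix=CERT_NAME_PREFIX):
    """Ids of earlier certificates this hook created (same name prefix),
    excluding the one just uploaded and anything with an unrelated name."""
    return [
        c["id"]
        for c in certificates
        if c["name"].startswith(prefix + "-") and c["id"] != keep_id
    ]


def api_request(method, url, body=None):
    """One authenticated call; DELETE answers with an empty body."""
    data = encode_body(body) if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + os.environ["DIGITALOCEAN_TOKEN"])
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE is not set; run this as a certbot --deploy-hook")
    # Date-stamped name keeps the previous certificate distinguishable
    name = f"{CERT_NAME_PREFIX}-{datetime.now(timezone.utc):%Y%m%d%H%M%S}"
    created = api_request("POST", API, payload_from_lineage(lineage, name))
    new_id = created["certificate"]["id"]
    print(f"registered {name} as certificate {new_id}")
    # Switch the CDN endpoint's custom domain to new_id before retiring the
    # old certificates; that call lives under CDN Endpoints in the same API
    # reference and is deliberately not automated here.
    listing = api_request("GET", API + "?per_page=200")
    old_ids = certificates_to_retire(listing.get("certificates", []), new_id)
    if os.environ.get("RETIRE_OLD_CERTS") == "1":
        for old_id in old_ids:
            api_request("DELETE", f"{API}/{old_id}")
            print(f"deleted certificate {old_id}")
    elif old_ids:
        print("earlier certificates to retire:", ", ".join(old_ids))


if __name__ == "__main__":
    main()
```

Mount the script into the container, pass the token with `-e DIGITALOCEAN_TOKEN=...` rather than baking it into the image, and register it with `certbot renew --deploy-hook /path/to/do_cert_hook.py`. Sending the key straight to the API over TLS means it never sits in a bucket or a world-readable config file, and the body is built with json.dumps so the multi-line PEM blocks are escaped correctly.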
