Best Practice to Upload SSL Certificates to DigitalOcean Spaces Custom Subdomain Using Certbot Hook

Question

Hi,I am currently using Certbot to manage and renew my SSL certificates for my domain. I have a setup where Certbot runs inside a Docker container, and I would like to automatically upload the renewed SSL certificates to my DigitalOcean Spaces custom subdomain. Here are the details of my current setup: Domain: expertly.co.il Custom Subdomain for Spaces CDN: images.expertly.co.il Certbot Configuration: Certbot handles the certificates and runs a renewal hook to execute additional scripts. Goal: Automatically upload the renewed SSL certificates to DigitalOcean Spaces so that they can be used for the custom subdomain. Currently I am using a shell script as a Certbot deploy hook to handle the upload process. This script is supposed to use s3cmd to upload the certificates to my DigitalOcean Space. However, I am facing challenges with generating the necessary .s3cfg configuration file and ensuring s3cmd is correctly configured within the Docker environment. Here are my questions: Is there a recommended way to upload SSL certificates to a DigitalOcean Spaces custom subdomain using a hook script after Certbot renews the certificates? What is the best method to configure s3cmd or any other recommended tool for this purpose within a Docker container? Are there any specific configurations or best practices I should follow to ensure the process is secure and efficient? Here is the current script I am using as the deploy hook: #!/bin/sh # Configuration DOMAIN="images.expertly.co.il" BUCKET=$AWS_BUCKET CERT_DIR="/etc/letsencrypt/live/$DOMAIN" S3_CMD_CONF="/root/.s3cfg" S3_CMD_TEMPLATE="/aws_cert/s3cfg.template" # Generate s3cmd config file from template envsubst < $S3_CMD_TEMPLATE > $S3_CMD_CONF # Upload the certificate files to DigitalOcean Spaces s3cmd --config=$S3_CMD_CONF put $CERT_DIR/fullchain.pem s3://$BUCKET/fullchain.pem s3cmd --config=$S3_CMD_CONF put $CERT_DIR/privkey.pem s3://$BUCKET/privkey.pem And here is the template for the .s3cfg file: [default] access_key = ${AWS_ACCESS_KEY_ID} secret_key = ${AWS_SECRET_ACCESS_KEY} host_base = ${AWS_REGION}.${AWS_DOMAIN} host_bucket = %(bucket)s.${AWS_REGION}.${AWS_DOMAIN} I would appreciate any guidance or suggestions.

Bobby · Accepted Answer

Hi there,

If I got this correctly, you don’t need to upload the certificate files to your Spaces S3 storage directly, but instead update the SSL certificate of your custom domain name that you’ve associated with your spaces.

To do that, you don’t really have to use the s3cmd CLI but instead use the DigitalOcean API to create the new certificate.

You can check out the official HTTP API documentation here:

https://docs.digitalocean.com/reference/api/api-reference/#tag/Certificates

There are endpoints for adding a new certificate, retrieving existing certificates and deleting old ones.

For example, to create a new certificate using the SSL files that you generate using certbot, you could do something like this:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"name": "web-cert-01", "type": "custom", "private_key": "'"$(</path/to/privkey1.pem)"'","leaf_certificate": "'"$(</path/to/cert1.pem)"'","certificate_chain": "'"$(</path/to/fullchain1.pem)"'"}' \
  "https://api.digitalocean.com/v2/certificates"

An alternative option here is to use the doctl CLI tool instead of the HTTP API which also allows you to manage your certificates that way:

https://docs.digitalocean.com/reference/doctl/reference/compute/certificate/create/

Let me know if this works for you!

- Bobby

Report this

Best Practice to Upload SSL Certificates to DigitalOcean Spaces Custom Subdomain Using Certbot Hook

Become a contributor for community

DigitalOcean Documentation

Resources for startups and SMBs

Get our newsletter

The developer cloud

Get started for free