By Itay Amzaleg
Hi, I am currently using Certbot to manage and renew my SSL certificates for my domain. I have a setup where Certbot runs inside a Docker container, and I would like to automatically upload the renewed SSL certificates to my DigitalOcean Spaces custom subdomain.
Here are the details of my current setup:
Currently I am using a shell script as a Certbot deploy hook to handle the upload process. This script is supposed to use s3cmd to upload the certificates to my DigitalOcean Space. However, I am facing challenges with generating the necessary .s3cfg configuration file and ensuring s3cmd is correctly configured within the Docker environment.
Here are my questions:
s3cmd or any other recommended tool for this purpose within a Docker container?
Here is the current script I am using as the deploy hook:
#!/bin/sh
# Configuration
DOMAIN="images.expertly.co.il"
BUCKET=$AWS_BUCKET
CERT_DIR="/etc/letsencrypt/live/$DOMAIN"
S3_CMD_CONF="/root/.s3cfg"
S3_CMD_TEMPLATE="/aws_cert/s3cfg.template"
# Generate s3cmd config file from template
envsubst < $S3_CMD_TEMPLATE > $S3_CMD_CONF
# Upload the certificate files to DigitalOcean Spaces
s3cmd --config=$S3_CMD_CONF put $CERT_DIR/fullchain.pem s3://$BUCKET/fullchain.pem
s3cmd --config=$S3_CMD_CONF put $CERT_DIR/privkey.pem s3://$BUCKET/privkey.pem
And here is the template for the .s3cfg file:
[default]
access_key = ${AWS_ACCESS_KEY_ID}
secret_key = ${AWS_SECRET_ACCESS_KEY}
host_base = ${AWS_REGION}.${AWS_DOMAIN}
host_bucket = %(bucket)s.${AWS_REGION}.${AWS_DOMAIN}
I would appreciate any guidance or suggestions.
Accepted Answer
Hi there,
If I got this correctly, you don’t need to upload the certificate files to your Spaces S3 storage directly, but instead update the SSL certificate of your custom domain name that you’ve associated with your spaces.
To do that, you don't really have to use the s3cmd CLI but instead use the DigitalOcean API to create the new certificate.
You can check out the official HTTP API documentation here:
https://docs.digitalocean.com/reference/api/api-reference/#tag/Certificates
There are endpoints for adding a new certificate, retrieving existing certificates and deleting old ones.
For example, to create a new certificate using the SSL files that you generate using certbot, you could do something like this:
# Build the body with jq so the PEM newlines are JSON-escaped (raw newlines make the JSON invalid)
jq -n --arg name "web-cert-01" --rawfile key /path/to/privkey1.pem \
  --rawfile leaf /path/to/cert1.pem --rawfile chain /path/to/fullchain1.pem \
  '{name: $name, type: "custom", private_key: $key, leaf_certificate: $leaf, certificate_chain: $chain}' |
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d @- \
  "https://api.digitalocean.com/v2/certificates"
An alternative option here is to use the doctl CLI tool instead of the HTTP API which also allows you to manage your certificates that way:
https://docs.digitalocean.com/reference/doctl/reference/compute/certificate/create/
Let me know if this works for you!
- Bobby
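The approach from the accepted answer turned into a complete Certbot deploy hook, as an added example that is not part of the original question or answer and not DigitalOcean's own code. It assumes the RENEWED_LINEAGE variable that Certbot exports to deploy hooks (the path of the renewed lineage, e.g. /etc/letsencrypt/live/<domain>), the DIGITALOCEAN_TOKEN variable used in the answer, a hypothetical DO_CERT_NAME variable for the certificate name prefix, and a POST /v2/certificates response of the form {"certificate": {"id": ...}}. The JSON body is built with json.dumps so the newlines inside the PEM files are escaped; splicing the raw files into a JSON string in the shell produces invalid JSON.

```python
#!/usr/bin/env python3
"""Certbot deploy hook: push the renewed certificate to DigitalOcean.

Added example, not from the original post. Assumptions (not stated on the
page): Certbot sets RENEWED_LINEAGE for deploy hooks, the API token is in
DIGITALOCEAN_TOKEN, and DO_CERT_NAME (hypothetical) is the name prefix.
Run as: certbot renew --deploy-hook /path/to/this_script.py
"""
import json
import os
import sys
import time
import urllib.error
import urllib.request

API_URL = "https://api.digitalocean.com/v2/certificates"


def build_payload(name, private_key, leaf_certificate, certificate_chain):
    """Build the JSON body for POST /v2/certificates.

    json.dumps() escapes the newlines in the PEM blocks, which is the part
    a shell string splice gets wrong (raw newlines are not valid in JSON).
    """
    for label, pem in (("private_key", private_key),
                       ("leaf_certificate", leaf_certificate),
                       ("certificate_chain", certificate_chain)):
        if "-----BEGIN" not in pem:
            raise ValueError(f"{label} does not look like PEM")
    body = {
        "name": name,
        "type": "custom",
        "private_key": private_key,
        "leaf_certificate": leaf_certificate,
        "certificate_chain": certificate_chain,
    }
    return json.dumps(body).encode("utf-8")


def read_lineage(lineage_dir):
    """Read the three PEM files Certbot keeps in a lineage directory."""
    def read(filename):
        with open(os.path.join(lineage_dir, filename), encoding="ascii") as fh:
            return fh.read()
    return read("privkey.pem"), read("cert.pem"), read("fullchain.pem")


def create_certificate(token, payload, opener=urllib.request.urlopen):
    """POST the payload and return the id of the created certificate.

    `opener` is injectable so the call can be exercised without the network.
    """
    req = urllib.request.Request(
        API_URL, data=payload, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    with opener(req, timeout=30) as resp:
        data = json.loads(resp.read())
    return data["certificate"]["id"]


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")
    token = os.environ.get("DIGITALOCEAN_TOKEN")
    if not lineage or not token:
        sys.exit("RENEWED_LINEAGE and DIGITALOCEAN_TOKEN must be set")
    # Certificate names are unique per account, so suffix with a timestamp;
    # the previous certificate stays in place until it is replaced and deleted.
    prefix = os.environ.get("DO_CERT_NAME", os.path.basename(lineage))
    name = f"{prefix}-{time.strftime('%Y%m%d%H%M%S')}"
    key, leaf, chain = read_lineage(lineage)
    payload = build_payload(name, key, leaf, chain)
    try:
        cert_id = create_certificate(token, payload)
    except urllib.error.HTTPError as exc:
        sys.exit(f"API error {exc.code}: {exc.read().decode(errors='replace')}")
    print(cert_id)


if __name__ == "__main__":
    main()
```

The hook prints the new certificate id so a follow-up step can attach it to the custom domain and delete the superseded certificate; keep the token scoped to what the hook needs and keep the script, like privkey.pem, readable only by root.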