
How to auto-convert Let's Encrypt to a pkcs12.pfx file when certbot renews


JuJuJurassic


I've implemented SSL on Emby (my server runs Ubuntu, but it should be similar for Windows) and automated the generation of the PFX file.

I must hasten to add that I had a lot of help from the Let's Encrypt community, MikeMcQ in particular, but here's how to do it.

Use the snap install; you have more options, which, as you'll see, is important. Watch out for typos: I typed a - instead of a _, and once that was pointed out it all worked perfectly.

You can cheat, which is what I did: I installed certbot using the script from the post "SSL made Easy", which got me working with SSL. I then removed the installed certbot and installed the snap version, as that has the "post_hook" option we need. See here: https://certbot.eff.org/instructions?ws=other&os=ubuntufocal

The problem is that certbot will auto-renew, but it won't create the .PFX file; you need it to do that afterwards for Emby.

The command in Ubuntu to do this is

openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:******* -passout pass:******

Check the file names; mine are the default for Ubuntu. I don't know what they are for Windows.

This generates the pkcs12.pfx file.

But Emby can't see it in Ubuntu, so you need to change the owner using
chown emby:root pkcs12.pfx

I created a script file called convert-to-pfs.sh (remember to flag it as executable).

It is literally just this:

#!/bin/sh
cd "$(dirname "$0")" || exit 1   # work in the script's own directory (the live/ dir), whatever cwd certbot runs the hook from
openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:***** -passout pass:*****
chown emby:root pkcs12.pfx

I put it in /etc/letsencrypt/live/Yourdomain. I should move it, as it's not good practice, but I didn't want any path problems.

Once certbot is installed, it creates a conf file in /etc/letsencrypt/live/Yourdomain called yourdomain.conf. In the renewals section it will say something like

# Options used in the renewal process
[renewalparams]
account = *********
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

You need to add the line

post_hook = /etc/letsencrypt/live/yourdomain/convert-to-pfs.sh

You can do this with the reconfigure command, but you can also cut and paste from this post. Remember to change the path.

That will then call the conversion AFTER the certificate has been renewed. Hey presto, you have the pfx file updated.

To test, use certbot renew --dry-run --run-deploy-hooks. This will not renew the certificates, but it will call the script. Just make sure you've renamed the original pfx file so you can see that the date and time change. If you get "certbot: error: unrecognized arguments: --run-deploy-hooks", you're not using the snap version of certbot.
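As an added example (not the script from this post), here is a hardened version of the same post_hook conversion. It assumes the live directory is passed as the first argument, the export password is read from a root-only file given as the second argument (so it never appears in the process list), and the owner is given as an optional third argument, defaulting to emby:root as above.

```shell
#!/bin/sh
# Added example, not the original convert-to-pfs.sh from the post.
# Assumed layout: $1 is the live directory (e.g. /etc/letsencrypt/live/yourdomain),
# $2 a root-only (mode 0600) file whose first line is the PFX export password,
# $3 the owner of the result (defaults to emby:root as in the post).
set -eu

build_pfx() {
    live_dir="$1"
    pass_file="$2"
    owner="${3:-emby:root}"
    out="$live_dir/pkcs12.pfx"
    tmp="$out.tmp.$$"

    # Refuse to package a private key that does not belong to the certificate:
    # compare SHA-256 digests of the DER public key derived from each file.
    key_pub=$(openssl pkey -in "$live_dir/privkey.pem" -pubout -outform DER | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$live_dir/cert.pem" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "privkey.pem does not match cert.pem in $live_dir" >&2
        return 1
    fi

    # umask 077 keeps the temp file unreadable by others while it is written;
    # the password comes from a file, so it never shows up in ps output.
    umask 077
    openssl pkcs12 -export -out "$tmp" \
        -inkey "$live_dir/privkey.pem" -in "$live_dir/cert.pem" \
        -certfile "$live_dir/chain.pem" -passout "file:$pass_file"

    # Prove the archive opens with that password before it replaces the old one.
    openssl pkcs12 -in "$tmp" -noout -passin "file:$pass_file"

    chown "$owner" "$tmp"
    chmod 640 "$tmp"
    mv -f "$tmp" "$out"   # atomic rename: Emby never sees a half-written PFX
}

# From certbot (paths are placeholders):
# post_hook = /path/to/convert-to-pfx.sh /etc/letsencrypt/live/yourdomain /etc/letsencrypt/pfx-password
if [ "$#" -ge 2 ]; then
    build_pfx "$@"
fi
```

The key/certificate match check catches the case where a stale privkey.pem is packaged with a freshly renewed cert.pem, which otherwise only shows up as a TLS handshake failure in Emby.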

Apart from that, that's it 🙂

Have fun

juju


Edited by JuJuJurassic