Certificates
Renew certificates network-wide
You can manually renew LetsEncrypt certificates for your domains by doing:
$ sc_pack certs <action> -f configuration/file/path/sc_pack.conf.yaml <--push>
You can use these values for <action>:
- run_staging: generates the certificates using the ACME staging CA; this is useful for testing. We encourage you to run it this way first and, once you have confirmed that the staging certificates are generated correctly, run it for production with run_prod (see below).
- run_prod: generates the certificates using the ACME production CA. These are the certificates that browsers will recognize as valid.
- print_crontab_line: prints a crontab line that sets up an automatic periodic run of renew_certs. The printed example runs once a month, on the first day of the month at 3:30am.
- push_local_certificates: pushes the certificates that this sc_pack instance holds locally to the centralized accelerator platform, which then synchronizes them with all the deployment sites.
- pull_certificates <domain name>: pulls the certificates for that specific domain and deployment site from the centralized accelerator platform.
And for <--push>:
--push means that the generated certificates will be pushed to, and synchronized with, all the sc_pack instances that have this domain deployed somewhere. It only takes effect with the run_prod action, though.
If you have issues with either run_prod or run_staging, please double-check that the ports enabled for the celery are reachable from outside.
Import certificates handled with certbot
An alternative is to use certbot to obtain or renew your domain certificates and then import them with the command sc_pack import_certbot_certificates.
The option --certbot_certs_root_directory <path to the root dir where certbot stores the certificates> can be given; it defaults to /etc/letsencrypt/live, which is where a standard certbot installation keeps them.
This command:
- imports the certificates handled by certbot from the root directory where it stores them, normally /etc/letsencrypt/live,
- converts the certificates to the format that ShimmerCat uses,
- copies them to the shimmercat-scratch-folder/sni-certs/ directory for each domain in the devlove.yaml file,
- reloads the ShimmerCat server so that it can read the new certificates.
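Before running the import it is worth auditing the certbot tree for the domains you expect, because the import silently has nothing to do for a domain whose files are missing, and a private key left readable by other users is a problem regardless of the import. The script below is an added example, not sc_pack's or certbot's own code. It assumes certbot's standard layout (live/<domain>/fullchain.pem and privkey.pem as relative symlinks into archive/); the sample tree it builds is constructed placeholder data, not real certificates, and the domain names are made up. The conversion to ShimmerCat's format and the copy into sni-certs/ are done by sc_pack and are not reproduced here.

```python
"""Pre-flight audit of a certbot live/ tree before `sc_pack import_certbot_certificates`.

Added example (not sc_pack code). Checks, per domain, that the files sc_pack will
read exist (following certbot's live -> archive symlinks) and that the private key
is not readable by group/other.
"""
import os
import stat
import tempfile

# Files certbot keeps per domain under <live_root>/<domain>/ (real certbot layout).
REQUIRED = ("fullchain.pem", "privkey.pem")


def inventory(live_root, domains):
    """Return {domain: status}; status is 'ready' or names the first problem found."""
    report = {}
    for domain in domains:
        d = os.path.join(live_root, domain)
        if not os.path.isdir(d):
            report[domain] = "absent"
            continue
        # isfile() follows symlinks, so a dangling link into archive/ counts as missing.
        missing = [f for f in REQUIRED if not os.path.isfile(os.path.join(d, f))]
        if missing:
            report[domain] = "missing " + ", ".join(missing)
            continue
        # os.stat() follows the symlink, so this is the mode of the real key in archive/.
        mode = stat.S_IMODE(os.stat(os.path.join(d, "privkey.pem")).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            report[domain] = "privkey.pem readable by group/other (mode %o)" % mode
            continue
        report[domain] = "ready"
    return report


def build_demo_live_root(root):
    """Construct a certbot-like tree with placeholder files (constructed sample data).

    ok.example    -> both files, key 0600
    loose.example -> both files, key 0644 (too permissive)
    nokey.example -> fullchain only
    stale.example -> live/ symlinks whose archive/ targets were deleted
    """
    archive = os.path.join(root, "archive")
    live = os.path.join(root, "live")
    cases = (
        ("ok.example", ("fullchain1.pem", "privkey1.pem"), 0o600, True),
        ("loose.example", ("fullchain1.pem", "privkey1.pem"), 0o644, True),
        ("nokey.example", ("fullchain1.pem",), None, True),
        ("stale.example", ("fullchain1.pem", "privkey1.pem"), None, False),
    )
    for domain, files, key_mode, create_archive in cases:
        os.makedirs(os.path.join(live, domain))
        if create_archive:
            os.makedirs(os.path.join(archive, domain))
        for name in files:
            target = os.path.join(archive, domain, name)
            if create_archive:
                with open(target, "w") as fh:
                    fh.write("-----BEGIN PLACEHOLDER-----\n")  # not a real PEM object
                if name.startswith("privkey"):
                    os.chmod(target, key_mode)
            # certbot links live/<domain>/<name>.pem -> ../../archive/<domain>/<name>N.pem
            os.symlink(os.path.join("..", "..", "archive", domain, name),
                       os.path.join(live, domain, name.replace("1.pem", ".pem")))
    return live


def run_demo():
    """Build the constructed tree in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        live = build_demo_live_root(tmp)
        return inventory(live, ["ok.example", "loose.example", "nokey.example",
                                "stale.example", "gone.example"])


if __name__ == "__main__":
    for domain, status in run_demo().items():
        print("%-16s %s" % (domain, status))
```

Run it against a real tree with `inventory("/etc/letsencrypt/live", domains)` (as root, since certbot's directories are not world-readable), and fix every non-ready domain before invoking the import; a domain reported as ready is one whose files sc_pack will actually find.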
Video tutorial
For a video on how to create and spread LetsEncrypt certificates in a group of live edge servers, see the link below: