Full script for getting LEGO SSL certificate for rpxy #155

id4vip opened this issue May 17, 2024 · 3 comments

id4vip commented May 17, 2024

Thanks for making rust-rpxy. I am using rust-rpxy and it is working blazing fast with my self-signed certificate. Now I want to use an actual SSL certificate from Let's Encrypt with the help of LEGO. As rpxy uses the Rust key format (PK8) and Let's Encrypt gives the key in PK1, it would be very good if some expert made a bash file which combines the LEGO commands for the SSL certificate and converts the key file into the Rust key format. Basically I want to merge creation of the key and conversion into the Rust format in one script.

https://go-acme.github.io/lego/usage/cli/obtain-a-certificate/

If some expert makes this type of bash script file, then we can run that file periodically with a Linux cron job.
Thanks

id4vip commented May 17, 2024

CLOUDFLARE_DNS_API_TOKEN=1234567890abcdefghijklmnopqrstuvwxyz \
lego --email [email protected] --dns cloudflare --domains my.example.org run
openssl pkcs8 -topk8 -nocrypt \
    -in yoru_domain_from_le.key \
    -inform PEM \
    -out your_domain_pkcs8.key.pem \
    -outform PEM

I am not stuck with LEGO; I just need any working way to use an SSL certificate with rust-rpxy in a script, maybe using any mechanism as mentioned in another post,
https://github.com/instant-labs/instant-acme?tab=readme-ov-file

id4vip commented May 18, 2024

I have copy-pasted a few bash scripts from online media; please, somebody fine-tune it for rust-rpxy. It is still broken.
https://ppfeufer.de/lego-automatic-ssl-certificates-and-https-for-everyone-and-everywhere/

#!/usr/bin/env bash
 
# Load the Hetzner API key
export HETZNER_API_KEY_FILE=/home/your_username/.lego/hetzer-api-key
 
LEGO_ACCOUNT_EMAIL="[email protected]"
LEGO_PATH="/home/your_username/.lego"
LEGO_CERTIFICATES_PATH="${LEGO_PATH}/certificates"
LEGO_RENEW_DAYS=10
LEGO_DNS_PROVIDER=hetzner
 
CERTIFICATE_RENEWED=False
 
 
for LEGO_CERTIFICATE_NAME in `/usr/bin/lego --path ${LEGO_PATH} list --names`
    do
        original=$(date -r "${LEGO_CERTIFICATES_PATH}/${LEGO_CERTIFICATE_NAME}.crt")
 
        /usr/bin/lego \
            --path ${LEGO_PATH} \
            --email ${LEGO_ACCOUNT_EMAIL} \
            --accept-tos \
            --dns ${LEGO_DNS_PROVIDER} \
            --domains ${LEGO_CERTIFICATE_NAME} \
            renew --days ${LEGO_RENEW_DAYS}
 
        actual=$(date -r "${LEGO_CERTIFICATES_PATH}/${LEGO_CERTIFICATE_NAME}.crt")
 
        if [ "${original}" != "${actual}" ]
            then
                CERTIFICATE_RENEWED=True
        fi
    done
 
 
if [ ${CERTIFICATE_RENEWED} == True ]
    then
        systemctl stop rpxy.service
        openssl pkcs8 -topk8 -nocrypt \
          -in yoru_domain_from_le.key \
          -inform PEM \
          -out your_domain_pkcs8.key.pem \
          -outform PEM
        systemctl start rpxy.service
fi
exit $?

id4vip commented May 20, 2024

I made one bash file; it should be working. PK1 key creation is done the default way, and this bash file generates the PK8 file if there is any change between the PK1 and PK8 last modification dates. Both PK1 creation and this script run weekly with Linux cron in serial order.

#!/bin/bash
if [ "/mnt/userdata/rpxy/certificates/_.XXX.ZZZ.key" -nt "/mnt/userdata/rpxy/certificates/_.XXX.ZZZ.key.pem" ]
then
  echo "Different certificate, updating..."
  cd /mnt/userdata/rpxy/certificates
  openssl pkcs8 -topk8 -nocrypt \
      -in _.XXX.ZZZ.key \
      -inform PEM \
      -out _.XXX.ZZZ.key.pem \
      -outform PEM
   sudo systemctl restart rpxy.service
else
  echo "Same certificate, No change needed"
fi
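
An added example (not from the thread, and not rpxy's or lego's own code) that merges the steps from the comments above into one cron-safe script: renew, convert the key to PKCS#8 through a 0600 temp file with an atomic rename, check that the converted key is the same key pair, and restart rpxy only on change. The function names, the `LEGO_PATH` default and the argument order are assumptions; the lego flags and the `rpxy.service` unit name are taken from the posts above.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes lego and openssl are on PATH and
# the DNS provider token (e.g. CLOUDFLARE_DNS_API_TOKEN) is in the environment.

# Convert a lego PEM key to unencrypted PKCS#8 for rpxy.
# Returns 0 = new file installed, 1 = already up to date, 2 = error.
convert_key_pkcs8() {
  local src="$1" dst="$2" tmp pub_src pub_new
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
  # Nothing to do when the PKCS#8 copy exists and the source is not newer.
  if [ -e "$dst" ] && [ ! "$src" -nt "$dst" ]; then return 1; fi
  tmp=$(mktemp "${dst}.XXXXXX") || return 2   # created with mode 0600
  if ! openssl pkcs8 -topk8 -nocrypt -inform PEM -in "$src" \
         -outform PEM -out "$tmp" 2>/dev/null; then
    rm -f "$tmp"; return 2
  fi
  # Install only if the output parses and holds the same key pair as the input.
  pub_src=$(openssl pkey -in "$src" -pubout 2>/dev/null)
  pub_new=$(openssl pkey -in "$tmp" -pubout 2>/dev/null)
  if [ -z "$pub_new" ] || [ "$pub_src" != "$pub_new" ]; then
    rm -f "$tmp"; return 2
  fi
  # rename is atomic within one directory, so rpxy never reads a partial key
  chmod 600 "$tmp" && mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 2; }
}

# Renew via lego, convert the key, and restart rpxy only when the key changed.
# Assumes renewal writes a fresh <name>.key, as the last script above also does.
renew_and_install() {
  # The $HOME/.lego default for LEGO_PATH is an assumption of this example.
  local domain="$1" email="$2" dns="$3" dir="${LEGO_PATH:-$HOME/.lego}" name
  name=$(printf '%s' "$domain" | tr '*' '_')  # *.example.org is stored as _.example.org
  lego --path "$dir" --email "$email" --accept-tos --dns "$dns" \
       --domains "$domain" renew --days "${LEGO_RENEW_DAYS:-10}" || return 2
  convert_key_pkcs8 "$dir/certificates/$name.key" "$dir/certificates/$name.key.pem"
  case $? in
    0) systemctl restart rpxy.service ;;
    1) echo "key unchanged, rpxy left running" ;;
    *) echo "key conversion failed, old PKCS#8 key kept" >&2; return 2 ;;
  esac
}

# Cron entry point (hypothetical arguments):
#   script.sh '*.example.org' admin@example.org cloudflare
if [ "$#" -eq 3 ]; then renew_and_install "$@"; fi
```

Run it from root's crontab (or a systemd timer) so the `systemctl restart` needs no `sudo`, and keep the DNS API token in a root-only environment file rather than in the crontab line.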
