Friday, April 7, 2023

[389-users] Re: ACME certificate and NSS databases

Yep. That was the question. I've been hacking on dehydrated hook-scripts, and am pretty close to where I want to be.

I'm using DNS-01 challenge (so needed to write the handlers for that)

I find NSS databases to be a PITA, so in the deploy_cert handler, I'm

+ building a new NSS
+ importing the Let's Encrypt intermediates
+ importing the new cert and key under the expected name

Then I'll just replace the old NSS with the new




--
Do things because you should, not just because you can.
John Thurston
907-465-8591
John.Thurston@alaska.gov
Department of Administration
State of Alaska
On 4/5/2023 10:32 AM, Rob Crittenden wrote:
I think he was asking if a script exists that will work with ACME and NSS databases. It is quite a broad question because it does depend on the client used.

I think I would use certbot and leave the private key and certificates in the flat filesystem and use a post-hook to stop 389, load the updated cert using certutil, restart 389.

I'm lazy so after the first request I'd manually create a PKCS#12 out of it and load that into the 389 NSS db. All subsequent calls with the post-hook should work fine as long as the private key is retained.

But I haven't tried it.
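The deploy_cert handler John outlines (new NSS database, chain import, cert and key import under the expected nickname, then swap) as an added worked example. This is not John's hook script and not part of the thread; it assumes a 389 instance named "example" whose NSS files live in /etc/dirsrv/slapd-example, a token password file pwdfile.txt in that directory, the nickname Server-Cert (the nsSSLPersonalitySSL value in dse.ldif), and the dehydrated hook calling convention (handler name first, then DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP). It adds two checks John's description does not mention: the cert must validate for SSL-server use against the chain just loaded, and the private key must really be in key4.db under the same nickname, before the live files are touched.

```shell
#!/usr/bin/env bash
# dehydrated hook script (added example; not the original poster's script).
# On deploy_cert it builds a fresh NSS database for a 389-ds instance,
# loads the issuer chain and the new key/cert under the nickname the
# instance expects, checks the result, and only then swaps it in.
# Instance name, paths, nickname and service user are assumptions.
set -eu

INSTANCE="${INSTANCE:-example}"                    # assumed: dirsrv@example
NSSDIR="${NSSDIR:-/etc/dirsrv/slapd-$INSTANCE}"    # assumed 389 config/NSS dir
PWFILE="${PWFILE:-$NSSDIR/pwdfile.txt}"            # assumed NSS token password file
NICK="${NICK:-Server-Cert}"                        # assumed nsSSLPersonalitySSL value
DSUSER="${DSUSER:-dirsrv}"                         # assumed service account

# split_pem BUNDLE OUTDIR: write one cert-NN.pem per certificate found in
# BUNDLE and print how many were written. certutil -A loads one certificate
# per call, so a multi-cert chain file has to be split first.
split_pem() {
  local bundle="$1" outdir="$2"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    END { print n + 0 }
  ' "$bundle"
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# (the argument order dehydrated uses for this hook)
deploy_cert() {
  local domain="$1" keyfile="$2" certfile="$3" chainfile="$5"
  local work newdb count i p12pass
  work="$(mktemp -d)"
  trap "rm -rf '$work'" EXIT
  newdb="$work/db"
  mkdir "$newdb"

  # 1. Empty database in the sql format, protected by the token password
  #    the instance already uses.
  certutil -N -d "sql:$newdb" -f "$PWFILE"

  # 2. Issuer chain from dehydrated's chain.pem (intermediates, no leaf),
  #    one certutil -A per certificate, trusted as a CA for SSL.
  count="$(split_pem "$chainfile" "$work")"
  i=1
  while [ "$i" -le "$count" ]; do
    certutil -A -d "sql:$newdb" -n "$domain chain $i" -t "CT,," -a \
      -i "$(printf '%s/cert-%02d.pem' "$work" "$i")"
    i=$((i + 1))
  done

  # 3. Key and leaf cert go in together as PKCS#12; -name becomes the NSS
  #    nickname. Old NSS releases only accept the legacy SHA1/3DES PBE, so
  #    add -certpbe/-keypbe PBE-SHA1-3DES to the openssl call if the
  #    import is rejected there.
  p12pass="$(head -c 24 /dev/urandom | base64)"
  openssl pkcs12 -export -in "$certfile" -inkey "$keyfile" -name "$NICK" \
    -passout "pass:$p12pass" -out "$work/server.p12"
  pk12util -i "$work/server.p12" -d "sql:$newdb" -k "$PWFILE" -W "$p12pass"

  # 4. Checks before touching the live instance: the cert validates for
  #    SSL-server use (-u V) against the chain just loaded, and a private
  #    key is present under the same nickname.
  certutil -V -d "sql:$newdb" -n "$NICK" -u V
  certutil -K -d "sql:$newdb" -f "$PWFILE" | grep -q "$NICK"

  # 5. Swap only the database files; pin.txt, pwdfile.txt and certmap.conf
  #    stay in place. The previous files are kept for rollback.
  systemctl stop "dirsrv@$INSTANCE"
  for f in cert9.db key4.db pkcs11.txt; do
    [ -f "$NSSDIR/$f" ] && mv -f "$NSSDIR/$f" "$NSSDIR/$f.prev"
    install -o "$DSUSER" -g "$DSUSER" -m 0600 "$newdb/$f" "$NSSDIR/$f"
  done
  systemctl start "dirsrv@$INSTANCE"
}

# dehydrated invokes the hook as: hook.sh <handler> <args...>
if [ "$#" -gt 0 ]; then
  handler="$1"; shift
  case "$handler" in
    deploy_cert) deploy_cert "$@" ;;
    *) ;;   # dns-01 deploy_challenge/clean_challenge handlers not shown here
  esac
fi
```

Point dehydrated at the script with the HOOK setting in its config; because the verification steps run against the scratch database, a bad import leaves the running instance untouched, and the .prev copies let you roll back by moving three files.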
