From adf9cabd294acf05a50022a388601255b0c45ef9 Mon Sep 17 00:00:00 2001 From: Jacobo de Vera Date: Sun, 31 Aug 2025 21:28:59 +0100 Subject: [PATCH] Document missing ssh deploy plugin options: Multiple servers, Custom ports, Using SCP, Custom SCP command --- deployhooks.md | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/deployhooks.md b/deployhooks.md index 3ea11c6..ad6327f 100644 --- a/deployhooks.md +++ b/deployhooks.md @@ -65,11 +65,10 @@ export DEPLOY_SSH_CAFILE=filename for intermediate CA file export DEPLOY_SSH_FULLCHAIN=filename for fullchain file export DEPLOY_SSH_REMOTE_CMD=command to execute on remote host export DEPLOY_SSH_BACKUP=yes or no -``` -Added in Acme release 2.8.6... -``` export DEPLOY_SSH_BACKUP_PATH=path on remote server to backup certificates export DEPLOY_SSH_MULTI_CALL=yes or no +export DEPLOY_SSH_USE_SCP=yes or no +export DEPLOY_SSH_SCP_CMD=yes or no ``` **DEPLOY_SSH_USER** Username at the remote host that SSH will login with. Note that 
@@ -81,18 +80,16 @@ The USER@URL at the remote server must also have has permissions to write to the target location of the certificate files and to execute any commands (e.g. to stop/start services). +**DEPLOY_SSH_SERVER** +A list of servers separated by spaces that the certificate will be deployed to. Each server can be a HOST NAME or IP Address of the remote server. If not provided then the domain name provided on the `acme.sh --deploy` command line is used. When several values are set, all the deployment options (file paths, commands, etc.) apply to all. + +Optionally, each server can include a port number separated by a colon `:`, e.g. `server.example.com 10.1.1.15 server2.example.com:10022` + **DEPLOY_SSH_CMD** You can customize the ssh command used to connect to the remote host. For example -if you need to connect to a specific port at the remote server you can set this -to, for example, "ssh -p 22" or to use `sshpass` to provide password inline -instead of exchanging ssh keys (this is not recommended, using keys is +to use `sshpass` to provide password inline instead of exchanging ssh keys (this is not recommended, using keys is more secure). Defaults to "ssh -T" -**DEPLOY_SSH_SERVER** -URL or IP Address of the remote server. If not provided then the domain -name provided on the acme.sh --deploy command line is used. -New in Acme release 2.8.7 this may be space separated list of servers to which exactly the -same deploy commands can be sent. **DEPLOY_SSH_KEYFILE** Target path and filename _on the remote server_ for the private key issued by LetsEncrypt. 
@@ -141,6 +138,13 @@ is not long enough to hold all the data sent in SSH. This is known to affect servers using busybox. By setting this value to "yes" the certificate deployment process is split into multiple SSH calls to work around this problem. +**DEPLOY_SSH_USE_SCP** +By default, this plugin writes the certificates on the remote host by running an SSH command that prints the contents and then pipes them to the destination file. This can result in a command that is too large for systems, even when `DEPLOY_SSH_MULTI_CALL` is used. Setting `DEPLOY_SSH_USE_SCP` to `yes` will instead use `scp` to transfr the certificate files to the destination server. + +**DEPLOY_SSH_SCP_CMD** +You can customize the `scp` command that is used to transfer certificate files when `DEPLOY_SSH_USE_SCP` is enabled. By default this is `scp -q`. + + ### Examples using SSH deploy The following example illustrates deploying certificates to a QNAP NAS (tested with QTS version 4.2.3)
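Review bot: In the first hunk (the `export` list in deployhooks.md), the new line `export DEPLOY_SSH_SCP_CMD=yes or no` gives a yes/no placeholder for a variable that the third hunk documents as a command string defaulting to `scp -q`. Suggest a placeholder in the style of the existing `DEPLOY_SSH_REMOTE_CMD=command to execute on remote host` line, for example `export DEPLOY_SSH_SCP_CMD=custom scp command`. The hunk also drops the "Added in Acme release 2.8.6..." marker; if readers on older releases still use this page, say somewhere which release introduced the options that followed it.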
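Review bot: In the second hunk, the new DEPLOY_SSH_SERVER text introduces the `host:port` form while deleting the `ssh -p 22` example from DEPLOY_SSH_CMD, but it does not say which setting wins when an existing configuration still carries `-p` in DEPLOY_SSH_CMD. Add a sentence on precedence, and state how an IPv6 literal should be written, since "IP Address" combined with a colon separator is ambiguous for addresses that themselves contain colons. Minor: "apply to all" would read better as "apply to every server", and the unchanged context line at the top of the hunk still says "must also have has permissions".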
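Review bot: In the third hunk, the DEPLOY_SSH_USE_SCP paragraph has a typo, `transfr` should be `transfer`, and "too large for systems" should read "too large for some systems". The DEPLOY_SSH_SCP_CMD paragraph should also state whether the per-server port from DEPLOY_SSH_SERVER and any customisation made in DEPLOY_SSH_CMD (the `sshpass` case described in the second hunk) carry over to the `scp` invocation or must be repeated in DEPLOY_SSH_SCP_CMD, and whether DEPLOY_SSH_MULTI_CALL has any effect once SCP is enabled. The second blank line added before `### Examples using SSH deploy` can be dropped.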