Patrick van Lier

Posts posted by Patrick van Lier

  1. We have a clean Eset Protect v10 installed on Ubuntu. The same server also contains the MDM installation. The whole installation was generally without problems. All installed, all activated.

    For Eset Protect Console I have a certificate from Let's Encrypt (certbot) which is automatically renewed every 2 or 3 months and through a post-hook I copy the needed files to the tomcat9 folder and restart the service so the new certificate is used.

    I used the openssl command to create a PFX file from the PEM files that Let's Encrypt generated (found it on the forums here) and used that while installing MDM. All went well and when accessing the <mdm serverhostname>:9980 the certificate is working well.

    In my Protect console there is an error about the certificate chain however. I did some more reading and the conclusion is that the CA part is missing from the generated certificates. This leaves me with 3 questions:

    1) I can get the needed root certificate from Chain of Trust - Let's Encrypt (letsencrypt.org). Do I need the self-signed ISRG root X1 certificate or the cross-signed ISRG root X1 certificate?

    2) I assume the PEM version is the logical choice as the generated certificates are also PEM files. Can I just add another "-in <cacert.pem>" in my openssl command to add the ca certificate into the resulting pfx file? Or do I need to concatenate the pem files? 

    3) How do I inject the auto-renewed certificate into MDM? I know normally it is done with an MDM policy but as these are short-lived certificates I need to automate it. I already searched through the install script to see if there was a command to inject the certificates and it seems to be linked to "multiagentcertificate" but I don't have enough Linux/bash knowledge to find out if it is possible to create a script to do this. I also found compiled scripts "customaction.sh" and looked at the help but again, not sure if this can be utilized to fulfill my needs. Is there a way to automate https script injection from the shell?
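An added example, not part of the original post: building a PFX from PEM files with and without the issuing chain, using the `-certfile` option of `openssl pkcs12 -export`, then counting the certificates stored in each result. The throwaway CA and leaf, the file names, the password and the function names are constructed for the demonstration and only stand in for certbot's `chain.pem`, `cert.pem` and `privkey.pem`.

```bash
#!/usr/bin/env bash
# Added example: PEM -> PFX conversion with the issuing chain included.

# build_pfx LEAF KEY CHAIN OUT PASS
# Pass an empty CHAIN to reproduce a PFX that lacks the CA certificates.
build_pfx() {
    if [ -n "$3" ]; then
        # -certfile adds extra certificates (intermediate/root) to the bundle
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
            -out "$4" -passout "pass:$5"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" \
            -out "$4" -passout "pass:$5"
    fi
}

# pfx_cert_count PFX PASS -> number of certificates stored in the PFX
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# demo: builds a constructed CA and leaf, converts both ways and prints
# "<certs with chain> <certs without chain>".
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mdm.example.test" \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -days 1 \
        -out "$d/cert.pem" 2>/dev/null
    build_pfx "$d/cert.pem" "$d/privkey.pem" "$d/chain.pem" "$d/full.pfx" demo-pass
    build_pfx "$d/cert.pem" "$d/privkey.pem" "" "$d/leaf.pfx" demo-pass
    with_chain=$(pfx_cert_count "$d/full.pfx" demo-pass)
    without_chain=$(pfx_cert_count "$d/leaf.pfx" demo-pass)
    rm -rf "$d"
    echo "$with_chain $without_chain"
}

demo
```

The same count check can be run against any existing PFX to confirm whether the CA certificates made it into the file before it is deployed.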

  2. We have a customer who migrated to a new server. Both old and new server had ESA 2.7 installed so during migration we would always have an active endpoint. When migration was almost done the old server crashed so we didn't get a chance to remove ESA from it. How can we delete this old endpoint? In the summary screen it displays the old server with the error 'Offline'.

     
