Patrick van Lier, posted January 3

We have a clean Eset Protect v10 installed on Ubuntu. The same server also contains the MDM installation. The whole installation was generally without problems. All installed, all activated.

For Eset Protect Console I have a certificate from Let's Encrypt (certbot) which is automatically renewed every 2 or 3 months, and through a post-hook I copy the needed files to the tomcat9 folder and restart the service so the new certificate is used.

I used the openssl command to create a PFX file from the PEM files that Let's Encrypt generated (found it on the forums here) and used that while installing MDM. All went well, and when accessing <mdm serverhostname>:9980 the certificate is working well. In my Protect console there is an error about the certificate chain, however. I did some more reading and the conclusion is that the CA part is missing from the generated certificates.

This leaves me with 3 questions:

1) I can get the needed root certificate from Chain of Trust - Let's Encrypt (letsencrypt.org). Do I need the self-signed ISRG root X1 certificate or the cross-signed ISRG root X1 certificate?

2) I assume the PEM version is the logical choice as the generated certificates are also PEM files. Can I just add another "-in <cacert.pem>" in my openssl command to add the CA certificate into the resulting PFX file? Or do I need to concatenate the PEM files?

3) How do I inject the auto-renewed certificate into MDM? I know normally it is done with an MDM policy, but as these are short-lived certificates I need to automate it. I already searched through the install script to see if there was a command to inject the certificates and it seems to be linked to "multiagentcertificate", but I don't have enough Linux/bash knowledge to find out if it is possible to create a script to do this. I also found compiled scripts "customaction.sh" and looked at the help, but again, I am not sure if this can be utilized to fulfill my needs.

Is there a way to automate https script injection from the shell?

Patrick van Lier (Author), posted March 6

Still no one who got LE certificates renewal working with Protect/MDM?
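
Added example, not from the original post and not ESET's own tooling: a shell version of the PEM-to-PFX step described in the first post, using openssl's `-certfile` option to place the intermediate chain in the bundle and then counting the certificates it contains. It assumes certbot's standard lineage file names (cert.pem, chain.pem, privkey.pem) and a hypothetical PFX_PASS environment variable holding the export password; loading the result into MDM is not covered.

```shell
#!/bin/sh
# Added example: build a PKCS#12 (PFX) bundle from a certbot lineage directory
# and confirm that the intermediate chain went into it.
# Assumptions: certbot's standard file names (cert.pem, chain.pem, privkey.pem);
# the export password is read from the exported variable PFX_PASS (hypothetical
# name) so that it never appears on the command line or in the process list.

# build_pfx LINEAGE_DIR OUT_FILE
build_pfx() {
    lineage=$1
    out=$2
    for f in cert.pem chain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    # The bundle holds the private key: create it owner-only, and write to a
    # temporary name so a failed export never replaces a working bundle.
    (
        umask 077
        openssl pkcs12 -export \
            -in "$lineage/cert.pem" \
            -inkey "$lineage/privkey.pem" \
            -certfile "$lineage/chain.pem" \
            -passout env:PFX_PASS \
            -out "$out.tmp"
    ) || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"
}

# pfx_cert_count PFX_FILE: prints the number of certificates in the bundle.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# pfx_has_chain PFX_FILE: succeeds only if the bundle carries more than the leaf.
pfx_has_chain() {
    [ "$(pfx_cert_count "$1")" -ge 2 ]
}
```

A renewal hook could call `build_pfx` on the lineage directory and refuse to deploy the bundle when `pfx_has_chain` fails.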