A question about setting up a certificate reissue

Andrei9385 · August 24, 2020, 8:25am

Hello. I have this tutorial: https://github.com/gitpel/letsencrypt-routeros

This code: certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok

Make new certificate for me.

This code: ./opt/letsencrypt-routeros/letsencrypt-routeros.sh

Makes import into Mikrotik.

Everything works perfectly.

How to set up the scheduler correctly?

I can make scheduler with this code:

certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh

Like every 89 days and my certificate will be generated new,
but is this true? Or should I update it? If yes, I have the following questions.

What difference does it make if I create a new one or update an existing one?
If I update, what will the task look like in the scheduler? Like this ?

*/12 * * * cd /root/certbot/ && ./certbot-auto renew --post-hook /opt/letsencrypt-routeros/let

Do I understand correctly that the certbot-auto renew command renews the certificate when it is more than 60 days old?

For example, I issued a certificate and now every 12 hours, will it execute my command and if the certificate is older than 60 days, will it be renewed?

_az · August 24, 2020, 8:28am

Looking at how this is written, it does not support automatic renewal. The required TXT record will be different at every renewal, and will require human intervention.

You need to add a --manual-auth-hook if you want this to be automatic.

Follow the advice for "Set up automatic renewal" on https://certbot.eff.org/lets-encrypt/pip-other. It provides the right schedule and command for cron.

9peppe · August 24, 2020, 8:31am

No, because --manual means you'll have to login on your dns provider and add some txt records. Check if they have an API you can use.

Pretty much none.

yes

yes, if the command is appropriate it won't renew every 12 hours. Also, the flags get saved, you only need

* */12 * * * cd /root/certbot/ && ./certbot-auto renew -q

(you should add some random delay, at the very least roll some dice and put a fixed minute value, not every minute for an hour, twice a day :D)

Andrei9385 · August 24, 2020, 8:56am

Thank you very much guys.

What would a planner command look like?

*/12 * * * cd /root/certbot/ && ./certbot-auto renew -q --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh

It is correct ?

9peppe · August 24, 2020, 9:25am

It works, but it can be better:

52 0,12 * * * cd /root/certbot/ && ./certbot-auto renew -q

The --post-hook value is saved in /etc/letsencrypt/renewal, no need to add it every time.

52 is random enough, but you can change it:

% rolldice 1d60
52 
% rolldice 1d60
46 
% rolldice 1d60
9 
% rolldice 1d60
42 
% rolldice 1d60
56

Andrei9385 · August 24, 2020, 9:29am

Thank you, but i don’t understand, how i can add /opt/letsencrypt-routeros/letsencrypt-routeros.sh to scheduler with this cron.

52 0,12 * * * cd /root/certbot/ && ./certbot-auto renew -q && /opt/letsencrypt-routeros/letsencrypt-routeros.sh

it’s correct?

9peppe · August 24, 2020, 9:30am

You don’t need to, because once you add that option once at issue time, or at a manual renewal, certbot will remember it.

If you put it in the crontab that hook will apply to every certificate, not only to that one that needs it.

Andrei9385 · August 24, 2020, 9:48am

Sorry, I cannot fully understand.

I ran this code once( Ubuntu 20.04 ): certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh

If I understand correctly: This code: certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook

Make new certificate.

This code: /opt/letsencrypt-routeros/letsencrypt-routeros.sh

Put in my mikrotik.

Now after renewing the certificate, I do not need to copy it to the router, since is it still the same certificate? With the same thumbprint?

For test, i can make force renewal, right ?

9peppe · August 24, 2020, 10:00am

You still need to put it in your router, but certbot remembers that you ran the script once, and it runs it again without being told. (You should use --deploy-hook for that, not --post-hook)

It's unadvisable, you should use --dry-run, or you can just make certbot install the cert with certbot install --cert-name $CERT_NAME --deploy-hook /path/to/your/script.sh

Andrei9385 · August 24, 2020, 10:28am

Still do not understand. More details?

We issued a new certificate, right?

This code: certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook

Or this: certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok

Then we send it to the router: --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh

Or /opt/letsencrypt-routeros/letsencrypt-routeros.sh (https://pastebin.com/1mMVeErN)

I don’t understand what --post-hook is and what it refers to

I don’t understand further.

I already have a certificate after running this command:

certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook

Right ?

Then I only have to update it, right? With command in scheduler: 52 0,12 * * * cd /root/certbot/ && ./certbot-auto renew -q

Right ?

After this command, the certificate is updated and I have to copy it to the router, right?

/opt/letsencrypt-routeros/letsencrypt-routeros.sh
This script copies it, right ?

I don’t understand how I can correctly make a ready-made command for the scheduler so that I would never do anything else manually?

9peppe · August 24, 2020, 11:56am

https://certbot.eff.org/docs/using.html


  --pre-hook PRE_HOOK   Command to be run in a shell before obtaining any
                        certificates. Intended primarily for renewal, where it
                        can be used to temporarily shut down a webserver that
                        might conflict with the standalone plugin. This will
                        only be called if a certificate is actually to be
                        obtained/renewed. When renewing several certificates
                        that have identical pre-hooks, only the first will be
                        executed. (default: None)
  --post-hook POST_HOOK
                        Command to be run in a shell after attempting to
                        obtain/renew certificates. Can be used to deploy
                        renewed certificates, or to restart any servers that
                        were stopped by --pre-hook. This is only run if an
                        attempt was made to obtain/renew a certificate. If
                        multiple renewed certificates have identical post-
                        hooks, only one will be run. (default: None)
  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com" (default: None)

system · September 23, 2020, 11:56am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.