Account Management in Certbot


#1

I have a nodeJS service which uses Certbot to generate (wildcard) certificate on the request.
Service might get multiple requests to generate certificates for different domains.
But certbot only allows one instance to run at a time, as it puts a .lock file on all 3 directories, namely Work, Config and Log.

I tried some things and the following are the approaches taken by me. I’d like the experts to guide me which is better or if there is some other alternative I should try.

Approach 1:

I create a new directory with the domain name.
For e.g. I want to get certificate for *.testing.tld.com. I create testing.tld.com
Then I pass --config-dir /path/to/testing.tld.com/config, --work-dir /path/to/testing.tld.com, --logs-dir /path/to/testing.tld.com/log.
It works, but then it creates a new Let’s Encrypt account for every request. I see different directory name in /config/accounts/acme-v02.api.letsencrypt.org/directory/{new_directory}.
Also, the regr.json has a different value for account id (acc_id) in
"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/{acc_id}"

Q. Is it okay to create a new account for every request?

Approach 2:

Feeling like doing something wrong for creating a new account every time,
now I create a new directory with the domain name.
For e.g. I want to get certificate for *.testing.tld.com. I create testing.tld.com
Then copy the config folder inside, which has accounts/acme-v02.api.letsencrypt.org/directory/{hexID} and all the contents within, i.e. meta.json, private_key.json and regr.json.
In this case, I believe I am using the same account always.

Q. Is this better?
Q. Is there a way to get which all certificates have been generated from this account?

I don’t think there is a direct relationship stored/maintained for the certificates generated from an account.
When I generated a certificate by this approach 2 and then tried again with the same domain, but different --config-dir, --work-dir, --logs-dir, it created a new certificate without any warning about the certificate already existing or not yet being due for renewal.


#2

I would imagine that using a Node.js ACME library rather than calling Certbot is the most correct solution.

With your approach #2, why don’t you save your generated directory permanently? So,

  1. Request comes in for *.testing.example.com
  2. mkdir /var/lib/acme/testing.example.com
  3. cp -r /etc/letsencrypt/accounts /var/lib/acme/testing.example.com/
  4. certbot certonly --config-dir /var/lib/acme/testing.example.com ...
  5. Keep directory intact after the certificate is issued
  6. At any time, you can run certbot renew --config-dir /var/lib/acme/testing.example.com ... and it will use the same ACME account and know whether it needs to renew the certificate or not.

Essentially, to introduce the concept of persistence in your local environment, rather than relying on Let’s Encrypt to tell you whether a certificate needs to be renewed or not.

https://letsencrypt.org/docs/integration-guide/#one-account-or-many - it’s okay to make a new account for every customer, but not for every certificate and renewal.

No, there isn’t (yet).
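The six-step procedure from #2 as a small shell script (an added example, not code from the thread or from Certbot): every domain gets its own config/work/log directories, so Certbot's per-directory locks no longer collide between concurrent requests, while the shared account is copied in only once and the directories are kept so that `certbot renew` finds the existing lineage. `ACME_ROOT`, `SOURCE_ACCOUNTS` and `CERTBOT` are assumed placeholders the reader sets.

```shell
#!/bin/sh
# Added example: per-domain Certbot directories that reuse one ACME account.
# ACME_ROOT, SOURCE_ACCOUNTS and CERTBOT are assumed placeholders (override via env).
set -eu

ACME_ROOT="${ACME_ROOT:-/var/lib/acme}"                          # per-domain dirs live here
SOURCE_ACCOUNTS="${SOURCE_ACCOUNTS:-/etc/letsencrypt/accounts}"  # the one account to reuse
CERTBOT="${CERTBOT:-certbot}"                                     # set to "true" for a dry run

# Map "*.testing.example.com" to its directory "$ACME_ROOT/testing.example.com".
domain_dir() {
    name="${1#\*.}"
    printf '%s/%s\n' "$ACME_ROOT" "$name"
}

# Create config/work/log once and seed config/accounts with the shared account.
# An existing accounts/ tree is never overwritten, so later runs keep the same
# account and Certbot's own renewal state (step 5: keep the directory intact).
prepare_domain_dir() {
    dir="$(domain_dir "$1")"
    mkdir -p "$dir/config" "$dir/work" "$dir/log"
    if [ ! -d "$dir/config/accounts" ]; then
        cp -R "$SOURCE_ACCOUNTS" "$dir/config/accounts"
    fi
    printf '%s\n' "$dir"
}

# The three directory flags Certbot needs for this domain's isolated tree.
certbot_dirs() {
    dir="$(domain_dir "$1")"
    printf -- '--config-dir %s/config --work-dir %s/work --logs-dir %s/log\n' \
        "$dir" "$dir" "$dir"
}

# Step 4: first issuance. Extra arguments (e.g. the DNS plugin flags) pass through.
issue_cert() {
    domain="$1"; shift
    dir="$(prepare_domain_dir "$domain")"
    "$CERTBOT" certonly --non-interactive --agree-tos \
        --config-dir "$dir/config" --work-dir "$dir/work" --logs-dir "$dir/log" \
        -d "$domain" "$@"
}

# Step 6: renewal in the same tree, so Certbot decides itself whether it is due.
renew_cert() {
    dir="$(domain_dir "$1")"
    "$CERTBOT" renew \
        --config-dir "$dir/config" --work-dir "$dir/work" --logs-dir "$dir/log"
}
```

Because the lock files live under each domain's own directories, two requests for different domains can run `issue_cert` at the same time; a second request for the same domain should still be serialised by the calling service.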


#3

If the OP just wants the domains encrypted, there are a handful of web servers and proxies that can do this.

Off the top of my head:

I’ve seen at least a dozen projects that integrate this at the server level though.

If the OP wants to keep/track the autogenerated certs, there are some other projects too - or one can use a library to write a custom service.

I wrote a custom service / certificate manager for our needs; certificate management is handled by Python and auto-loaded into Redis and OpenResty/Nginx as needed.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.