I have a Node.js service which uses Certbot to generate (wildcard) certificates on request.
The service might get multiple requests to generate certificates for different domains.
But certbot only allows one instance to run at a time, as it puts a .lock file on all 3 directories, namely the work, config and log directories.
I tried a few things and the following are the approaches taken by me. I'd like the experts to guide me on which is better, or if there is some other alternative I should try.
Approach 1:
I create a new directory with the domain name.
For e.g. I want to get a certificate for *.testing.tld.com. I create testing.tld.com
Then I pass --config-dir /path/to/testing.tld.com/config, --work-dir /path/to/testing.tld.com, --logs-dir /path/to/testing.tld.com/log.
It works, but then it creates a new Let's Encrypt account for every request. I see a different directory name in /config/accounts/acme-v02.api.letsencrypt.org/directory/{new_directory}.
Also, the regr.json has a different value for the account id (acc_id) in
"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/{acc_id}"
Q. Is it okay to create a new account for every request?
Approach 2:
Feeling like I am doing something wrong by creating a new account every time,
now I create a new directory with the domain name.
For e.g. I want to get a certificate for *.testing.tld.com. I create testing.tld.com
Then I copy the config folder inside, which has accounts/acme-v02.api.letsencrypt.org/directory/{hexID} and all the contents within, i.e. meta.json, private_key.json and regr.json
In this case, I believe I am using the same account always.
Q. Is this better?
Q. Is there a way to get which all certificates have been generated from this account?
I don't think there is a direct relationship stored/maintained for the certificates generated from an account.
When I generated a certificate by this approach 2 and then tried again with the same domain, but a different --config-dir, --work-dir, --logs-dir, it created a new certificate without any warning that the certificate already exists or is not yet due for renewal.