Hello. I use https://github.com/acmephp/core according to the scheme https://acmephp.github.io/documentation/core/get-started.html, with the address https://acme-v02.api.letsencrypt.org. I have no problems getting certificates for my domains, but a question arose about updating/renewing them. I do not know how the process of creating a certificate differs from updating it. Do I need to log in to update my account or can I register an account each time (and I don’t need to block my account when registering multiple accounts to the same email address)?
Site information from: https://acmephp.github.io/documentation/
GETTING STARTED
INSTALLATION
Create a secure HTTP client
Generate a key pair if needed
Set up the ACME client
Create new account
Request authorization
Generate CSR and private key
Request certificate
OBTAIN A CERTIFICATE
Create a configuration file
Get your certificate
CONFIGURE YOUR WEBSERVER
Mozilla SSL Configuration Generator
Apache 2.2.32
Apache 2.4.18
nginx 1.9.5
lighttpd 1.4.37
haproxy 1.5.14
SETUP AUTOMATIC RENEWAL
Create the CRON
Configure monitoring
GUIDES
Multi-domain certificates
Prove you own a domain using DNS
ACME PROTOCOL IMPLEMENTATION
Introduction
Get started
From the page choices shown on the site (documentation may be incomplete or the coding you seek may not yet be available), I think you might find an answer at or clue to code what you need: https://acmephp.github.io/documentation/getting-started/4-automatic-renewal.html
If all fails, try asking the maintainer your specific question or requirement.
Although I’m not sure it has any active maintainer… their Twitter has been quiet since last November.
Last changelog entry is from January.
I pointed out the https://github.com/acmephp/core package in order to show what I use when receiving the certificate. I do not ask you to give me an update code, I am interested in what principle the certificate is being redeemed, what steps need to be done for this. If possible, show what steps are taken when receiving a certificate (both after creating an account and when it is available) and when updating it.
I read this standard, because I haven’t found the answer to my question anywhere, no one can directly answer how to correctly renew the certificate, everyone updates it differently and the vast majority use ready-made packages like certbot. This standard describes the methods that should return something to requests. I met only in one place a mention that updating a certificate is a matter of a minute, but it does not say further how to update it.
It indicates what commands you need to enter to get the result. I'm interested in what steps need to be taken. When you drive home by your car, you take specific steps: go to the car, open the door, climb inside, close the door and so on. But you can also ask someone else to bring you home, and then some of the steps do not need to be taken. If we draw an analogy with our situation, then the first case when you implement something yourself, let's write an algorithm to obtain a certificate, and the second option when you entrust this to a ready-made package. I am interested in the first option and I can’t find an answer to it.
I do understand; but as I said earlier “I don’t code…”
I’m simply trying to point you in the best direction (at this hour) - but that all seems less than sufficient.
So, we’ll just have to wait until more people in the US wake up and read this topic/thread.
I’m sure there is a good answer to your question… I just don’t know it, nor where to find it (right now)
But I do know at least two people that can give precise answers: @jsha @schoen
[just wait a couple of hours]
This is not a closed (PM) conversation.
He was tagged and will be notified with link to post.
Let me tag you here so you can see that you get a counter increase in upper right side @boxfamin
And can come to this post from it.
Confirm control of any identifiers requested in the certificate.
Complete the order by submitting a CSR
Wait for issuance and download the issued certificate
"
Page 22: “The following table illustrates a typical query sequence
it is required to create a new account on the server, to prove control over
identifier, issue a certificate and receive an updated certificate
some time after issue. "->" is a mnemonic for a location
header field indicating the resource created. "
It does not say how to update.
In the acmephp package that I mentioned above, all requests are made through new-account.
I got the impression that in order to renew the certificate, you need to re-register the email and re-request the certificate.
Tell me, where am I mistaken?
I know this in one of the posts on this site there was already such an answer.
I looked through a lot of messages before registering on this site.
But again, no one will directly answer how to correctly renew the certificate? The fact that a completely different file is created is all clear.
I will ask the question directly.
If I register the same email address every time and then order certificates for different domains (this way I will create / renew / renew the certificate), is this algorithm premium and I will not have problems with the account in the future?
I would not want to be blocked after multiple registration of the same email.
Typically, you only register a new account once on a given system (not one per order/certificate). The email address(es) associated with that order can be changed at any time, but your PHP library would have to support that operation.
The account can be used to create many different “orders” (certificates) within the published rate limits. The ACME protocol doesn’t really have a concept of a certificate “renewal” or “update”. When a previous certificate gets close to expiring (typically within ~30 days of the expiration), clients just create a new order for a new certificate with the same parameters as the previous one. The client answers the authorization challenges and deploys the certificate the same way it did for the first one. Rinse and repeat forever (hypothetically).
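The renewal logic described in the answer above, as an added example that is not part of the original thread or of acmephp: a scheduled job keeps one account key, checks how long the current certificate has left, and only then starts a new order. The file paths, the 30-day window, the function names and the self-signed sample certificate are assumptions for illustration; the ACME requests themselves are left to whatever client library is in use.

```sh
#!/bin/sh
# Added example. Paths, the 30-day window and the sample cert are assumptions.
RENEW_WINDOW_DAYS=30

# Create the ACME account key once; every later run reuses it, so all orders
# come from one registered account instead of a new registration each time.
ensure_account_key() {  # $1 = account key path; prints "created" or "reuse"
    if [ -s "$1" ]; then echo "reuse"; return 0; fi
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null ) || return 1
    echo "created"
}

# Returns 0 when a new order is needed, 1 when the certificate is still good.
needs_new_order() {  # $1 = certificate path (PEM)
    [ -s "$1" ] || return 0   # no certificate yet: first issuance
    # -checkend N exits 0 only if the cert is still valid N seconds from now;
    # an unreadable file also exits non-zero and is treated as "order again".
    if openssl x509 -in "$1" -noout \
        -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints what the scheduled job would do next.
next_action() {  # $1 = account key path, $2 = certificate path
    if needs_new_order "$2"; then
        state=$(ensure_account_key "$1") || return 1
        echo "account key: $state; create new order, answer challenges, submit CSR, download"
    else
        echo "valid for more than $RENEW_WINDOW_DAYS days; nothing to do"
    fi
}

# Constructed sample: a self-signed cert stands in for an issued one.
make_sample_cert() {  # $1 = output path, $2 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$1" -days "$2" -subj "/CN=example.test" 2>/dev/null
}

# Demo in a scratch directory.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/cert.pem" 10
next_action "$demo_dir/account.pem" "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```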