Acmephp/core renew cert

Hello. I use https://github.com/acmephp/core, following the scheme at https://acmephp.github.io/documentation/core/get-started.html, with the address https://acme-v02.api.letsencrypt.org. I have no problems getting certificates for my domains, but the question arose about updating/renewing them. I do not know how the process of creating a certificate differs from updating it. Do I need to log in to update my account or can I register an account each time (and I don’t need to block my account when registering multiple accounts to the same email address)?

There are no methods like newAuthz in this package https://github.com/acmephp/core. There is only

newAccount
newOrder
newNonce
revokeCert

Site information from: https://acmephp.github.io/documentation/

GETTING STARTED

  1. INSTALLATION
    Create a secure HTTP client
    Generate a key pair if needed
    Set up the ACME client
    Create new account
    Request authorization
    Generate CSR and private key
    Request certificate

  2. OBTAIN A CERTIFICATE
    Create a configuration file
    Get your certificate

  3. CONFIGURE YOUR WEBSERVER
    Mozilla SSL Configuration Generator
    Apache 2.2.32
    Apache 2.4.18
    nginx 1.9.5
    lighttpd 1.4.37
    haproxy 1.5.14

  4. SETUP AUTOMATIC RENEWAL
    Create the CRON
    Configure monitoring

GUIDES
Multi-domain certificates
Prove you own a domain using DNS

ACME PROTOCOL IMPLEMENTATION
Introduction
Get started

From the page choices shown on the site (documentation may be incomplete or the coding you seek may not yet be available), I think you might find an answer, or a clue to code what you need, at:
https://acmephp.github.io/documentation/getting-started/4-automatic-renewal.html
If all fails, try asking the maintainer your specific question or requirement.
Although I’m not sure it has any active maintainer… their Twitter has been quiet since last November.
Last changelog entry is from January.

1 Like

This is a question

This documentation shows how to install the ready-made acme.phar package via cron. I do not use it, I use the methods from the https://github.com/acmephp/core package. And I can create a certificate. My question is only in updating it. What is the scheme for renewing a certificate?

I pointed out the https://github.com/acmephp/core package in order to show what I use when receiving the certificate. I do not ask you to give me an update code, I am interested in what principle the certificate is being redeemed, what steps need to be done for this. If possible, show what steps are taken when receiving a certificate (both after creating an account and when it is available) and when updating it.

I don’t code…
But ACME is an open standard.
Perhaps start with the RFC: https://tools.ietf.org/html/rfc8555
Or you might do well by cutting your losses and moving to a well maintained/documented client (like: https://github.com/Neilpang/acme.sh)

The specific client you mention wasn’t written by LE nor (probably) managed by anyone on this “community” forum.

1 Like

I read this standard, because I haven’t found the answer to my question anywhere, no one can directly answer how to correctly renew the certificate, everyone updates it differently and the vast majority use ready-made packages like certbot. This standard describes the methods that should return something to requests. I met only in one place a mention that updating a certificate is a matter of a minute, but it does not say further how to update it.

It indicates what commands you need to enter to get the result. I’m interested in what steps need to be taken. When you drive home by your car, you take specific steps: go to the car, open the door, climb inside, close the door and so on. But you can also ask someone else to bring you home, and then some of the steps do not need to be taken. If we draw an analogy with our situation, then the first case when you implement something yourself, let’s write an algorithm to obtain a certificate, and the second option when you entrust this to a ready-made package. I am interested in the first option and I can’t find an answer to it.

I do understand; but as I said earlier “I don’t code…”
I’m simply trying to point you in the best direction (at this hour) - but that all seems less than sufficient.

So, we’ll just have to wait until more people in the US wake up and read this topic/thread.
I’m sure there is a good answer to your question… I just don’t know it, nor where to find it (right now) :frowning:
But I do know at least two people that can give precise answers: @jsha @schoen
[just wait a couple of hours]

1 Like

Ok, thanks for the answers and help.

1 Like

Maybe even a fellow programmer and community member may shed some light or provide some “tips”
@rmbolger

How can I invite him to the current conversation?

This is not a closed (PM) conversation.
He was tagged and will be notified with link to post.
Let me tag you here so you can see that you get a counter increase in upper right side @boxfamin
And can come to this post from it.

1 Like

Ok, thank you I will wait

Hi @boxfamin

please read the RFC 8555

https://tools.ietf.org/html/rfc8555

@rg305 has already shared.

There is the complete answer to your question.

PS: Your understanding of "account" is wrong.

I already read this. Here are some references:

Page 8:

  1. Apply for a certificate
  2. Confirm control of any identifiers requested in the certificate.
  3. Complete the order by submitting a CSR
  4. Wait for issuance and download the issued certificate

Page 22: “The following table illustrates a typical query sequence required to create a new account on the server, to prove control over an identifier, issue a certificate and receive an updated certificate some time after issue. "->" is a mnemonic for a location header field indicating the resource created.”

It does not say how to update.
In the acmephp package that I mentioned above, all requests are made through new-account.
I got the impression that in order to renew the certificate, you need to re-register the email and re-request the certificate.
Tell me, where am I mistaken?

There is no concept of renewing a certificate; it’s just getting a new cert for the same name(s).

2 Likes

I know this; in one of the posts on this site there was already such an answer.
I looked through a lot of messages before registering on this site.
But again, no one will directly answer how to correctly renew the certificate? The fact that a completely different file is created is all clear.

I will ask the question directly.
If I register the same email address every time and then order certificates for different domains (this way I will create / renew / renew the certificate), is this algorithm premium and I will not have problems with the account in the future?
I would not want to be blocked after multiple registration of the same email.

That answers your question. And as written: Your idea of an account is completely wrong. There is no session, no login.

Read the RFC how a new account is created and used.

Typically, you only register a new account once on a given system (not one per order/certificate). The email address(es) associated with that order can be changed at any time, but your PHP library would have to support that operation.

The account can be used to create many different “orders” (certificates) within the published rate limits. The ACME protocol doesn’t really have a concept of a certificate “renewal” or “update”. When a previous certificate gets close to expiring (typically within ~30 days of the expiration), clients just create a new order for a new certificate with the same parameters as the previous one. The client answers the authorization challenges and deploys the certificate the same way it did for the first one. Rinse and repeat forever (hypothetically).

4 Likes
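The flow described in the answer above, as an added example that is not part of the original thread and is not acmephp/core code: one account registered once, then the same order steps for the first certificate and for every later "renewal". `FakeCA` is a constructed in-memory stand-in for an ACME server, and the function names, the account key string and the 90-day lifetime are assumptions.

```python
from datetime import timedelta

RENEW_WINDOW = timedelta(days=30)    # "~30 days before expiration", as in the answer
CERT_LIFETIME = timedelta(days=90)   # assumption: lifetime of the issued certificate

class FakeCA:
    """Constructed stand-in for an ACME server; it keeps state in memory only."""
    def __init__(self):
        self.accounts = {}   # account key -> account URL
        self.orders = []     # one record per newOrder request

    def new_account(self, key, email):
        # A key the CA already knows maps to the existing account, not a new one.
        return self.accounts.setdefault(key, f"/acct/{len(self.accounts) + 1}")

    def new_order(self, acct, domains):
        if acct not in self.accounts.values():
            raise PermissionError("unknown account")
        order = {"acct": acct, "domains": list(domains),
                 "status": "pending", "pending_authz": set(domains)}
        self.orders.append(order)
        return order

    def answer_challenge(self, order, domain):
        order["pending_authz"].discard(domain)
        if not order["pending_authz"]:
            order["status"] = "ready"

    def finalize(self, order, csr, now):
        if order["status"] != "ready":
            raise RuntimeError("authorizations not complete")
        order["status"] = "valid"
        return {"domains": tuple(order["domains"]), "not_after": now + CERT_LIFETIME}

def obtain(ca, acct, domains, now):
    """Steps 1-4 of RFC 8555; identical for a first certificate and a renewal."""
    order = ca.new_order(acct, domains)                     # 1. apply for a certificate
    for domain in order["domains"]:                         # 2. prove control of each name
        ca.answer_challenge(order, domain)
    return ca.finalize(order, f"CSR for {domains}", now)    # 3. submit CSR, 4. download

def renew_if_due(ca, acct, cert, now):
    """Keep the current certificate until it is inside the renewal window."""
    if cert["not_after"] - now > RENEW_WINDOW:
        return cert
    return obtain(ca, acct, cert["domains"], now)           # same account, new order
```

A real client persists the account key between runs, so `new_account` is not needed again before each order.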

And before ordering what do they do? What actions?