Allow requesting certificate without specifying authentication/validation plugin

faab-prolo · August 28, 2024, 4:22pm

Hi,

For a customer we have recently adopted certbot to automatically request (via scripting) and renew certificates through the ACME of their certificate provider. They use Organisation Validation where domains are manually validated in the Certificate Manager once a year through DNS/CNAME. Consequently, no validation needs to be performed when a certificate is requested for a validated domain.

Knowing no validation is required, during testing, I tried to request a certificate (certonly, no installer plugin) without specifying an authentication plugin in the command line. It then prompted me to select one anyway. When I tried to do the same with the -n flag, the command failed alltogether saying I hadn't specified an authentication plugin and that it required one. When I specified an authenticator anyway (in this case --webroot), everything worked fine and it didn't perform any validation whatsoever.

My feature request therefore is a very very minor one. While you can definitely obtain a certificate without having to perform any validation, it would be a very tiny "nice-to-have" to not have to specify an authentication plugin at all, to make automated processes a little more easier to read, and to reduce bloat in both the commands executed, and the resulting renewal configurations.

Osiris · August 28, 2024, 4:34pm

The Feature Requests is for feature requests with regard to Let's Encrypt.

While the ACME client Certbot was once developed by Let's Encrypt, it has been transfered to the EFF years ago.

I have doubts your nice application (relative to the usual Certbot user that is) will be relevant enough to Certbot (especially since you can simply use the webroot plugin with the webroot pointed at any random location as a perfectly fine workaround), best bet is to open a feature request on the Certbot Github repository at Issues · certbot/certbot · GitHub.

webprofusion · August 29, 2024, 1:23am

You can just tell it to use HTTP validation(e.g. webroot), the CA will then return an order that either doesn't need validated or where all the authorizations have already been completed and the validation will be skipped.

faab-prolo · August 29, 2024, 10:50am

Hi Osiris,

Thanks for clarifying! I thought I was in the right place here. My bad! I'll direct it elsewhere

system · September 28, 2024, 10:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get certbot to just download? Help	5	1233	March 3, 2021
Certbot renewal for certonly --manual certs Help	4	5627	September 28, 2016
Certificate mismatch after renewal using webroot Help	3	1161	July 3, 2018
Create manually just a cert without need of .well-known/acme-challenge/ Help	3	4008	December 13, 2019
Wildcard certicate poorly supported Feature Requests	28	1285	February 26, 2023

Allow requesting certificate without specifying authentication/validation plugin

Related topics