Automating LE certificate renewal for use with DANE


#1

Hi all,

I am trying to use LE to generate certificates for my Postfix SMTP server. First I did it the normal way, fully automated via Certbot, and everything went fine. Now, however, I’d like to add DANE to the mix, using a fixed private key and only renewing the certificate, and this is where problems begin.

I’ve read the tutorial on ISOC’s website, and also several other threads. I could successfully generate the CSR:

openssl req -new -nodes -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:mail.example.com")) -subj '/CN=mail.example.com' -out csr.der -keyout privkey.pem -newkey rsa:2048 -outform DER

and get the certificate:

/opt/certbot/certbot-auto certonly --apache --csr ./csr.der -m postmaster@example.com

This leaves me with three files: 0000_cert.pem, 0000_chain.pem and 0001_chain.pem, of which the last one is the fullchain except the root, and works fine once added into my Postfix; I know I’d need to add the root cert manually to the chain if I wanted to use a TLSA 2 1 1 record, but I’d be happy with just the TLSA 3 1 1 instead.

Also, these files are stored outside of the /etc/letsencrypt path - they are created in the current dir - and, when I run certbot-auto renew to try the renewal of all my certificates, they get ignored (it’d be nice if they could be automatically checked as well).

So I’m trying other ways to automate the renewal of this certificate, which, according to the tutorial, should happen with this command:

“letsencrypt-auto certonly -t --debug --renew -a standalone --csr ./mx.go6lab.si.der --keep”

Clearly the syntax is old, and “--renew” does not exist any more. If I try “certbot-auto renew”, it says that --csr can only be used with certonly. If I do certonly, then what I get are three new files, 0001_cert.pem, 0002_chain.pem and 0003_chain.pem. And if I try a further renewal, then I get 0002_cert.pem, 0004_chain.pem and 0005_chain.pem (very messy naming as the same number belongs to different generations of certificates).

However, my Postfix main.cf can only point to a specific file, so for automating the process I’d need Certbot to overwrite the old files rather than create new ones. Is this possible, without resorting to wrap-up scripts etc? I couldn’t find a way.

Also, Certbot seems to generate new certificates at every run of the command, disregarding the fact that the old cert is not about to expire yet. How can I make sure that it checks the expiry date, behaving as it does in the automatic renewal of HTTPS certificates?

Finally, as my server also hosts several websites and I have a somewhat messy structure of Apache vhost files, Certbot can’t find the correct file for the challenge on its own and resorts to interactively asking me which one to use, which makes it impossible to automate. This wouldn’t be an issue if you could specify it on the command line, but apparently ( https://certbot.eff.org/docs/using.html#certbot-command-line-options ) there is no option available for that. Why? That would be a very handy option whenever Certbot fails to find it on its own.

Thanks in advance for any help!
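Added example (not part of the original post, and not Certbot's own tooling): shell helpers covering the post's questions: an expiry check before renewing, installing the new chain at a fixed path, and confirming that the renewed certificate still matches the TLSA 3 1 1 digest of the fixed key. The function names, the `/etc/postfix/mail-chain.pem` path and the scratch-directory flow are assumptions.

```shell
#!/bin/sh
# Added example. Paths and file names below are assumptions, not Certbot defaults.

# Hex SHA-256 of a DER SubjectPublicKeyInfo: the data field of a "3 1 1" record.
# Reads a PEM public key on stdin.
spki_sha256() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
tlsa_from_key()  { openssl pkey -in "$1" -pubout | spki_sha256; }
# For a chain file, openssl x509 reads the first certificate (the leaf).
tlsa_from_cert() { openssl x509 -in "$1" -noout -pubkey | spki_sha256; }

# Zone-file line for SMTP on port 25; it only changes when the key changes.
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_from_key "$2")"
}

# Succeeds when cert $1 is missing or expires within $2 days (default 30).
needs_renewal() {
    [ -s "$1" ] || return 0
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Copy new cert/chain $1 over fixed path $3, but only if its leaf key matches
# private key $2, so the published TLSA 3 1 1 record keeps validating.
install_renewed() {
    new=$1 key=$2 dest=$3
    want=$(tlsa_from_key "$key")
    if [ -z "$want" ] || [ "$(tlsa_from_cert "$new")" != "$want" ]; then
        echo "refusing $new: public key differs from $key" >&2
        return 1
    fi
    tmp="$dest.tmp.$$"
    cp "$new" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"  # atomic swap
}

# Intended flow (run from an empty scratch directory):
#   needs_renewal /etc/postfix/mail-chain.pem 30 || exit 0
#   ... run the page's "certonly --csr ./csr.der" command here ...
#   install_renewed 0001_chain.pem privkey.pem /etc/postfix/mail-chain.pem \
#       && postfix reload
```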

