Bash Script for Renewing Certificate Files?

When first creating and installing the certificates using “certbot-auto” I ran into the problem of

“You will need to install OS dependencies, configure virtualenv, and run pip install manually. … “

I really did not want to get into the hassle of installing new packages, so I went looking for an alternative and found “https://gethttpsforfree.com”, which let me enter my data and then generated the certificate files for me. I next configured everything manually using the generated files and, although it took some serious time, everything is now working the way it should.

Next came setting up for the renewal process and, you guessed it, I am back to the “You need to …” mode for “certbot-auto”. I then tried “letsencrypt-auto” for renewal and was greeted with the same fun message. I next tried the bash script “getssl”, thinking that if I specified the names and paths to the certificate files in “getssl.cfg” it would check and update them when required if I ran “getssl -a”. No such luck. It wanted to generate its own new certificate files first.

Does anybody know of a simple bash script that will allow me to check the file expiration dates and update them if needed after I modify it to reflect my file names and paths? I do not need it to generate new files, only update the files I have.

Alternatively, is there a URL that shows you how to do a renewal manually, step by step, that I can use to build my own bash script that would automate the process?

Well, after wasting a lot more time I finally decided to bite the bullet and install virtualenv and pip, but I am still getting:

“Sorry, I don’t know how to bootstrap Certbot on your operating system!

You will need to install OS dependencies, configure virtualenv, and run pip install manually.”

I suspect this is because there is still some sort of special configuration that needs to be done for virtualenv and perhaps pip as well. At this point I am thinking of throwing in the towel and saying the heck with it. There is a good chance I could eventually figure it out, but I also suspect that I will never remember all the twists and turns I had to take to get there even with copious notes. That in turn will mean I will have to spend more time on the next rebuild to at least partially reinvent the wheel. I am not sure it is worth it.

Begin Rant

I am also not sure why any group that wants to encourage the use of certificates would design an installation and renewal script that requires particular flavors of Linux or requires non standard dependencies that are not available by default in all Linux distributions. It does not seem to make much sense.

End Rant

> I am also not sure why any group that wants to encourage the use of certificates would design an installation and renewal script that requires particular flavors of Linux or requires non standard dependencies that are not available by default in all Linux distributions. It does not seem to make much sense.

Currently there are 40 million active certificates, so your point doesn't really stand up.

If you are not happy with the ACME protocol then you can pay for long-lived certificates (1 year) from traditional CAs.

Andrei

Certbot is only one of literally dozens of ACME clients that can interact with Let’s Encrypt. I suppose you’ve found this page with a listing of other options: https://letsencrypt.org/docs/client-options/

If you’ve got some coding experience, you could certainly modify one of those, or write your own for your particular use case. You might even open source it and submit it for others in your situation! The ACME protocol is an open IETF standard, and I believe the current version in use is draft 5. https://tools.ietf.org/html/draft-ietf-acme-acme-05

Note that there are a few differences in how Let’s Encrypt implements this standard for now. Eventually I believe the idea is that they will implement the IETF approved standard once that is completed January 2018. The current deviations from the standard can be found here. https://github.com/letsencrypt/boulder/blob/release/docs/acme-divergences.md

I didn’t understand the context of this at first, but currently I’m not aware of a way that any existing Let’s Encrypt client lets you import externally-generated certificates. This could certainly be a useful feature, but most existing clients are focused on managed certificates that they themselves obtained.

Importing existing certificates isn’t usually considered such a high priority because it’s relatively straightforward to generate new ones.

Edit: behind the scenes, certificate renewal always involves generating new certificates. There is no way in the X.509 PKI that a certificate authority can do something to extend the lifetime or validity of an existing certificate. So renewal is implemented in every client as requesting a new certificate that applies to the same domain names that the old certificate did. This also means that every “renewal” interaction with the Let’s Encrypt CA is going to involve an ACME client that can speak the full ACME protocol to the CA to request the new certificate.
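The one part of the original request that a plain bash script can do without any ACME client is the expiry check: read the notAfter date out of the PEM files already on disk and flag any certificate that is inside the renewal window, so that a new certificate can be requested for the same names. The script below is an added example, not code from this thread or from any of the clients mentioned; it assumes only that openssl and GNU date are installed, and the certificate it checks is a constructed self-signed one generated on the fly for demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report how many days remain on a PEM
# certificate file and flag it when it is inside the renewal window.
# Assumes openssl and GNU date (date -d) are available.
set -euo pipefail

# days_until_expiry CERT_FILE -> prints whole days remaining (negative once expired)
days_until_expiry() {
  local cert="$1" not_after end_epoch now_epoch
  # "notAfter=Jan  1 00:00:00 2030 GMT" -> keep only the date part
  not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  # GNU date parses this format; on BSD/macOS use:
  #   date -j -f "%b %d %T %Y %Z" "$not_after" +%s
  end_epoch=$(date -d "$not_after" +%s)
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# needs_renewal CERT_FILE [THRESHOLD_DAYS] -> exit 0 if the certificate expires
# within THRESHOLD_DAYS (default 30, the window Let's Encrypt clients commonly use),
# exit 1 otherwise. openssl's -checkend does the comparison itself, so this part
# does not depend on date(1) at all.
needs_renewal() {
  local cert="$1" threshold="${2:-30}"
  if openssl x509 -in "$cert" -noout -checkend $(( threshold * 86400 )) >/dev/null; then
    return 1   # still valid beyond the window
  fi
  return 0     # expires inside the window (or already expired): request a new cert
}

# make_test_cert DIR DAYS -> writes a constructed self-signed certificate valid for
# DAYS days into DIR and prints its path (demonstration input only)
make_test_cert() {
  local dir="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days "$days" -subj "/CN=example.test" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Stand-alone use: ./check-certs.sh /etc/ssl/mysite/cert.pem [more.pem ...]
if [ "$#" -gt 0 ]; then
  for f in "$@"; do
    if needs_renewal "$f" 30; then
      echo "RENEW  $f ($(days_until_expiry "$f") days left)"
    else
      echo "OK     $f ($(days_until_expiry "$f") days left)"
    fi
  done
fi
```

Pointed at the real certificate paths, the loop at the bottom is the "check the file expiration dates" half of the original question; the "update them" half still has to be an ACME client run for the same domain names, for the reason given in the post above.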


@jared.m: Thank you for the constructive response. The last real programming I did was over 25 years ago with Quick Basic and Turbo C++. Now I just do enough bash scripting to accomplish what I want, mostly for server maintenance tasks etc. Based on what Schoen has said, however, about starting over, I will look at some of the other possibilities, perhaps PHP.

@schoen: Thanks for the lesson. I was not aware that renewal was actually creating a new certificate. I was under the impression that renewal was just that, renewal of an existing certificate, and that generating a second certificate when you already had one was bad form. Now that you have straightened me out, I will just delete or revoke what I have and start over. It might make life a lot easier.

Thanks again to both of you.

Small update: Draft-07 is the most recent ACME draft at the time of this thread.
