First, and foremost, thanks for this type of service. I’ve got my home machine setup with a public web server for (mostly) personal use. Up until I started using this service, I was using only a self-signed cert. Mostly a pain for people I introduce to my site, but, hey, I can now skip that particular instruction. Thanks!
My question revolves around the best practice setup for renewing certs in the case that my ISP decides to change my IP at whatever random interval.
Since certificates rely on IPs being the same, I need to find a way to safely satisfy getting a certificate from LE when my IP changes within a reasonable time frame (I’m thinking a poke at my router every 5 minutes), and if it changes, run the job to force a refresh on the cert.
Getting my public IP is simple enough, and I can handle that internally on my LAN or use http://checkip.dyndns.com/. My issue is the ‘not getting banned’ thing. How should I set up cron to do a weekly check, as well as run this custom script to force an update when a new IP is detected?
I’m running a brand new install of Debian 8.6 (because I destroyed my last server with an unwanted distro upgrade) and have successfully got HTTPS going. Now, just the periodic updates so I don’t need to think about it. :]
I’ve installed Certbot, but I don’t see that it has actually installed anything in any cron that I can see in /var/spool/cron.
Certificates match DNS names, not IPs. As long as the DNS name you’re authenticating against matches the IP you are on at the time you make the request, you should get a proper working certificate.
By default certbot stays unconfigured as there are a lot of ways to configure it. Once you have the certificate set up initially, you can configure a renewal run daily that will use the saved authentication method settings.
Had a long post, deleted it. After asking my questions before I deleted, I think I get it.
So the certs have zero reliance on any IP address I’m on. I can move that cert between machines on my LAN, or onto any machine exposed to the net, so long as I move the DNS entry to point to the public IP address that new machine is listening through, at any time, and the cert will work until it expires?
Although way overboard and not needed for my current setup, theoretically I’d be able to have one machine make the request for all my certs (which amounts to one right now), then somehow transfer the certs (rsync/scp/sftp) to the required machines instead of having multiple machines making cert requests?
If that is the exact case, then I guess it just boils down to a proper setup in cron to get my server to make the requests for the cert updates.
Yes. You'd probably want to use a certbot --renew-hook or --post-hook to invoke a script that copies the certificates around, logs in to the servers and reloads any daemons that need it, etc.
Other Let's Encrypt clients may have better integration with stuff like that.
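As an added example (not code from the thread or from Certbot), here is a daily cron entry plus a POSIX sh deploy hook of the kind the reply above describes: it copies a renewed lineage to other LAN hosts and reloads their daemons. The hostnames web2 and mail, the /etc/ssl/le target path and the reload commands are assumptions; RENEWED_LINEAGE is the variable Certbot exports to the hook.

```shell
#!/bin/sh
# Install as /usr/local/sbin/le-deploy.sh (path assumed) and schedule a daily
# renewal attempt; "certbot renew" only renews certs that are near expiry,
# so a daily run stays well inside the rate limits:
#   0 3 * * * root certbot renew --quiet --deploy-hook /usr/local/sbin/le-deploy.sh
# (older Certbot versions call the same option --renew-hook.)
set -eu

# Return 0 only if the lineage directory holds the two files we need to ship.
lineage_is_complete() {
    dir=$1
    [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ]
}

# Copy cert and key into a staging directory with tight permissions, so the
# private key never sits world-readable while in transit.
stage_lineage() {
    src=$1; dst=$2
    lineage_is_complete "$src" || return 1
    mkdir -p "$dst"
    chmod 0700 "$dst"
    cp "$src/fullchain.pem" "$dst/fullchain.pem"
    cp "$src/privkey.pem" "$dst/privkey.pem"
    chmod 0644 "$dst/fullchain.pem"
    chmod 0600 "$dst/privkey.pem"
}

# Ship the staged files to one host over SSH and reload the daemon there.
# Host names, target path and reload command are assumptions for this example.
ship_to_host() {
    staged=$1; host=$2; reload_cmd=$3
    rsync -a "$staged/" "root@$host:/etc/ssl/le/"
    ssh "root@$host" "$reload_cmd"
}

main() {
    # Certbot sets RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/example.org
    lineage=${RENEWED_LINEAGE:?must be run by certbot as a deploy hook}
    stage=/var/tmp/le-stage/$(basename "$lineage")
    stage_lineage "$lineage" "$stage"
    ship_to_host "$stage" web2 "systemctl reload apache2"
    ship_to_host "$stage" mail "systemctl reload postfix dovecot"
}

# Only act when invoked by certbot; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```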