Is certbot available as a library, or are there any plans for that?
We're looking at using Azure Application Gateway, so we're going to have to do something to automate this. Calling certbot from a script is doable, but then we have to make .pfx files etc. Ideally this is something I'd like to do from Python using certbot and pyOpenSSL, then use the Azure SDK to upload them and other bits to set up the DNS challenge.
Also renewals look like they might be trickier to automate using the command line options as well (though I confess I've not dug into that too much yet)
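The .pfx step from the post above, as an added example that is not code from the thread, from certbot, or from the Azure SDK. It uses the `cryptography` package (the library underneath pyOpenSSL) to take certbot-style `privkey.pem` and `fullchain.pem` contents, check that the key actually belongs to the leaf, and emit a password-protected PKCS#12 bundle that can then be uploaded. The throwaway issuer and leaf built by `make_demo_material()` are constructed stand-ins for what an ACME client would return; `pem_to_pfx`, `inspect_pfx` and the friendly name `appgw-listener` are names chosen here, not anything from certbot or Azure.

```python
"""Package certbot-style PEM files into a PKCS#12 (.pfx) bundle for upload.

Added example, not code from the thread, certbot, or the Azure SDK. Uses the
`cryptography` package (the library under pyOpenSSL). The file names
privkey.pem / fullchain.pem are certbot's; the issuer and leaf certificates
produced by make_demo_material() are constructed stand-ins.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def split_fullchain(fullchain_pem: bytes) -> list:
    """Split a concatenated PEM file into certificates, leaf first (certbot's order)."""
    certs = []
    start = fullchain_pem.find(PEM_BEGIN)
    while start != -1:
        stop = fullchain_pem.find(PEM_END, start) + len(PEM_END)
        certs.append(x509.load_pem_x509_certificate(fullchain_pem[start:stop]))
        start = fullchain_pem.find(PEM_BEGIN, stop)
    if not certs:
        raise ValueError("no certificates found in fullchain.pem")
    return certs


def spki_der(public_key) -> bytes:
    """DER SubjectPublicKeyInfo, so keys of any type can be compared byte-for-byte."""
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def pem_to_pfx(privkey_pem: bytes, fullchain_pem: bytes, password: bytes,
               friendly_name: bytes = b"appgw-listener") -> bytes:
    """Return a password-protected PKCS#12 blob: leaf + key, with the chain as extra certs."""
    key = serialization.load_pem_private_key(privkey_pem, password=None)
    leaf, *chain = split_fullchain(fullchain_pem)
    # Refuse a bundle whose key does not belong to the leaf: such a .pfx uploads
    # without complaint and then fails every TLS handshake on the gateway.
    if spki_der(key.public_key()) != spki_der(leaf.public_key()):
        raise ValueError("privkey.pem does not match the leaf certificate in fullchain.pem")
    return pkcs12.serialize_key_and_certificates(
        name=friendly_name, key=key, cert=leaf, cas=chain or None,
        encryption_algorithm=serialization.BestAvailableEncryption(password))


def inspect_pfx(pfx: bytes, password: bytes) -> dict:
    """Reopen the bundle and report what a TLS listener would actually serve from it."""
    key, leaf, extra = pkcs12.load_key_and_certificates(pfx, password)
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {"hostnames": san.get_values_for_type(x509.DNSName),
            "chain_length": len(extra or []),
            "key_matches": spki_der(key.public_key()) == spki_der(leaf.public_key())}


def make_demo_material(hostnames):
    """Constructed stand-in for certbot output: a throwaway issuer and a leaf it signs."""
    now = datetime.datetime.now(datetime.timezone.utc)

    def build(subject_cn, pub, issuer_name, issuer_key, sans):
        b = (x509.CertificateBuilder()
             .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
             .issuer_name(issuer_name)
             .public_key(pub)
             .serial_number(x509.random_serial_number())
             .not_valid_before(now)
             .not_valid_after(now + datetime.timedelta(days=90)))
        if sans:
            b = b.add_extension(
                x509.SubjectAlternativeName([x509.DNSName(h) for h in sans]), critical=False)
        return b.sign(issuer_key, hashes.SHA256())

    issuer_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Issuer")])
    issuer_cert = build("Demo Issuer", issuer_key.public_key(), issuer_name, issuer_key, [])
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_cert = build(hostnames[0], leaf_key.public_key(), issuer_name, issuer_key, hostnames)
    privkey_pem = leaf_key.private_bytes(serialization.Encoding.PEM,
                                         serialization.PrivateFormat.PKCS8,
                                         serialization.NoEncryption())
    fullchain_pem = (leaf_cert.public_bytes(serialization.Encoding.PEM)
                     + issuer_cert.public_bytes(serialization.Encoding.PEM))
    return privkey_pem, fullchain_pem


if __name__ == "__main__":
    priv, chain = make_demo_material(["www.example.test", "example.test"])
    bundle = pem_to_pfx(priv, chain, b"s3cret")
    print(inspect_pfx(bundle, b"s3cret"))
```

With real certbot output you would read `privkey.pem` and `fullchain.pem` from the live directory and pass the resulting bytes straight to the upload call; the password is whatever the target (key vault or gateway) expects for the .pfx import, and the key-match check is the one thing worth keeping even if you drop everything else, because it is the failure mode that only shows up after the certificate is in place.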
Thank you. I had seen Posh-ACME but it didn't do renewals from what I could see (ok so we could just get another one each time).
We use Certify The Web now and I wasn't aware that would push to key vault so that's very useful to know. Will look into that.
We also have to do end-to-end encryption as well probably which adds to the fun but going to investigate self-signed certs for the internal hop.
A "renewal" is just an easy shorthand for "get another certificate for the same names"; there's really nothing protocol-wise that makes something a renewal rather than a "new" certificate. It's just handy to have that shorthand for a lot of things, and of course many ACME clients have a concept of storing your configuration so that a "renewal" happens the same way as the last time.
@petercooperjr I thought a renewal is slightly different, in that Let's Encrypt then doesn't send reminders saying the old one is about to expire? This is extrapolating from guesses about which emails I see coming in to the shared email we use for this (when we've had to add a domain and so have to get a new one) so I should probably check my assumptions.
You're correct of course. A renewal, in the sense of "another certificate was created with the same set of domain names", is tracked differently for rate limit purposes, and you get a reminder email if a renewal certificate wasn't created near the end of a cert's expiration. But in terms of what's technically happening, of what your ACME client requests from the server and the certificate it gets back, there's no difference between a "new" certificate and a "renewal" certificate. It's just that some policies look at them differently, if that makes sense.
And to make it even a little bit more explicit: it doesn't matter how you renew (by the "renew option" of an ACME client or if you use the "get me a new certificate" option), as long as the contents of the certificate (hostnames) are the same, Let's Encrypt will see the certificate as a renewal and won't send an e-mail.
"Trick" question to @NigelM: if you somehow manage to confuse your ACME client and mess up the hostnames of a certain certificate and consequentially use the "renew" feature of your ACME client, will you receive an e-mail from Let's Encrypt when the original certificate is close to expiry?
Thanks for the clarification. As I say I've not had the time to fully investigate - had enough trying to ingest a host of Azure information this last few weeks. From what you say @Osiris I assume we would get an email as that is triggered by matching on hostnames and if they are messed up then it's seen as a new one?