Certbot as python library?

Is certbot available as a library, or are there any plans for that?

We're looking at using Azure Application Gateway, so we're going to have to do something to automate this. Calling certbot from a script is doable, but then we have to make .pfx files etc. Ideally this is something I'd like to do from python using certbot and pyOpenSSL then use the azure sdk to upload them and other bits to set up the DNS challenge.

Also renewals look like they might be trickier to automate using the command line options as well (though I confess I've not dug into that too much yet)

I think that there are some good options (other than Certbot) if you're looking for Azure automation.

The PowerShell library Posh-ACME might be a good choice, since I think that will allow you to do everything end-to-end for your Azure Application Gateway in a single PS script?

Certify the Web might be a good choice as well, because it has built-in support for automated deployment to Azure Key Vault, which I think connects with Azure Application Gateway.

There are a few other Windows options in the client list as well.

Certbot does have an acme Python library you can use, but I think there's probably better tools for the job in this case.

3 Likes

Thank you. I had seen Posh-ACME but it didn't do renewals from what I could see (ok so we could just get another one each time).
We use Certify The Web now and I wasn't aware that would push to key vault so that's very useful to know. Will look into that.
We also have to do end-to-end encryption as well probably which adds to the fun but going to investigate self-signed certs for the internal hop.

1 Like

A "renewal" is just an easy shorthand for "get another certificate for the same names"; there's really nothing protocol-wise that makes something a renewal rather than a "new" certificate. It's just handy to have that shorthand for a lot of things, and of course many ACME clients have a concept of storing your configuration so that a "renewal" happens the same way as the last time.

2 Likes

I think Posh-ACME does have renewals so one doesn't have to go through the New-PACertificate steps every time:

Submit-Renewal will only return PACertificate objects for certs that were actually renewed successfully. So the typical template for a renew/deploy script might look something like this.

Set-PAOrder example.com
if ($cert = Submit-Renewal) {
    # do stuff with $cert to deploy it
}

Though if Certify makes the job easier, one may as well go with that.

1 Like

@petercooperjr I thought a renewal is slightly different, in that Let's Encrypt then doesn't send reminders saying the old one is about to expire? This is extrapolating from guesses about which emails I see coming in to the shared email we use for this (when we've had to add a domain and so have to get a new one) so I should probably check my assumptions.

You're correct of course. A renewal, in the sense of "another certificate was created with the same set of domain names", is tracked differently for rate limit purposes, and you get a reminder email if a renewal certificate wasn't created near the end of a cert's expiration. But in terms of what's technically happening, of what your ACME client requests to the server and the certificate it gets back, there's no difference between a "new" certificate and a "renewal" certificate. It's just that some policies look at them differently, if that makes sense.

1 Like

And to make it even a little bit more explicit: it doesn't matter how you renew (by the "renew option" of an ACME client or if you use the "get me a new certificate" option), as long as the contents of the certificate (hostnames) are the same, Let's Encrypt will see the certificate as a renewal and won't send an e-mail.

"Trick" question to @NigelM: if you somehow manage to confuse your ACME client and mess up the hostnames of a certain certificate and consequentially use the "renew" feature of your ACME client, will you receive an e-mail from Let's Encrypt when the original certificate is close to expiry? :wink:

Thanks for the clarification. As I say I've not had the time to fully investigate - had enough trying to ingest a host of Azure information these last few weeks. From what you say @Osiris I assume we would get an email as that is triggered by matching on hostnames and if they are messed up then it's seen as a new one?

Absolutely correct! 

1 Like
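As an added illustration of the renewal rule discussed in the replies above (example code, not from the thread, from Let's Encrypt or from any ACME client): an issuance only counts as a renewal when its normalized hostname set matches an earlier certificate's exactly, so a mangled hostname list leaves the original certificate looking unrenewed and would trigger an expiry reminder. The reminder window length and the sample certificates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: how close to expiry an unrenewed cert triggers a reminder.
# This is a placeholder for the model, not an official Let's Encrypt figure.
REMINDER_WINDOW = timedelta(days=20)


@dataclass(frozen=True)
class IssuedCert:
    names: frozenset       # normalized hostnames in the certificate
    not_before: datetime   # issuance time
    not_after: datetime    # expiry time


def normalize_names(names):
    """Canonical hostname set: lower-case, trailing dot stripped, duplicates folded."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def is_renewal_of(new_names, old_names):
    """True when both hostname sets are identical; order and case do not matter."""
    return normalize_names(new_names) == normalize_names(old_names)


def certs_needing_reminder(certs, now):
    """Certs expiring within REMINDER_WINDOW that no later issuance has renewed."""
    needing = []
    for cert in certs:
        if not (now <= cert.not_after <= now + REMINDER_WINDOW):
            continue
        renewed = any(
            other is not cert
            and other.not_before > cert.not_before
            and other.names == cert.names
            for other in certs
        )
        if not renewed:
            needing.append(cert)
    return needing


def demo():
    """Constructed scenario: one cert 'renewed' with a lost hostname, one renewed correctly."""
    t0 = datetime(2024, 1, 1)

    def day(d):
        return t0 + timedelta(days=d)

    original = IssuedCert(normalize_names(["example.com", "WWW.example.com."]), day(0), day(90))
    mangled = IssuedCert(normalize_names(["example.com"]), day(60), day(150))  # www dropped
    api = IssuedCert(normalize_names(["api.example.com"]), day(0), day(90))
    api_renewed = IssuedCert(normalize_names(["api.example.com"]), day(60), day(150))
    reminders = certs_needing_reminder([original, mangled, api, api_renewed], now=day(75))
    return [sorted(c.names) for c in reminders]
```

Running `demo()` reports only the original example.com certificate as unrenewed: the mangled issuance has a different hostname set, so it is a "new" certificate under this rule, while api.example.com is covered by its correctly named renewal.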