Certbot: how can I renew if staging certs exist, but I want production certs?

Hello,
after having hit the issuance limit a few times, I decided that I should use the staging servers until I’m sure that something fully works (I’m working on automated deployments, not just on random personal websites, so I redeployed many times, and if something went wrong I often lost the previous certs).

So far so good, but I’ve got a grievance with certbot (or I don’t know which option I should use): if I launch it with “--staging”, then I launch it without such options when the staging certs already exist, it will refuse to create a new certificate (because it’s not yet due for renewal), unless I pass --force-renewal, but it won’t even exit with an error.

Now, this is a bit of a hassle; if I ask certbot to create or renew certs without the ‘staging’ options, I expect that, at the end of the operation, I get production, valid certificates; or, if I can’t get them, at least that certbot exits with a nonzero status to signify an error.

Such behaviour is problematic for automated systems; is there any way around it?

Example:
suppose that I’m working on a new system. The “--staging” flag is set. Once development is done, I need to add a “--force-renewal” flag, make sure that all the existing systems are deployed - which can be difficult, maybe some system is not available at some moment - then I need to remove the flag (otherwise at each subsequent deployment I’ll renew a cert and hit the issuance limit). It seems to retain a state which isn’t useful IMHO.

Full example log follows:

(mycertbot)root@pilar:/tmp# certbot --config-dir /tmp/conf/ --work-dir /tmp/work/ --logs-dir /tmp/logs/ certonly --preferred-challenges=http --staging --standalone -n -m registrazioni@franzoni.eu --agree-tos -d pilar.franzoni.eu
Saving debug log to /tmp/logs/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None

Broadcast message from root@pilar
	(unknown) at 17:00 ...

The system is going down for reboot in 540 minutes!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pilar.franzoni.eu
Waiting for verification...
Cleaning up challenges
Non-standard path(s), might not work with crontab installed by your operating system package manager

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /tmp/conf/live/pilar.franzoni.eu/fullchain.pem
   Your key file has been saved at:
   /tmp/conf/live/pilar.franzoni.eu/privkey.pem
   Your cert will expire on 2018-02-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /tmp/conf. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Certbot so making
   regular backups of this folder is ideal.
(mycertbot)root@pilar:/tmp# certbot --config-dir /tmp/conf/ --work-dir /tmp/work/ --logs-dir /tmp/logs/ certonly --preferred-challenges=http --standalone -n -m registrazioni@franzoni.eu --agree-tos -d pilar.franzoni.eu
Saving debug log to /tmp/logs/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal
Keeping the existing certificate

-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /tmp/conf. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Certbot so making
   regular backups of this folder is ideal.
(mycertbot)root@pilar:/tmp# certbot --version
certbot 0.19.0

Show:
certbot certificates

Also, just a general observation: The /tmp folder generally doesn’t survive a reboot.

I believe you can do this with the --server option by explicitly adding the --server https://acme-v01.api.letsencrypt.org/directory option, and then Certbot will do the right thing with respect to ACME accounts. @bmw, could you confirm that this is right?

@rg305 your command shows the certs; I could grep for INVALID and delete the cert if it’s there, but this would bind me to the output of a usually interactive command, which could mean that certbot updates might break my code.

I know what tmp is, I’m generating dummy certificates to send a reproducible POC here, so anyone could basically copypaste my examples without interfering with a server’s operations.

@schoen that doesn’t seem to work:

(mycertbot)root@pilar:/tmp# certbot --config-dir /tmp/conf/ --work-dir /tmp/work/ --logs-dir /tmp/logs/ certificates
Saving debug log to /tmp/logs/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: pilar.franzoni.eu
    Domains: pilar.franzoni.eu
    Expiry Date: 2018-02-14 15:00:49+00:00 (INVALID: TEST_CERT)
    Certificate Path: /tmp/conf/live/pilar.franzoni.eu/fullchain.pem
    Private Key Path: /tmp/conf/live/pilar.franzoni.eu/privkey.pem
-------------------------------------------------------------------------------
(mycertbot)root@pilar:/tmp# certbot --config-dir /tmp/conf/ --work-dir /tmp/work/ --logs-dir /tmp/logs/ certonly --server https://acme-v01.api.letsencrypt.org/directory  --preferred-challenges=http --standalone -n -m registrazioni@franzoni.eu --agree-tos -d pilar.franzoni.eu
Saving debug log to /tmp/logs/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal
Keeping the existing certificate

-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------

For a different reason—if you want to renew a certificate that isn’t less than 30 days from expiry, you should also add --force-renewal to the command line.


@schoen please, read my original request. I need to have that work unattended; it should work in a cluster deployment system. I know how to do it manually. I could even contribute a patch, if such functionality is considered useful.


Oh, sorry about that! I definitely got confused about what you were looking for.

I think contributing a patch could be helpful here.

I’ve run into the same problem before too, when setting up a playbook for automatic deployment of a server. There is no idempotent, non-interactive command to make Certbot only request a new cert when:

  • There is no existing corresponding certificate lineage, OR
  • There is an existing corresponding certificate lineage, but the newest cert is up for renewal, OR
  • The requested characteristics of the new certificate are different from the ones of the currently existing cert

By “requested characteristics”, I mean the use of the --staging flag (what @alanfranz is talking about), but also the --rsa-key-size and --must-staple flags. You can’t change the presence or values for these flags when requesting a new cert for an existing certificate lineage, without including the --force-renewal flag.

So I hope that’s also something that can be changed in the future :)


You’re correct that Certbot doesn’t currently have this functionality. I created https://github.com/certbot/certbot/issues/5249 to consider changing this behavior, but I think this would be a significant change to Certbot so it’s something we should think about carefully.

In the meantime, your options are:

  1. Use --force-renewal when you’re ready to switch to production certs.
  2. Delete the staging certificates before issuing production certs.
  3. Instead of using --staging, use --dry-run which obtains staging certificates, but doesn’t save them. You can only do this if you’re not using the staging certificates for anything, including having Certbot automatically configure them to be used with your webserver.
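A worked version of option 2 that stays idempotent across redeployments, added here as an example and not code from the thread or from Certbot itself. Instead of grepping the human-readable output of `certbot certificates` for INVALID (the concern raised above), it reads the lineage’s renewal config under `CONF_DIR/renewal/NAME.conf`, which records the ACME directory URL the cert was obtained from; a "staging" substring in that URL is the same signal Certbot uses to mark a lineage as a TEST_CERT. The function then decides between issuing, deleting-then-issuing, or leaving the lineage to `certbot renew`, and exits nonzero if a production lineage is still not present afterwards. Assumptions: the `EMAIL` variable and the standalone/http challenge arguments are placeholders for your own deployment; the two renewal configs written by `make_demo_conf` are constructed sample input, not real files.

```shell
#!/bin/sh
# Added example (not from the thread, not part of Certbot): idempotent
# "replace staging lineage with a production one" logic for unattended runs.
# Assumption: certbot stores CONF_DIR/renewal/NAME.conf with a
# "server = <ACME directory URL>" line for each lineage.

# lineage_server CONF_DIR NAME -> prints the recorded ACME server URL,
# or nothing if no lineage with that name exists.
lineage_server() {
    conf="$1/renewal/$2.conf"
    [ -f "$conf" ] || return 0
    sed -n 's/^server[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1
}

# plan_action CONF_DIR NAME -> prints one of:
#   issue    no lineage yet: run certonly normally
#   replace  lineage exists but came from a staging server: delete, then certonly
#   keep     production lineage exists: leave renewal timing to "certbot renew"
plan_action() {
    server=$(lineage_server "$1" "$2")
    if [ -z "$server" ]; then
        echo issue
    elif echo "$server" | grep -q staging; then
        echo replace
    else
        echo keep
    fi
}

# apply_plan CONF_DIR NAME -> runs certbot (or $CERTBOT) according to the plan
# and returns nonzero unless a production lineage exists afterwards.
# EMAIL, --standalone and --preferred-challenges http are placeholders.
apply_plan() {
    conf_dir="$1"; name="$2"
    certbot_bin="${CERTBOT:-certbot}"
    case "$(plan_action "$conf_dir" "$name")" in
        keep) return 0 ;;
        replace)
            "$certbot_bin" --config-dir "$conf_dir" -n delete --cert-name "$name" || return 1 ;;
    esac
    "$certbot_bin" --config-dir "$conf_dir" certonly -n --agree-tos \
        --standalone --preferred-challenges http \
        -m "${EMAIL:?set EMAIL}" -d "$name" || return 1
    # Fail loudly if we still do not hold a production lineage.
    [ "$(plan_action "$conf_dir" "$name")" = keep ]
}

# make_demo_conf -> creates a throwaway config dir holding two CONSTRUCTED
# renewal configs (one staging, one production) and prints its path.
make_demo_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/renewal"
    cat > "$dir/renewal/staging.example.conf" <<'EOF'
version = 0.19.0
[renewalparams]
authenticator = standalone
server = https://acme-staging.api.letsencrypt.org/directory
EOF
    cat > "$dir/renewal/prod.example.conf" <<'EOF'
version = 0.19.0
[renewalparams]
authenticator = standalone
server = https://acme-v01.api.letsencrypt.org/directory
EOF
    echo "$dir"
}

# Demo: show the plan for each constructed lineage without touching certbot.
demo=$(make_demo_conf)
for name in staging.example prod.example new.example; do
    echo "$name: $(plan_action "$demo" "$name")"
done
rm -rf "$demo"
```

In a deployment you would call `apply_plan /etc/letsencrypt host.example.com` once per host and let the exit status gate the rest of the playbook; because the decision is derived from the stored server URL rather than from how many days are left, rerunning it on a host that already has a production lineage is a no-op and does not consume issuance quota.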
