Certbot Renewal Clarification

#1

Hi, so before anything, I understand this question is slightly peculiar in that its more theoretical; As you can see from the answers at the bottom of this post, I have not used certbot yet. This is due to the following.

So I’m more just trying to gather a framework and plan for how I want to implement automating requesting, generating, and renewing our certs.

QUESTION
If I am able to obtain a certificate by fulfilling the tls-alpn-01 challenge via a task using the Ansible module above, will I be able to renew the cert via certbot even though the tls-alpn-01 challenge is not supported? I’m not sure if the whole challenge validation process is started for renewal or not and I can’t seem to find any direct answers.

I literally just started learning about SSL/TLS Certificate validation last week so please bear with me. If there is any additional information that would help in this inquiry please let me know.

My domain is: N/A

I ran this command: N/A

It produced this output: N/A

My web server is (include version): Apache

The operating system my web server runs on is (include version): CentOS/RHEL7

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Will be the latest version

#2

Could be me, but I’m not seeing any question? :question:

#3

Sorry about that, my “question” got posted before I was done editing it. It should be up now.

#4

Correct, certbot doesn’t support the tls-alpn-01 challenge.

That’s unfortunate. So you’re not running a public site then?

The DNS challenge isn’t “over” port 443. It’s through the DNS system. It depends on how you can communicate to your DNS API. That might be over port 443. But that isn’t set in stone.

There is a Let’s Encrypt module for Ansible 2.3: https://docs.ansible.com/ansible/2.3/letsencrypt_module.html Perhaps you can use it with the DNS challenge, as it also doesn’t support the tls-alpn-01 challenge and you said port 80 isn’t an option.

#5

We are running a public site but only allow certain IPs to the website for external testing purposes and are required to block port 80 at the firewall level. I’m assuming certbot does not support a custom port option?

Does the whole challenge fulfillment process get executed for renewing a cert via certbot?

#6

Certbot does, but the Let’s Encrypt CA doesn’t!

Yes, you have to repeat the challenges. So @Osiris’s suggestion about DNS challenges may be helpful in your situation.

1 Like
#7

Ok thank you very much!

closed #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.