Certbot Renewal Clarification

mayesca · February 28, 2019, 2:39pm

Hi, so before anything, I understand this question is slightly peculiar in that its more theoretical; As you can see from the answers at the bottom of this post, I have not used certbot yet. This is due to the following.

tls-alpn-01 challenge is unsupported via the client (cannot open up port 80 and I’m not sure about requesting a cert using the DNS challenge over port 443)
Our ansible version is currently 2.3 and the “acme_challenge_cert_helper” Ansible module is new in v2.7 (I do not have the access to upgrade our version)
https://docs.ansible.com/ansible/latest/modules/acme_challenge_cert_helper_module.html#acme-challenge-cert-helper-module

So I’m more just trying to gather a framework and plan for how I want to implement automating requesting, generating, and renewing our certs.

QUESTION
If I am able to obtain a certificate by fulfilling the tls-alpn-01 challenge via a task using the Ansible module above, will I be able to renew the cert via certbot even though the tls-alpn-01 challenge is not supported? I’m not sure if the whole challenge validation process is started for renewal or not and I can’t seem to find any direct answers.

I literally just started learning about SSL/TLS Certificate validation last week so please bear with me. If there is any additional information that would help in this inquiry please let me know.

My domain is: N/A

I ran this command: N/A

It produced this output: N/A

My web server is (include version): Apache

The operating system my web server runs on is (include version): CentOS/RHEL7

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Will be the latest version

Osiris · February 28, 2019, 2:52pm

Could be me, but I'm not seeing any question?

mayesca · February 28, 2019, 2:55pm

Sorry about that, my “question” got posted before I was done editing it. It should be up now.

Osiris · February 28, 2019, 3:00pm

Correct, certbot doesn't support the tls-alpn-01 challenge.

That's unfortunate. So you're not running a public site then?

The DNS challenge isn't "over" port 443. It's through the DNS system. It depends on how you can communicate to your DNS API. That might be over port 443. But that isn't set in stone.

There is a Let's Encrypt module for Ansible 2.3: https://docs.ansible.com/ansible/2.3/letsencrypt_module.html Perhaps you can use it with the DNS challenge, as it also doesn't support the tls-alpn-01 challenge and you said port 80 isn't an option.

mayesca · February 28, 2019, 3:23pm

We are running a public site but only allow certain IPs to the website for external testing purposes and are required to block port 80 at the firewall level. I’m assuming certbot does not support a custom port option?

Does the whole challenge fulfillment process get executed for renewing a cert via certbot?

schoen · February 28, 2019, 11:32pm

Certbot does, but the Let's Encrypt CA doesn't!

Yes, you have to repeat the challenges. So @Osiris's suggestion about DNS challenges may be helpful in your situation.

mayesca · March 4, 2019, 4:05pm

Ok thank you very much!

system · April 3, 2019, 4:05pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help renewing certificates Help	3	342	June 22, 2024
Cannot renew cert: DEBUG:acme.challenges:tls-alpn-01 was not recognized Help	8	3203	September 2, 2018
Renewal : another client-lacks-sufficient-authorization Help	4	973	September 27, 2018
Bypass http or dns challenge while using certbot Help	48	848	November 23, 2024
Action required: Let's Encrypt certificate renewals Help	3	1447	February 19, 2019

Certbot Renewal Clarification

Related topics