Configure renewal to use existing key without editing (fragile) systemd configuration file

I’m using certbot 0.31.0 on Ubuntu 16.04. I enabled automatic renewal using systemd a few months ago and today it renewed and I realised that it generated a new key in the process. This new key invalidated my DNS DANE records, and I would like to avoid this. I would therefore like to configure the automatic certificate renewal to use the same key so that it does not invalidate DANE. Apparently I can change the systemd service file in /lib/systemd/system/certbot.service, but if I update certbot this is liable to be overwritten. Instead it seems appropriate to use the renewal configuration in the [renewalparams] section of /etc/letsencrypt/renewal/attackllama.com.conf. However, I have no idea if it is possible to configure certbot to use the existing key using this file - is there documentation somewhere with supported options for this file? Is there some other way to configure LetsEncrypt to use the same key in a way that would survive certbot client software updates?

I know I can configure a post renew hook for updating DNS but this runs into the problem that cached DNS records will have the wrong DANE TLSA records until a few TTLs after the renewal.


If you look at the command line options of certbot, you’ll find the --reuse-key option.

You shouldn’t modify your systemd service file: that’s just for the global renewal. If you want to change anything, you could indeed try to modify the renewal configuration file, but that’s not documented in any way and I’d reckon not “officially” supported (as far as anything is officially supported :stuck_out_tongue:).

I’d recommend re-running the certbot command which issued the certificate in the first place, but now with the --reuse-key command. Certbot should put the reuse_key option in the configuration file. If you’d like, you could of course try to edit the configuration file by hand anyway, it’s just a boolean variable: reuse_key = True in the renewalparams section.

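The answer above says the renewal file is undocumented but that `reuse_key = True` under `[renewalparams]` is the setting certbot writes when you pass `--reuse-key`. The script below is an added example, not code from this thread or from certbot itself: it reads a renewal configuration file, reports whether the lineage will keep its key on renewal (so DANE TLSA records stay valid), and with `--fix` writes the setting in. It assumes only the layout visible in certbot's renewal files (top-level `key = value` lines, then a `[renewalparams]` section) and, like certbot, treats only a literal `True`/`False` (case-insensitive) as the boolean. The sample configuration embedded in it is constructed for the example, with placeholder paths and account id.

```python
#!/usr/bin/env python3
"""Check or set reuse_key = True in a certbot renewal configuration file.

Added example, not certbot's own code. Assumes the renewal file layout that
certbot writes: top-level key = value lines followed by a [renewalparams]
section. Running this is an alternative to re-issuing with --reuse-key;
either way, verify the result before the next scheduled renewal.
"""
import re
import sys
from pathlib import Path

SECTION = "[renewalparams]"
KEY_RE = re.compile(r"^\s*reuse_key\s*=\s*(\S+)\s*$")

# Constructed sample of a renewal file written before --reuse-key was used.
# Paths and the account id are placeholders, not values from a real system.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 0000000000000000000000000000PLACEHOLDER
server = https://acme-v02.api.letsencrypt.org/directory
"""


def reuse_key_setting(text):
    """Return the raw reuse_key value found in [renewalparams], or None if unset."""
    in_params = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_params = stripped == SECTION
            continue
        if in_params:
            match = KEY_RE.match(line)
            if match:
                return match.group(1)
    return None


def key_will_be_reused(text):
    """True only for a literal 'true' (any case), mirroring certbot's strict boolean parsing."""
    value = reuse_key_setting(text)
    return value is not None and value.lower() == "true"


def ensure_reuse_key(text):
    """Return the config text with reuse_key = True inside [renewalparams].

    Replaces an existing reuse_key line (e.g. False) in place, appends the key
    to the section if it is missing, and creates the section if absent.
    Every other line is preserved unchanged.
    """
    if key_will_be_reused(text):
        return text
    out, in_params, found_section, done = [], False, False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            # Leaving [renewalparams] without having written the key: add it now.
            if in_params and not done:
                out.append("reuse_key = True")
                done = True
            in_params = stripped == SECTION
            found_section = found_section or in_params
            out.append(line)
            continue
        if in_params and KEY_RE.match(line):
            out.append("reuse_key = True")  # overwrite reuse_key = False (or odd casing)
            done = True
            continue
        out.append(line)
    if not found_section:
        out.append(SECTION)
        in_params = True
    if in_params and not done:
        out.append("reuse_key = True")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: check_reuse_key.py /etc/letsencrypt/renewal/<lineage>.conf [--fix]
    if len(sys.argv) < 2:
        sys.exit("usage: %s RENEWAL_CONF [--fix]" % sys.argv[0])
    path = Path(sys.argv[1])
    original = path.read_text()
    if key_will_be_reused(original):
        print("%s: reuse_key = True, renewals will keep the current key" % path)
    elif "--fix" in sys.argv[2:]:
        path.write_text(ensure_reuse_key(original))
        print("%s: reuse_key = True written; run 'certbot renew --dry-run' to confirm" % path)
    else:
        print("%s: reuse_key not set (value=%r); next renewal will generate a new key"
              % (path, reuse_key_setting(original)))
        sys.exit(1)
```

The exit status makes the check usable from a cron job or a pre-renewal sanity script: a non-zero result means the next renewal would rotate the key and invalidate any TLSA `3 1 1` records that pin the current public key.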

That did it! I ran certbot renew --reuse-key --force-renewal and reuse_key = True appeared in the configuration file as you said. Thanks for your help!
