I’m using certbot 0.31.0 on Ubuntu 16.04. I enabled automatic renewal using systemd a few months ago and today it renewed and I realised that it generated a new key in the process. This new key invalidated my DNS DANE records, and I would like to avoid this. I would therefore like to configure the automatic certificate renewal to use the same key so that it does not invalidate DANE. Apparently I can change the systemd service file in /lib/systemd/system/certbot.service, but if I update certbot this is liable to be overwritten. Instead it seems appropriate to use the renewal configuration in the [renewalparams] section of /etc/letsencrypt/renewal/attackllama.com.conf. However, I have no idea if it is possible to configure certbot to use the existing key using this file - is there documentation somewhere with supported options for this file? Is there some other way to configure LetsEncrypt to use the same key in a way that would survive certbot client software updates?
I know I can configure a post renew hook for updating DNS but this runs into the problem that cached DNS records will have the wrong DANE TLSA records until a few TTLs after the renewal.
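The effect described in the question, as an added example that is not part of the original post: a DANE TLSA "3 1 1" record hashes only the certificate's SubjectPublicKeyInfo, so it survives a renewal exactly when the private key is reused. The script assumes `openssl` is installed and simulates the two renewals with locally generated, self-signed certificates for the placeholder name example.invalid.

```shell
#!/bin/sh
# Added example (not the poster's setup). Shows why a TLSA 3 1 1 record
# (DANE-EE, SPKI selector, SHA-256) is unchanged by a renewal that reuses the
# key and changed by one that generates a fresh key. Requires openssl only.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Print the TLSA 3 1 1 data field for a PEM certificate: the SHA-256 digest
# of its DER-encoded SubjectPublicKeyInfo. This is what goes into DNS.
tlsa_311_from_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Stand-in for a CA issuance so the demo runs offline: a self-signed
# certificate for the given key. The SPKI digest depends only on the key,
# so the comparison below holds for CA-issued certificates as well.
issue_self_signed() {  # $1 key file, $2 output cert, $3 validity in days
  openssl req -new -x509 -key "$1" -out "$2" -days "$3" \
    -subj "/CN=example.invalid" 2>/dev/null
}

gen_key() {  # $1 output file; 2048-bit RSA, enough for the demonstration
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Returns 0 when two certificates issued for the same key give identical
# TLSA 3 1 1 data: the outcome the poster wants from renewal.
same_key_keeps_tlsa() {
  gen_key "$WORK/reuse.key"
  issue_self_signed "$WORK/reuse.key" "$WORK/old.pem" 90
  issue_self_signed "$WORK/reuse.key" "$WORK/new.pem" 90
  [ "$(tlsa_311_from_cert "$WORK/old.pem")" = "$(tlsa_311_from_cert "$WORK/new.pem")" ]
}

# Returns 0 when a renewal with a fresh key changes the TLSA data, which is
# what invalidated the poster's published records.
new_key_breaks_tlsa() {
  gen_key "$WORK/k1.key"
  gen_key "$WORK/k2.key"
  issue_self_signed "$WORK/k1.key" "$WORK/c1.pem" 90
  issue_self_signed "$WORK/k2.key" "$WORK/c2.pem" 90
  [ "$(tlsa_311_from_cert "$WORK/c1.pem")" != "$(tlsa_311_from_cert "$WORK/c2.pem")" ]
}
```

Certbot 0.25.0 and later record the `--reuse-key` choice as `reuse_key = True` in the [renewalparams] section of the renewal file, which is the setting that produces the first outcome on later renewals.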