Duplicate certificates and certbot


#1

I am currently setting up my Nginx reverse proxies, maintained by me on 2 vServers, that each forward the http(s) traffic to a single Apache webserver, maintained by my webhoster.

Thus, I ended up with the following requirements for my certificates:

The private keys are different on each of these 4 systems.

My questions:

  1. Do I have to use the --duplicate option (https://certbot.eff.org/docs/using.html#command-line-options) for this use case?
  2. Does --duplicate have to be used as soon as two independent certificates need to be issued covering domains, of which at least one is identical?

If both questions are affirmed, I end up with these commands that will be executed on a fifth server:
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/ecdsa_prime256v1_00.csr --cert-path /srv/rsyncd88/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/ecdsa_prime256v1_01.csr --cert-path /srv/rsyncd190/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_00.csr --cert-path /srv/rsyncd88/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_01.csr --cert-path /srv/rsyncd190/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_02.csr --cert-path /srv/rsyncd88ub/
/bin/certbot certonly --duplicate --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_03.csr --cert-path /srv/rsyncd190ub/


#2

The --duplicate flag is only relevant for cert lineages managed by certbot, not those created with a pre-existing CSR.


#3

I see. Then, I execute the following commands a single time:
/bin/certbot certonly --webroot -w /var/www/htdocs/ --csr /home/le/certbot/ecdsa_prime256v1_00.csr --cert-path /srv/rsyncd88/
/bin/certbot certonly --webroot -w /var/www/htdocs/ --csr /home/le/certbot/ecdsa_prime256v1_01.csr --cert-path /srv/rsyncd190/
/bin/certbot certonly --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_00.csr --cert-path /srv/rsyncd88/
/bin/certbot certonly --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_01.csr --cert-path /srv/rsyncd190/
/bin/certbot certonly --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_02.csr --cert-path /srv/rsyncd88ub/
/bin/certbot certonly --webroot -w /var/www/htdocs/ --csr /home/le/certbot/rsa_3072_03.csr --cert-path /srv/rsyncd190ub/

And, I will execute this command regularly via cron:
/bin/certbot renew --quiet


#4

I haven’t checked in a while (maybe things changed recently), but from what I remember using --csr means you’ll have to handle renewal yourself and certbot renew won’t work. You should be able to do a quick test with certbot renew --dry-run to confirm that.

To renew while using --csr, you’d basically run the certbot certonly ... command again.


#5

I’ll refrain then from using “certbot renew”. Does “certbot certonly” also detect whether the certificate is near expiry?


#6

The --keep flag will prevent certs from being renewed early by certonly.


#7

Thanks for the info. I ended up with this command:

( cd /home/le/certbot/netcup190 && /bin/certbot certonly --keep-until-expiring --no-self-upgrade --quiet --webroot -w /var/www/htdocs/ --csr /home/le/certbot/netcup190/ecdsa_prime256v1_00.csr --cert-path /srv/netcup190/ecdsa.pem --chain-path /srv/netcup190/ecdsa_intermediate.pem )
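Putting posts #4, #6 and #7 together: with --csr there is no certbot-managed lineage, so renewal means re-running certonly from cron. The script below is an added example (not from this thread or the certbot project) that does exactly that for a list of CSRs; the flags and the netcup190 paths follow post #7, the RSA entry, the --fullchain-path location and the openssl -checkend guard (so certbot is only contacted when a cert is actually close to expiry) are my additions.

```shell
#!/bin/sh
# le-renew.sh: cron-driven renewal for certificates issued from a pre-existing
# CSR. certbot renew does not track --csr lineages, so each CSR is re-submitted
# with certonly; openssl -checkend guards so certbot is only called when due.
set -u
CERTBOT=${CERTBOT:-/bin/certbot}     # overridable, e.g. for testing
WEBROOT=${WEBROOT:-/var/www/htdocs/}
RENEW_DAYS=${RENEW_DAYS:-30}         # renew when less than this remains

# One entry per line: <csr> <cert output> <chain output>.
# First entry follows post #7; the second is an assumed RSA counterpart.
CERTS='
/home/le/certbot/netcup190/ecdsa_prime256v1_00.csr /srv/netcup190/ecdsa.pem /srv/netcup190/ecdsa_intermediate.pem
/home/le/certbot/netcup190/rsa_3072_00.csr /srv/netcup190/rsa.pem /srv/netcup190/rsa_intermediate.pem
'

# Succeeds when the cert is absent, unreadable, or expires within RENEW_DAYS.
needs_renewal() {
    [ -f "$1" ] || return 0
    ! openssl x509 -in "$1" -noout -checkend "$((RENEW_DAYS * 86400))" >/dev/null 2>&1
}

# Submit one CSR. Flags and output paths follow post #7; --fullchain-path keeps
# certbot from dropping 0000_*.pem files into whatever cron's cwd happens to be.
renew_one() {
    "$CERTBOT" certonly --keep-until-expiring --quiet --webroot -w "$WEBROOT" \
        --csr "$1" --cert-path "$2" --chain-path "$3" \
        --fullchain-path "${2%.pem}_fullchain.pem"
}
# Walk every entry; returns 1 if any renewal failed so cron's mail fires.
renew_all() {
    rc=0
    while read -r csr cert chain; do
        [ -n "$csr" ] || continue
        if ! needs_renewal "$cert"; then
            echo "le-renew: $cert valid for >$RENEW_DAYS days, skipping"
        elif renew_one "$csr" "$cert" "$chain"; then
            echo "le-renew: issued $cert from $csr"
        else
            echo "le-renew: FAILED $cert from $csr" >&2
            rc=1
        fi
    done <<EOF
$CERTS
EOF
    return "$rc"
}
# cron entry, e.g.:  17 3 * * *  /usr/local/bin/le-renew.sh run
case "${1:-}" in run) renew_all ;; esac
```

Run it daily rather than at the expiry day itself, so a failed HTTP-01 validation leaves time to notice the cron mail before the old cert lapses.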

