How Certbot handles multiple server, eab-kid and eab-hmac-key in renewalparams?

Hi everyone

What I have

Several certs from two different issuers on the same server. Credentials (server, eab-kid and eab-hmac-key) to both issuers are written in /etc/letsencrypt/cli.ini. The credentials to the issuer that has the fewest certificates are commented out. When the renewal time comes, I am supposed to uncomment them, and comment out the others, and run the renewal once again just for that other issuer.

What I want

I think there should be a better way. For example, is it possible to have all the information required for the renewal of a given certificate stored somewhere with it, so that it gets picked up by certbot automatically? This way there's no need to pass the credentials via the arguments or cli.ini.

(I looked at /etc/letsencrypt/renewal/example.com.conf, and I can see the account ID under the renewalparams section. When I go to the matching account folder, I can see the meta, private_key and regr files. Can they, combined, act as credentials if I simply remove the server, eab-kid and eab-hmac-key from cli.ini?)


I think eab-whatever are only needed when registering the account. So, it doesn't really matter.

I can't ask you to do certbot renew --dry-run because that will tell us nothing about the second issuer; it will try everything against Let's Encrypt staging.


Correct.

With regard to the use of cli.ini: it's not a good idea to use this file for changing variables. All of the options that can be used in cli.ini can also be used on the command line.


This is definitely true. And depending on the provider (Google and ZeroSSL in particular), the EAB credentials used to register an account may only be usable to register a single new account. Of the free ACME CAs that use EAB, I think only SSL.com allows you to reuse EAB creds.


While it's not good to change variables in these files, you can have multiple config files:

  1. Create multiple cli.ini files, and invoke Certbot with --config /path/to/cli.ini or -c /path/to/ini
  2. Certbot supports using --config-dir to change the default location from /etc/letsencrypt to something else (e.g. /etc/letsencrypt-alt). That allows you to use the same binary/installation but on a completely different directory structure.

With either of those options, you can manage multiple cli.ini config files and minimize the options passed on the commandline to simply --config or --config-dir. When doing automated renewals, you just have a dedicated cron (or other scheduler) entry for each configuration.

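One way to run the "dedicated entry per configuration" approach from the post above without commenting issuer settings in and out of a single cli.ini, as an added example that is not from this thread or from Certbot itself. It assumes Certbot's renewal conf layout (one INI file per lineage with a [renewalparams] section that carries a server line) and the --config option named in the post; the sample renewal confs, the account id and the second issuer's directory URL are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Certbot's own tooling. Two helpers:
#  - audit_renewal_servers: show which ACME server each lineage renews against,
#    so you can confirm nothing points at the wrong issuer before renewing.
#  - renew_with_configs: run one "certbot renew --config <ini>" per issuer,
#    which is what a per-configuration cron entry would do.

# Print "<lineage> <server>" for every renewal conf in the directory.
# Lineages with no server line print "-" so they stand out in the audit.
audit_renewal_servers() {
    dir="$1"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        # Only look at lines from [renewalparams] onward, take the first server key.
        server=$(sed -n '/^\[renewalparams\]/,$s/^server[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        printf '%s %s\n' "$name" "${server:--}"
    done
}

# List the lineages that renew against one particular server URL.
lineages_for_server() {
    dir="$1"; want="$2"
    audit_renewal_servers "$dir" | awk -v want="$want" '$2 == want { print $1 }'
}

# Run one renewal per cli.ini. A missing/unreadable ini is reported and
# skipped; the function's exit status is non-zero if any run failed.
# Set CERTBOT="echo certbot" to see the command lines without running them.
renew_with_configs() {
    rc=0
    for ini in "$@"; do
        if [ ! -r "$ini" ]; then
            echo "skip: $ini is not readable" >&2
            rc=1
            continue
        fi
        ${CERTBOT:-certbot} renew --config "$ini" || rc=1
    done
    return "$rc"
}

# Build a throwaway renewal directory with two CONSTRUCTED lineage confs,
# one per issuer, and print its path. The account id and the second
# issuer's URL are made-up placeholders.
make_sample_renewal_dir() {
    d=$(mktemp -d)
    cat > "$d/example.com.conf" <<'EOF'
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$d/alt.example.com.conf" <<'EOF'
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/alt.example.com
cert = /etc/letsencrypt/live/alt.example.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = fedcba9876543210fedcba9876543210
authenticator = webroot
server = https://acme.example-ca.test/directory
EOF
    printf '%s\n' "$d"
}

# Demo: audit the constructed confs, then show the per-issuer renew commands.
demo_dir=$(make_sample_renewal_dir)
audit_renewal_servers "$demo_dir"
CERTBOT="echo certbot" renew_with_configs /etc/letsencrypt/cli-letsencrypt.ini /etc/letsencrypt/cli-altca.ini || true
rm -rf "$demo_dir"
```

In a real deployment the two cron entries would each call `certbot renew --config` with their own ini, and the audit function is worth running from a monitoring job so a lineage whose server value drifts to the wrong issuer is noticed before its expiry date.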

Yes, that's possible, but why would you? It only makes things more complicated and, IMO, it doesn't solve anything.


I think eab-whatever are only needed when registering the account. So, it doesn't really matter.

Sorry about the confusion. I swapped all three variables because I just got used to swapping all three because that worked. But I guess only swapping the server is required then.

Because of the way things are automated on my server, I can't make these command line customisations, not easily. Simply speaking, right now I have CRON call certbot renew and that's it. So is there a way to have the required config value (only the server value, apparently) picked up automatically? I can see it in regr.json inside the account folder that is linked to from within the renewal conf. Will that be picked up?

Not if it's in renewal.conf


If you're mixing multiple cli.ini files and you DON'T specify any --config or --config-dir options when renewing, this can only lead to many issues, as cli.ini values are overriding the renewal configuration files, as far as I know. And if renewals are working with just a single cli.ini file, for most it won't be the correct one.

The server option is stored in the renewal configuration file. But if an incorrect cli.ini is used, it could be overridden by cli.ini and thus be incorrect.

I'd like to urge you VERY strongly to reconsider your current setup.

