How i can make task for renew certificate?

Hi. I have ubuntu server and i make new certificate:

./acme.sh ----renew -d ladesol-tambov.com -d '*.ladesol-tambov.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

  1. What should I add to the cron?
  2. After renewing the certificate, will the fingerprint be changed?
    I sign an RDP file with this certificate, so I wonder if after 3 months it will cease to be valid?

acme.sh usually installs a cron job by itself. You can check whether it's there:

crontab -l

Yes, the certificate fingerprint will change because its contents (such as the expiry date) will have changed.

From what little I know about Windows, I don't think it makes any sense to sign RDP files with Let's Encrypt certificates.

You wouldn't gain any extra trustworthiness from using a public CA like Let's Encrypt, and you have to manually trust the certificate on every machine in the network anyway as it wouldn't be trusted by default. This is made especially more painful because you have to repeat the process at least every 90 days.

Maybe it's better to do the standard Windows thing: generate a longer-term certificate for RDP signing, and trust that.

1 Like

Thank you !

WildCart to?

1 Like

Yes, renewing any kind of certificate will cause its fingerprint to change.

Can you show how you do this?
Was there a guide that you followed?

Thanks

rg305, https://docs.microsoft.com/ru-ru/windows-server/administration/windows-commands/rdpsign

sry for Russian link.

1 Like

The English version was easy to find:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rdpsign

OK, so now I know how you do this.
I'm still not sure why you do this.
And how using a publicly signed cert to sign an .rdp file is any better than just providing the .rdp file via an encrypted link that is being secured by that publicly signed cert at the site of that cert.

Signing an RDP file removes the unreliable source warning when opening a file.

1 Like

OK, now I think I understand how and why you sign an .rdp file.

Have you been able to fully automate the rdpsigning process in with your cert renewals?

I can set new certificate for my server: https://www.win-acme.com/manual/advanced-use/examples/rds

But If the fingerprint changes every 3 months, it is not possible to automate the signature of the RDP file.

I'll have to sign it somehow, and then distribute a new rdp file to all clients. On a local network, maybe i can automate with powershell and group policies, but by for external users I do not want to distribute a new shortcut every 3 months.

Perhaps the shortcut could be to an online file - which you can then update anytime.

Anything that can be done manually can be automated :slight_smile: