How to force the certificate to expire?

lynob · June 19, 2020, 1:54pm

I have 3 servers, I created a letsencrypt wildcard certificate and verified it in cloudflare.

I’m writing a bash script that should renew the certificate, ssh to all the servers and place the certificate in the appropriate location then restart the web servers.

I need to see what’s the output of

certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.example.com' -d example.com

when the dns certificate expires and I need to test and see if my bash script runs correctly. If I run this command now, the certificate hasn’t yet expired so I’m going to be asked two questions, so it’s not going to be the same output if the certificate expires.

I need to create a scenario that I can use to test my script.

bruncsak · June 19, 2020, 3:32pm

I use the following shell function to get the expiry time expressed in seconds since the epoch. After that it is just simple integer math with the current datetime also expressed in the same format.

getexptime() {
   date -d "$(openssl x509 -noout -enddate -in "$1" | cut -d= -f 2-)" +%s
}

lynob · June 19, 2020, 4:12pm

So this returns the expiry date, perfect thank you so much! I also need to know what happens when I run the auto renew, I need to simulate it.

Like do I need to write yes? do I need to connect the cloudflare’s api? you know, I haven’t found a decisive answer on how to renew dns wildcard so I need to run certbot to see the output in the terminal and see what actions need to be taken.

Osiris · June 19, 2020, 4:55pm

I wouldn’t recommend running certbot like this. Certbot is meant to be run on it’s own (if I’m not mistaken). The idea is that necessary steps before, during or after the issuing/renewing of the certificate are ran by certbot self. It has multiple options which allow commands and/or scripts to be run on different times in the renewal process.

Especially for the manual plugin this is required: when using --manual without the required “hooks”, certbot will ask you tasks and questions about the required TXT records and require manual input. The idea is to use scripts in those “hooks”, so certbot can run without any interaction by the user.

See this part of the certbot documentation: https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

There are also other hooks like --pre-hook, --post-hook and --deploy-hook.

JuergenAuer · June 19, 2020, 5:46pm

Hi @lynob

I think that's the wrong way.

Standard: Renew certificates if they are max. 30 days valid. If something goes wrong, the client should send a mail, an alert, something else.

If the certificate is already expired, that's too late.

Your code should warn early enough.

lynob · June 19, 2020, 6:05pm

Guys I’m not going to create a warning system, that’s a default feature of letsencrypt

I want to create a bash script that connects to cloudflare and add the txt records needed.

For that I need to parse the output of certbot renew command so that I know what actions to take.

Osiris · June 19, 2020, 6:13pm

No you don't. Please read my post above about hooks. certbot output is NOT meant to be parsed.

JuergenAuer · June 19, 2020, 6:14pm

Then the status of the old certificate isn't relevant.

PS: And the correct place to start your script ... is the hook.

Osiris · June 19, 2020, 6:15pm

It is if he/she wants to implement automated renewal and wants to test the "does this certificate needs renewal or not" function.

In any case, you can't force a certificate to expire: a certificates "Not after" date and time is an essential part of the certificate and is signed by the signing private key. This cannot be altered.

JuergenAuer · June 19, 2020, 6:22pm

Then only the certificate and a small parsing is required.

My own client checks that:

certificate is 2 days valid
certificate is -10 days valid

All < 30 (or another value of that parameter) -> renew.

Works

domyssl · June 26, 2020, 10:10am

hallo

how to work the system ???

a script get a time and auto renew ???

AllanTaylor314 · June 26, 2020, 11:42am

Don’t reinvent the wheel: certbot renew can already run before and after scripts.

Cron command (run as root):
certbot renew --cert-name EXAMPLE.COM --manual --preferred-challenges http,dns --manual-auth-hook /root/auth-hook --manual-cleanup-hook /root/auth-hook-clean --deploy-hook /root/auth-hook-deploy --manual-public-ip-logging-ok --staple-ocsp

Put the files from here in /root/
Replace YOUR_TOKEN_HERE with your Cloudflare API token
I’ve tinkered with this script till it worked for me. Hopefully, it works for you

system · July 26, 2020, 11:54am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.