How to force the certificate to expire?

I have 3 servers. I created a Let's Encrypt wildcard certificate and verified it in Cloudflare.

I’m writing a bash script that should renew the certificate, ssh to all the servers, place the certificate in the appropriate location, and then restart the web servers.

I need to see what’s the output of

certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.example.com' -d example.com

when the DNS certificate expires, and I need to test and see if my bash script runs correctly. If I run this command now, the certificate hasn’t expired yet, so I’m going to be asked two questions, so it’s not going to be the same output as when the certificate expires.

I need to create a scenario that I can use to test my script.


I use the following shell function to get the expiry time expressed in seconds since the epoch. After that it is just simple integer math with the current datetime also expressed in the same format.

getexptime() {
   # print the certificate's notAfter as seconds since the epoch (GNU date -d)
   date -d "$(openssl x509 -noout -enddate -in "$1" | cut -d= -f 2-)" +%s
}

So this returns the expiry date. Perfect, thank you so much! I also need to know what happens when I run the auto-renew; I need to simulate it.

Like, do I need to write yes? Do I need to connect to Cloudflare’s API? You know, I haven’t found a decisive answer on how to renew a DNS wildcard, so I need to run certbot to see the output in the terminal and see what actions need to be taken.

I wouldn’t recommend running certbot like this. Certbot is meant to be run on its own (if I’m not mistaken). The idea is that the necessary steps before, during or after the issuing/renewing of the certificate are run by certbot itself. It has multiple options which allow commands and/or scripts to be run at different times in the renewal process.

Especially for the manual plugin this is required: when using --manual without the required “hooks”, certbot will give you tasks and ask questions about the required TXT records, and will require manual input. The idea is to use scripts in those “hooks”, so certbot can run without any interaction by the user.

See this part of the certbot documentation: https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

There are also other hooks like --pre-hook, --post-hook and --deploy-hook.

Hi @lynob

I think that's the wrong way.

Standard: renew certificates if they are valid for at most 30 days. If something goes wrong, the client should send a mail, an alert, something else.

If the certificate is already expired, that's too late.

Your code should warn early enough.

Guys, I’m not going to create a warning system; that’s a default feature of Let's Encrypt.

I want to create a bash script that connects to Cloudflare and adds the TXT records needed.

For that I need to parse the output of the certbot renew command so that I know what actions to take.

No, you don't. Please read my post above about hooks. certbot output is NOT meant to be parsed.

Then the status of the old certificate isn't relevant.

PS: And the correct place to start your script ... is the hook.


It is if he/she wants to implement automated renewal and wants to test the "does this certificate need renewal or not" function.

In any case, you can't force a certificate to expire: a certificate's "Not After" date and time is an essential part of the certificate and is signed by the signing private key. This cannot be altered.


Then only the certificate and a little parsing are required.

My own client checks that:

certificate is 2 days valid
certificate is -10 days valid

All < 30 (or another value of that parameter) -> renew.

Works :wink:

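Putting the two posts above together (the epoch-seconds function and the "fewer than 30 days left -> renew" rule), here is an added example that is not code from the thread. It turns the remaining lifetime into a renew/don't-renew decision, treats an already-expired certificate (negative days) as "renew", and builds a throwaway self-signed certificate so the logic can be tested without waiting for a real expiry. It assumes GNU date (date -d) and openssl on PATH; the helper names, the threshold parameter and the CN test.example.com are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): renew/don't-renew decision built on
# "notAfter as seconds since the epoch". Assumes GNU date (-d) and openssl;
# on macOS/BSD replace date -d with 'date -j -f "%b %e %T %Y %Z"'.
set -eu

# Seconds until notAfter; negative once the certificate has expired.
cert_seconds_left() {
    local end
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2-)
    echo $(( $(date -d "$end" +%s) - $(date +%s) ))
}

# Whole days until notAfter (truncated toward zero, so -10 for 10 days past).
cert_days_left() {
    local s
    s=$(cert_seconds_left "$1")
    echo $(( s / 86400 ))
}

# Exit 0 when fewer than THRESHOLD days remain (default 30), else 1.
# An expired certificate has negative days left and is therefore always "renew".
needs_renewal() {  # needs_renewal CERT_FILE [THRESHOLD_DAYS]
    local days threshold=${2:-30}
    days=$(cert_days_left "$1")
    [ "$days" -lt "$threshold" ]
}

# Constructed fixture (hypothetical CN): a self-signed certificate valid for
# DAYS days, so the check can be exercised without a real expiry.
make_test_cert() {  # make_test_cert OUT_PEM DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" -out "$1" \
        -days "$2" -subj "/CN=test.example.com" 2>/dev/null
}

# Usage, guarded so that sourcing this file for its functions does nothing:
#   bash expiry-check.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp/cert.pem" 10
    if needs_renewal "$tmp/cert.pem"; then
        echo "renew: $(cert_days_left "$tmp/cert.pem") days left"
    else
        echo "ok: $(cert_days_left "$tmp/cert.pem") days left"
    fi
    rm -rf "$tmp"
fi
```

Because the comparison is on the signed number of days, the same branch covers "expired yesterday" and "expires in a week"; the only thing the script cannot do is make a real certificate expire early, which is why a freshly generated short-lived fixture is used instead.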

Hello

How does the system work???

A script gets a time and auto-renews???

Don’t reinvent the wheel: certbot renew can already run scripts before and after.

Cron command (run as root):
certbot renew --cert-name EXAMPLE.COM --manual --preferred-challenges http,dns --manual-auth-hook /root/auth-hook --manual-cleanup-hook /root/auth-hook-clean --deploy-hook /root/auth-hook-deploy --manual-public-ip-logging-ok --staple-ocsp

Put the files from here in /root/
Replace YOUR_TOKEN_HERE with your Cloudflare API token
I’ve tinkered with this script until it worked for me. Hopefully it works for you.

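The post above refers to hook files that are not reproduced here, so the following is an added example of what a Cloudflare DNS-01 hook for certbot's --manual-auth-hook and --manual-cleanup-hook looks like; it is not the poster's script. It relies on the environment variables certbot documents for manual hooks (CERTBOT_DOMAIN, CERTBOT_VALIDATION, and CERTBOT_AUTH_OUTPUT, which carries whatever the auth hook printed to stdout) and on the Cloudflare v4 API endpoints for creating and deleting DNS records. Assumptions of this example: the token and zone id are exported as CF_API_TOKEN and CF_ZONE_ID (e.g. from a root-only env file rather than the command line), curl, jq and dig are installed, and the script is installed as /root/cf-hook and invoked with an "auth" or "cleanup" argument.

```bash
#!/usr/bin/env bash
# Added example (not the thread's files): one script serving as both
#   --manual-auth-hook "/root/cf-hook auth"
#   --manual-cleanup-hook "/root/cf-hook cleanup"
# Assumes CF_API_TOKEN and CF_ZONE_ID are exported (hypothetical names) and
# curl, jq and dig are present. Path /root/cf-hook is an assumption.
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# DNS-01 always validates _acme-challenge.<name>. A leading wildcard label is
# dropped, so '*.example.com' and 'example.com' share one record name (certbot
# already strips '*.' before setting CERTBOT_DOMAIN; this is defensive).
txt_record_name() {  # txt_record_name DOMAIN
    local d=${1#\*.}
    printf '_acme-challenge.%s' "$d"
}

# JSON body for Cloudflare's "create DNS record" call. ACME validation strings
# are base64url, so no JSON escaping is needed for the content field.
build_record_json() {  # build_record_json NAME VALUE
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' "$1" "$2"
}

cf_post() {  # cf_post PATH JSON_BODY
    curl -fsS -X POST "$CF_API$1" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" --data "$2"
}

cf_delete() {  # cf_delete PATH
    curl -fsS -X DELETE "$CF_API$1" -H "Authorization: Bearer $CF_API_TOKEN"
}

# Let's Encrypt validates from its own resolvers, not from this host, so wait
# until a public resolver returns the value before handing control back.
wait_for_txt() {  # wait_for_txt NAME VALUE
    local i
    for i in $(seq 1 24); do
        if dig +short TXT "$1" @1.1.1.1 | tr -d '"' | grep -qxF "$2"; then
            return 0
        fi
        sleep 5
    done
    echo "TXT $1 not visible after 120s" >&2
    return 1
}

auth_hook() {
    local name body id
    name=$(txt_record_name "$CERTBOT_DOMAIN")
    body=$(build_record_json "$name" "$CERTBOT_VALIDATION")
    id=$(cf_post "/zones/$CF_ZONE_ID/dns_records" "$body" | jq -r '.result.id')
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
    # stdout becomes CERTBOT_AUTH_OUTPUT for the cleanup hook
    printf '%s\n' "$id"
}

cleanup_hook() {
    local id
    # certbot runs the auth hook once per name in the certificate, so each
    # record id it printed is deleted here rather than deleting by name
    for id in $CERTBOT_AUTH_OUTPUT; do
        cf_delete "/zones/$CF_ZONE_ID/dns_records/$id" >/dev/null
    done
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Two records with the same name are created for a wildcard plus apex certificate (one per validation), which is why cleanup deletes by record id from CERTBOT_AUTH_OUTPUT instead of by name. Keep the API token out of the crontab line and out of shell history: scope it to DNS edit on the one zone, store it in a mode 600 file owned by root, and source that file before certbot runs.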
