How to get certbot to just download?

Hi

I would like certbot to simply download certificates (if it doesn't already have them). It seems whatever I do, that certbot requests a new certificate. Is there a way of just downloading and then triggering a hook?

I've registered an ACME account with my provider and told certbot about it.

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.11.0

1 Like

Hi @bobfindlay

Certbot is an ACME-client, so requesting a new certificate is expected.

But why do you need such a function?

If you have a log, you can use the certificate url.

If you have the serial number, you can use

https://acme-v02.api.letsencrypt.org/acme/cert/ + serialnumber

https://acme-v02.api.letsencrypt.org/acme/cert/039FA5A7471E5E979C7E4DD58DA267B03C20

to download a certificate.

The first url is the schema, the second url is the current forum certificate.

1 Like

Well, we have over 100 different certs on different machines running different software. I had high hopes for certbot automating it, but to be honest it's failed on every one I've tried for various reasons, so I'm resigned to doing the work by hand.

The certs are set to auto-renew, and I was hoping to at least have certbot dl the certificate and run a generic post-process to convert it to different formats, so that I could have a central repository of current certificates. Perhaps the only way to do that is a series of wgets, but then there's no knowledge as to if the certificate has been updated and therefore if anything needs to be done.

1 Like

I don't understand the problem.

If a certificate is created, the ACME client has to download the certificate.

Why doesn't that work? Fix that.

Downloading the certificate in a second step isn't required if the client works.

So you should fix the primary problem.

You can do that if you change your setup.

Read

create a new subdomain (sample: acme.yourdomain.com), then 302 redirects

http://yourfirstdomain.com/.well-known/acme-challenge/random-filename -> http://acme.yourdomain.com/.well-known/acme-challenge/random-filename

then you can run Certbot with the webroot acme.yourdomain.com and certonly on that machine.

Then all certificates are stored on acme.yourdomain.com and you can do what you want.

1 Like

You might want to look at --deploy-hook.

https://certbot.eff.org/docs/using.html

2 Likes
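
One way to use the `--deploy-hook` suggested above for the central-repository goal raised earlier in the thread, as an added example that is not from any poster or from Certbot itself. The store path `/srv/certs`, the function names and the DER conversion are assumptions; `RENEWED_LINEAGE` is the variable Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that refreshes a central certificate
# store and runs a post-process step only when the certificate changed.
# Assumptions: REPO and the DER conversion are illustrative choices.
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# for --deploy-hook commands after a successful issuance or renewal.

REPO="${REPO:-/srv/certs}"   # hypothetical central store

# sync_cert SRC DEST [HOOK ARGS...]
# Prints "updated" or "unchanged". HOOK runs with DEST appended, only on change.
sync_cert() {
    src=$1; dest=$2; shift 2
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 2; }
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo unchanged
        return 0
    fi
    mkdir -p "$(dirname "$dest")"
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    # Copy to a temp file and rename, so readers never see a partial file.
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" \
        || { rm -f "$tmp"; return 2; }
    if [ $# -gt 0 ] && ! "$@" "$dest"; then
        # Drop the copy so the next run retries instead of saying "unchanged".
        rm -f "$dest"
        return 2
    fi
    echo updated
}

# Post-process: convert the leaf certificate (first PEM block) to DER.
to_der() {
    openssl x509 -in "$1" -outform DER -out "${1%.pem}.der"
}

# Runs only when Certbot invokes this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(basename "$RENEWED_LINEAGE")
    # Only the public chain is copied; privkey.pem never leaves the host.
    sync_cert "$RENEWED_LINEAGE/fullchain.pem" \
              "$REPO/$name/fullchain.pem" to_der
fi
```

The same `sync_cert` function also covers the wget case described above: point it at the downloaded file and it reports whether anything needs to be done.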