If a certificate is renewed what happens to old certificate?


#1
  1. In case a certificate is renewed before expiry, what happens to the old copy of the certificate? Can it still be used till it expires?
  2. If I move the directories under /etc/letsencrypt/ to say, /home/centos/LE how do I make certbot renew certificates from the new directory? I tried following command:

sudo certbot certonly --cert-path /home/centos/LE/live/cert.pem -n --force-renewal --standalone -d bg.ssldemo.xyz --standalone-supported-challenges http-01

This renewed the certificate but put it under /etc/letsecrypt/live/ instead of /home/centos/LE/live

The bg.ssldemo.xyz.conf file under the /home/centos/LE/renewal directory had the correct entries pointing to entries under /home/centos/LE/live/cert.pem and other files.


#2

When certbot renews a certificate, it adds a number of new files in /etc/letsencrypt/archive/example.com. This directory contains all certificates you’ve requested with that particular certbot installation. The files are named cert<N>.pem, where <N> is a number that’s incremented for each renewal. certbot also maintains the /etc/letsencrypt/live/example.com directory, which contains symlinks to the most recent certificate in the archive directory.

To summarize: The old copy is kept around in /archive. However, it is highly recommended to just point your server software to the relevant file in /live and let certbot take care of managing this for you.

I would recommend avoiding this and rather embracing the default directory structure in /etc/letsencrypt. You’re pretty much on your own when it comes to managing renewals otherwise. A better solution - if the files absolutely need to be in /home/centos/LE - would be to create symlinks to the relevant directory in /live. Alternatively, you could copy (not move) the files from /live to the target directory in a renew hook (i.e. whenever the certificates are actually renewed - take a look at --post-hook and --renew-hook).

It’s hard to miss something when making manual modifications to /live or /archive, so I would generally stay away from that.


#3

Thanks for the response.

I have a use case where I pre-generate certificates on a central server and its not until a later time that the certificate is provisioned for a device. The central server is also responsible for renewing the certificate. It is each device’s responsibility to monitor it’s cert expiry and poll the central server for a renewed cert once it detects cert expiry.

I was thinking about the case where the central server renews the certificate on it’s local file system but the device has yet not asked the central server for the renewed certificate. In this case would the cert currently installed on the device’s web server be valid? Will the browser complain?

W.r.t using /etc/letsencrypt as a default directory, what if I move the certificate files and key to a database and then just before renewing put them back under /etc/letsencrypt. This should be fine right?


#4

No, that’s fine. You can have multiple certificates for the same domain and they’ll all remain valid as long as they haven’t expired or been revoked.

You’ll have to re-implement the directory/file structure exactly the way certbot has implemented it, including the /archive directory with the numbering scheme. It’s very easy to miss something that will cause issues down the line.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.