Is auto renew possible when supplying your own CSR?

I am providing my own CSR file, which means my certs are not output into the typical /etc/letsencrypt directories. I run this command:

letsencrypt certonly --webroot --csr MY-OWN-CSR.csr -w /var/www/html -d

(you’ll also notice I’m running an older version of certbot, known as letsencrypt, because I’m on an old version of Ubuntu)

So, my certs are output into the local directory. I’m wondering, since the certs are output to local directory instead of the standard /etc/letsencrypt directories, then will letsencrypt be able to do auto-renewal, or will it be unable to find the existing certs to tell whether they are expired?

Also, outputting the files into the local directory just seems like a bad place to keep them… I could have hundreds or thousands of certs, all sitting in this single directory. If letsencrypt renewal will work by finding the certs in the local directory, is there a way to tell it to look in a different directory, so that I can organize my certs a little better?

Unfortunately, you can’t use the renew feature of certbot when using --csr. It does not use the /live/ or /archive/ directories, nor does it generate a renewal configuration file in /renewal/.

Two options:

  • Use the certbot command from inside a script and call that script in a cron job
  • Use --renew-hook on the command line to point to a script which will take care of all the moving of certificates and reloading the webserver et cetera and use that certbot-auto command (including the --renew-hook) in a cron job.

Do note however: you will need to script your own “Is it time for renewal yet?” kind of function. If you run certbot-auto only once per 2 months (the advised renewal time of 60 days) and for some reason the renewal wouldn’t work, you would be faced with an expired certificate one month later…
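A cron-driven script implementing the first option above, added here as an example and not taken from the thread: it reads the expiry of the certificate issued from the CSR with openssl, re-runs the certonly --csr command only when fewer than 30 days remain, and uses certbot's --cert-path/--chain-path/--fullchain-path options to send the output to a directory of your choosing instead of the working directory. The CSR path, certificate directory, domain and reload command are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven renewal for a certificate issued with --csr,
# which certbot does not track in /etc/letsencrypt. Run it daily from cron as: sh renew-csr.sh run
# Placeholders to adapt: CSR_FILE, CERT_DIR, DOMAIN, WEBROOT and the reload command at the end.
set -u

CSR_FILE="/etc/ssl/private/MY-OWN-CSR.csr"   # placeholder
CERT_DIR="/etc/ssl/letsencrypt/example.com"  # placeholder; keeps the output out of the working directory
DOMAIN="example.com"                          # placeholder for the value passed to -d
WEBROOT="/var/www/html"
RENEW_BEFORE_DAYS=30   # daily runs with a 30-day margin leave room for retries if one run fails

# Pure decision logic, testable without openssl or certbot.
# $1 = notAfter as Unix epoch, $2 = current time as Unix epoch, $3 = margin in days.
# Returns 0 (renew) when fewer than $3 days remain, including when the cert has already expired.
needs_renewal() {
  remaining_days=$(( ($1 - $2) / 86400 ))
  [ "$remaining_days" -lt "$3" ]
}

# notAfter of a PEM certificate as a Unix epoch (GNU date; BSD/macOS needs date -j -f instead).
cert_not_after_epoch() {
  end_date=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  date -d "$end_date" +%s
}

run_check() {
  live="$CERT_DIR/live"
  if [ -f "$live/cert.pem" ] &&
     ! needs_renewal "$(cert_not_after_epoch "$live/cert.pem")" "$(date +%s)" "$RENEW_BEFORE_DAYS"; then
    echo "$DOMAIN: certificate still valid, nothing to do"
    return 0
  fi
  out="$CERT_DIR/$(date +%Y%m%d-%H%M%S)"   # one directory per issuance keeps old certs organised
  mkdir -p "$out" "$live"
  # --cert-path/--chain-path/--fullchain-path redirect the --csr output; certbot still prefixes
  # the file names with a counter (0000_cert.pem, ...), hence the globs when copying below.
  letsencrypt certonly --webroot --non-interactive --csr "$CSR_FILE" -w "$WEBROOT" -d "$DOMAIN" \
      --cert-path "$out/cert.pem" --chain-path "$out/chain.pem" --fullchain-path "$out/fullchain.pem" \
      || { echo "$DOMAIN: renewal FAILED, will retry on the next cron run" >&2; return 1; }
  cp "$out"/*cert.pem "$live/cert.pem" && cp "$out"/*fullchain.pem "$live/fullchain.pem" || return 1
  service nginx reload   # placeholder: reload whatever serves $live/fullchain.pem
}

if [ "${1:-}" = run ]; then run_check; fi
```

Because the check runs daily rather than once every 60 days, a single failed run is logged and retried the next day instead of leaving an expired certificate a month later.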
