Issue Certificates From Multiple Providers


#1

I have certbot working properly using the setup below, but I’m interested to know whether it’s possible to have a backup certificate provider as per Scott Helme’s article here.

While this probably seems overkill it raises an interesting point of reliance on Let’s Encrypt and what happens if they are offline for an extended timeframe.

As per the output below I get a warning that I already have an unexpired certificate for my domain and do I want to overwrite it. The answer to which is no; I’d like a second certificate, ideally stored in the same/similar location to my Let’s Encrypt certificates.

I’ve seen the options for --work-dir, --logs-dir and --config-dir. Would this be enough to separate the different directories, or do I need a different machine with a clean setup for the other provider?

My domain is: clanrose.org.uk

I ran this command: certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.certbot_credentials -d *.clanrose.org.uk -d clanrose.org.uk --server 'https://api.buypass.com/acme/directory'

It produced this output:
Plugins selected: Authenticator dns-cloudflare, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/clanrose.org.uk.conf)

My web server is (include version): nginx 1.15.5

The operating system my web server runs on is (include version): Ubuntu Server 18.10

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0


#2

You can use --duplicate to create the certificate.

Does Buypass allow wildcards?


#3

Hi @mnordhoff,

Thanks for the quick response, I hadn’t even thought about whether Buypass offered wildcard certificates.

Having had a look through their technical documents it looks like ACME v2 is currently under test. Whether that means the certificates issued aren’t fully valid in the same sense as the LE staging environment, or there are other issues/limits, I’m not sure; I’ll put a note on the forums later to try and find out.

Thanks for the --duplicate option as well, I’ll look into that as well later on.


#4

Hi @mnordhoff,

Had a reply back from Buypass today saying the test endpoint would produce a valid wildcard certificate, but it won’t be trusted by browsers, so it’s similar to the LE staging environment.

It looks like they are still developing it though as I got an error through that was incorrectly flagged which they’ve now changed. The error was due to CAA records on my domain which now flag a CAA rejection error.

The duplicate option works as you suggested and I’ve generated a backup single domain certificate using their live v1 endpoint.

Thanks for your help.
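As an added example (not code from the thread or from Certbot), the following script isolates the second provider's state with the --config-dir, --work-dir and --logs-dir options asked about in #1, so certbot never sees the Let's Encrypt lineage and --duplicate is not needed, and then picks whichever provider's certificate is still valid for the web server. The directory paths under /etc, /var/lib and /var/log are assumptions; the Buypass directory URL, plugin and credentials file are the ones from the thread.

```shell
#!/bin/sh
# Added example: keep a second ACME CA's certificates in their own certbot
# directories so the two providers' lineages never collide, then select a
# certificate that is still valid. Paths under /etc, /var/lib, /var/log are assumed.

# Print the certbot arguments that isolate one provider's state.
# $1 = provider name, $2 = ACME directory URL
acme_args() {
    name=$1
    server=$2
    printf '%s ' \
        --config-dir "/etc/$name" \
        --work-dir "/var/lib/$name" \
        --logs-dir "/var/log/$name" \
        --server "$server"
}

# Issue (or renew) the backup single-domain certificate from Buypass using the
# same dns-cloudflare plugin and credentials file as the command in the thread.
issue_backup() {
    # word-splitting the printed arguments is intended (paths contain no spaces)
    certbot certonly --dns-cloudflare \
        --dns-cloudflare-credentials /root/.certbot_credentials \
        -d clanrose.org.uk \
        $(acme_args buypass https://api.buypass.com/acme/directory)
}

# Print the first certificate that remains valid for at least $1 more seconds.
# Remaining arguments are candidate fullchain.pem paths in order of preference.
# Returns 1 if none is usable, so a deploy hook can stop instead of shipping nothing.
select_live_cert() {
    min_seconds=$1
    shift
    for cert in "$@"; do
        [ -r "$cert" ] || continue
        if openssl x509 -in "$cert" -noout -checkend "$min_seconds" >/dev/null 2>&1; then
            printf '%s\n' "$cert"
            return 0
        fi
    done
    return 1
}

# Typical use from a renew hook: prefer Let's Encrypt, fall back to Buypass.
# select_live_cert 604800 /etc/letsencrypt/live/clanrose.org.uk/fullchain.pem \
#                         /etc/buypass/live/clanrose.org.uk/fullchain.pem
```

With separate directories, `certbot renew --config-dir /etc/buypass --work-dir /var/lib/buypass --logs-dir /var/log/buypass` renews only the backup lineage, while the default `certbot renew` keeps handling the Let's Encrypt one.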