A cloud server crashed and had to be rebuilt shortly after I created the initial letsencrypt certificates. I have the certs, but not the contents of /etc/letsencrypt or /opt/letsencrypt - is there any way to renew based solely on the existing csr, crt and key? I do have HSTS turned on, so was hoping that this major mistake of not having multiple/any backups was not going to bite me too hard.
After that moment of “oh sh**” I found the backup containing everything I think I need from the /etc/ folder. If there is a way around this it may still help someone else who makes a mistake, so I welcome any comments.
As long as you haven’t hit the rate limit for issuance, you can always just re-run certbot to issue again. If you hit the rate limit, and your server crashes, and you don’t have backups, you just have to wait a week for the rate limit to expire.
OK, thank you, these backups won’t be lost again, unless I lose about 5 machines.
FWIW, we regularly backup our certbot certs to offline storage.
Most of our cert handling is via a client that stores certs via sqlite into a portable datastore, then provisions them onto machines as needed.
That is similar to what I’m thinking longer term. We use salt for provisioning, so the output will likely get updated in the master pillar data (replicated to each minion) and then run the state on each server according to its role and committed to a locked repository via gpg.
That sounds good.
Our use-case is specifically for hosting infinite domains via ssl, without configuring a server. To do that, I built a client/cert-manager for my team – https://github.com/aptise/peter_sslers which is incredibly insecure by design.
We basically spin up ‘public’ instances for talking to ACME as needed, and save the data to postgres. We have a private secured admin instance on our LAN that has a dashboard and api to orchestrate all the ACME work and can serve certificates (or cache them into redis). Instead of nginx, we use the openresty variant which can pull an ssl cert from memory/redis/external-api.
I’m slowly migrating our core domains onto the same certificate manager – except the internal ones use a sqlite datastore. An automated task detects new certificates, backs up the datastore, and provisions new certs to other machines. (The core domains are hardcoded into our conf; the openresty stuff works on wildcard domains which are handled differently.)
Aha, yes, I’m really only handling N webservers x N (mostly 2) domains, all of which need to go into the salt pillar files. Infinite domains would force another solution to my issue. It could be done but may not be tenable.