So… I have a cert I generated a couple months back using a CSR from an existing app:
./certbot-auto --manual --preferred-challenges dns certonly --csr /home/jsmith/mysub.csr -d mysub.mydom.org
which gave me:
0000_cert.pem 0000_chain.pem 0001_chain.pem files in the cwd where I ran certbot-auto from. Awesome. I used the certs; they worked great.
I recently (today) got dns-route53 working with certbot and I’ve renewed a couple certs with it, certs that were already in /etc/letsencrypt, and they were detected and renewed automagically with just:
./certbot-auto certonly --dns-route53 -d mysub2.mydom.org
./certbot-auto certonly --dns-route53 -d mysub3.mydom.org
Awesome!
My question is how do I convert the mysub.mydom.org cert I created via a manual method with a custom CSR? The pem files were just placed in the CWD. How do I make it renewable and part of the /etc/letsencrypt dir? Do I create all the paths and files similar to mysub2.mydom.org, which has its own live/ and archive/ dirs etc. in /etc/letsencrypt? I’m ok with that if I knew what all those dependencies are. Is there a better way?
You should find a file called /etc/letsencrypt/renewal/mysub.mydom.org .
In there, it will list:
authenticator = manual
You may be able to change that to
authenticator = dns-route53
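The edit above is a one-key change inside certbot's renewal config, which is an INI-style file with the lineage paths at the top and an [renewalparams] section holding the authenticator. Below is an added example (my own code, not certbot's and not from anyone in this thread) that makes that change on a constructed sample config, refusing to touch a file that has no [renewalparams] section or no authenticator key, and keeping a .bak copy when writing to disk. The account id and paths in the sample are placeholders; a lineage obtained with --csr, as the original poster's was, has no such file at all, so this only applies where certbot did create one.

```python
"""Switch the authenticator in a certbot renewal config without hand-editing it.

Added example, not certbot's own code. Assumes the usual layout of
/etc/letsencrypt/renewal/<name>.conf: top-level path keys, then a
[renewalparams] section containing 'authenticator = <plugin>'.
"""
import re
import shutil
from pathlib import Path

# Constructed sample of a renewal config written for a --manual lineage.
# Paths and the account id are placeholders, not values from a real system.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mysub2.mydom.org
cert = /etc/letsencrypt/live/mysub2.mydom.org/cert.pem
privkey = /etc/letsencrypt/live/mysub2.mydom.org/privkey.pem
chain = /etc/letsencrypt/live/mysub2.mydom.org/chain.pem
fullchain = /etc/letsencrypt/live/mysub2.mydom.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
pref_challs = dns-01,
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Plugin names certbot accepts for -a/--authenticator.
KNOWN_AUTHENTICATORS = {"manual", "dns-route53", "webroot", "standalone", "nginx", "apache"}

_AUTH_LINE = re.compile(r"^(\s*authenticator\s*=\s*)(\S+)(\s*)$")


def has_renewal_params(conf_text: str) -> bool:
    """True if the text contains a [renewalparams] section header."""
    return any(line.strip() == "[renewalparams]" for line in conf_text.splitlines())


def switch_authenticator(conf_text: str, new_auth: str) -> str:
    """Return conf_text with the [renewalparams] authenticator set to new_auth.

    Every other line is passed through unchanged, so comments and the
    top-level path keys survive. Raises ValueError rather than guessing.
    """
    if new_auth not in KNOWN_AUTHENTICATORS:
        raise ValueError(f"unknown authenticator {new_auth!r}")
    if not has_renewal_params(conf_text):
        raise ValueError("no [renewalparams] section; not a certbot renewal config?")

    out, in_params, replaced = [], False, False
    for line in conf_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_params = stripped == "[renewalparams]"  # track which section we are in
        elif in_params:
            m = _AUTH_LINE.match(line)
            if m:
                if replaced:
                    raise ValueError("duplicate authenticator key")
                line = f"{m.group(1)}{new_auth}{m.group(3)}"  # keep spacing and newline
                replaced = True
        out.append(line)

    if not replaced:
        raise ValueError("no 'authenticator' key under [renewalparams]")
    return "".join(out)


def apply_to_file(conf_path: str, new_auth: str) -> str:
    """Rewrite conf_path in place, leaving a .bak copy; returns the backup path."""
    path = Path(conf_path)
    updated = switch_authenticator(path.read_text(), new_auth)
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)  # preserve mode/mtime of the original
    path.write_text(updated)
    return str(backup)


if __name__ == "__main__":
    print(switch_authenticator(SAMPLE_CONF, "dns-route53"))
```

After changing the file on a real system, confirm certbot still accepts it with `certbot renew --dry-run` (against the staging environment, so no production certificate is issued) before relying on the cron or timer job.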
I'm not sure whether this is the official way to do it, but you can also just run the certonly command again on the original domain, this time specifying the dns-route53 authenticator rather than the manual authenticator, and it should update your renewal parameters:
certbot-auto certonly -a dns-route53 -d mysub.mydom.org
From your question I understood that you no longer want to use the CSR, right? Or do you want to use the same CSR/private key every time?
I couldn’t find a renewal file for that particular cert (mysub.mydom.org) in the renewal/ dir, but I suppose I could create one if that’s ok too. However, if I can simply run:
./certbot-auto certonly -a dns-route53 -d mysub.mydom.org
and be able to renew and convert to dns-route53 that way, then I’ll just do that. It will be some time before I can test, as the site is not ready to be messed with since it’s operational with the current manual cert now. I’ll def. report back when it’s done. Thanks!
re: the CSR, in my case I don’t have to use the same CSR, so the solution above will probably work for me. There may be cases with other specialized software, however, that would force them to use a specific CSR.
Thanks. I would use renew instead, but certbot currently does not support renew for a specific cert (-d). It will attempt to renew all your certs. Once I’ve converted all my manually generated certs to dns-route53, then I’ll try renew again.