Manual cert with custom csr to be renewed with dns-route53


#1

So… I have cert i generated a couple months back using a csr from an existing app:
./certbot-auto --manual --preferred-challenges dns certonly --csr /home/jsmith/mysub.csr -d mysub.mydom.org

which gave me:
0000_cert.pem 0000_chain.pem 0001_chain.pem files in the cwd where i ran certbot-auto from. Awesome. I used the certs. they worked great.

I recently (today) got dns-route53 working with certbot and i’ve renewed a couple certs with it. certs that were already in /etc/letsencrypt and they were detected and renewed automagically with just:
./certbot-auto certonly --dns-route53 -d mysub2.mydom.org
./certbot-auto certonly --dns-route53 -d mysub3.mydom.org

Awesome!

My question is how do i convert mysub.mydom.org cert i created via a manual method with a custom csr? The pem files were just placed in the CWD. How do i make it renewable? Be part of the /etc/letsencrypt dir… Do i create all the paths and files that’s similar to mysub2.mydom.org which has it’s own live/ and archive/ dirs etc… in /etc/letsencrypt? i’m ok with that if i knew what all those dependencies are. Is there a better way?

Thanks for any help and thanks for letsencrypt!


#2

certbot-auto can do a lot of things automagically.
However, when used with CERTONLY most of that magic is held back…

Take a look at:


#3

You should find a file called /etc/letsencrypt/renewal/mysub.mydom.org .

In there, it will list:

authenticator = manual

You may be able to change that to

authenticator = dns-route53

I’m not sure whether this is the official way to do it, but you can also just run the certonly command again on the original domain, this time specifying the dns-route53 authenticator rather than the manual authenticator, and it should update your renewal parameters:

certbot-auto certonly -a dns-route53 -d mysub.mydom.org

From your question I understood that you no longer want to use the CSR right? Or do you want to use the same CSR/private key every time?


#4

Certbot unfortunately doesn’t enable automatic renewal for certificates created with --csr. :slightly_frowning_face: Do you absolutely need to use it?


#6

I couldn’t find a renewal file for that particular cert (mysub.mydom.org) in renewal/ dir but i suppose i could create one if that’s ok too. However, if I can simply run:
./certbot-auto certonly -a dns-route53 -d mysub.mydom.org
and be able to renew and convert to dns-route53 that way then i’ll just do that. It will be sometime before i can test as the site is not ready to be messed with since it’s operational with the current manual cert now. I’ll def. report back when it’s done. Thanks!

re: the CSR, in my case I don’t have to use the same CSR so the solution above will probably work for me. There may be cases with other specialized software however that would force them to use a specific CSR.


#7

Thanks. I would use renew instead but certbot currently does not support renew for a specific cert (-d). it will attempt to renew all your certs. Once I’ve converted all my manually generated certs to dns-route53 then i’ll try renew again.


#8

no… so i’m going to try _az’s solution. Thanks.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.