Modify renewal file to include more parameters

pryrios · March 11, 2019, 12:08pm

Hi all,

I have several sites running with certbot. I have recently started using Cloudflare first without the proxy/CDN system on. But, for security reasons, I would like to have the cloudflare proxy/CDN activated.

I have installed dns-cloudflare plugin and made a dry-run for my domain and it has worked perfectly. Command was as follows:

sudo certbot renew --cert-name="pryrios.chasr.org" --dry-run --dns-cloudflare --dns-cloudflare-credentials /path/to/cloudflare.ini

Now I would like automated renewal process to work with this so that when system runs: certbot renew it will work. I thought that maybe updating manually the renewal config file it would work, but I have no clue on how to go about it. Renewal file looks like this:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /path/to/certs_folder
cert = /path/to/cert.pem
privkey = /path/to/privkey.pem
chain = /path/to/chain.pem
fullchain = /path/to/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = <ACCOUNT_KEY>
server = https://acme-v02.api.letsencrypt.org/directory

I think I can change authenticator from “apache” to “dns-cloudflare” but I have no idea on how to tell it where the cloudflare credentials are stored. I am also worried on updating manually this file as the certbot documentation does not recommend to do so.

I am aware that generating a new certificate using both apache and dns-cloudflare would probably created a new renewal config file that would suite my needs, but I would prefer not to generate a new certificate as I will need to replicate this with other more importante sites (this is just a test).

Another option would be to stop automated renewal for this site and create a cronjob that runs the above command minus the --dry-run but I would also pretty much avoid this as certbot is already managing automated renewals.

Any idea on how to got about this?

Thanks!

EDIT: Seems that only by running the command to reissue (or renew) the certificate, renews it, reinstalls it and modifies the configuration, so I have ended up doing this. It works perfectly clean, although reissuing the certificate may not be the best option in all the cases (due to limits, I think).

_az · March 11, 2019, 12:42pm

You figured it out - a live issuance is needed in order to coax Certbot into updating the configuration.

Hopefully one day there’s a better way …

pryrios · March 11, 2019, 1:04pm

Yup, searching a little bit more I eneded up on:

and:

github.com/certbot/certbot

Option to update renewal configuration

opened 10:55PM - 04 Apr 18 UTC

closed 04:07PM - 01 Jun 23 UTC

jmorahan

feature request area: renewal needs-update

As discussed at https://community.letsencrypt.org/t/how-to-regenerate-renewal-co…nfig-file/58628 It might be useful to have a method to safely update the renewal configuration for an existing certificate without actually renewing the certificate. Something like this maybe? `certbot certonly --reconfigure-only --cert-name example.com --apache -d example.com` So basically the existing interface for updating the config for an existing certificate, but with an additional option to not actually issue a cert immediately. Instead it could attempt a test issuance against the staging endpoint to verify that the updated settings would succeed in renewing the certificate, then write the updated options (but with account details for the live endpoint) to the existing renewal configuration file.

So ill luck modifying the configuration files. Just for completion sake, I think that changing the file to:

# renew_before_expiry = 30 days 
version = 0.31.0 
archive_dir = /path/to/certs_folder 
cert = /path/to/cert.pem 
privkey = /path/to/privkey.pem 
chain = /path/to/chain.pem 
fullchain = /path/to/fullchain.pem 

# Options used in the renewal process 
[renewalparams] 
authenticator = dns-cloudflare
installer = apache 
account = <ACCOUNT_KEY> 
server = https://acme-v02.api.letsencrypt.org/directory
dns_cloudflare_credentials = /home/pryrios/.secrets/cloudflare.ini

may do the trick, but nonetheless I prefer certbot to manage this file as instructed on documentation. (changes are to authenticator and adding dns_cloudflare_credentials param).

system · April 10, 2019, 1:04pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.