Modify renewal file to include more parameters


#1

Hi all,

I have several sites running with certbot. I have recently started using Cloudflare, first without the proxy/CDN system on. But, for security reasons, I would like to have the Cloudflare proxy/CDN activated.

I have installed dns-cloudflare plugin and made a dry-run for my domain and it has worked perfectly. Command was as follows:

sudo certbot renew --cert-name="pryrios.chasr.org" --dry-run --dns-cloudflare --dns-cloudflare-credentials /path/to/cloudflare.ini

Now I would like the automated renewal process to work with this, so that it works when the system runs: certbot renew. I thought that maybe manually updating the renewal config file would work, but I have no clue on how to go about it. The renewal file looks like this:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /path/to/certs_folder
cert = /path/to/cert.pem
privkey = /path/to/privkey.pem
chain = /path/to/chain.pem
fullchain = /path/to/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = <ACCOUNT_KEY>
server = https://acme-v02.api.letsencrypt.org/directory

I think I can change authenticator from “apache” to “dns-cloudflare”, but I have no idea how to tell it where the Cloudflare credentials are stored. I am also worried about updating this file manually, as the certbot documentation does not recommend doing so.

I am aware that generating a new certificate using both apache and dns-cloudflare would probably create a new renewal config file that would suit my needs, but I would prefer not to generate a new certificate, as I will need to replicate this with other, more important sites (this is just a test).

Another option would be to stop automated renewal for this site and create a cronjob that runs the above command minus the --dry-run, but I would also pretty much avoid this, as certbot is already managing automated renewals.

Any idea on how to go about this?

Thanks!

EDIT: It seems that running the command to reissue (or renew) the certificate renews it, reinstalls it and modifies the configuration, so I have ended up doing this. It works perfectly cleanly, although reissuing the certificate may not be the best option in all cases (due to limits, I think).


#2

You figured it out - a live issuance is needed in order to coax Certbot into updating the configuration.

Hopefully one day there’s a better way …


#3

Yup, searching a little bit more I ended up on:

and:

So ill luck modifying the configuration files. Just for completeness' sake, I think that changing the file to:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /path/to/certs_folder
cert = /path/to/cert.pem
privkey = /path/to/privkey.pem
chain = /path/to/chain.pem
fullchain = /path/to/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = dns-cloudflare
installer = apache
account = <ACCOUNT_KEY>
server = https://acme-v02.api.letsencrypt.org/directory
dns_cloudflare_credentials = /home/pryrios/.secrets/cloudflare.ini

may do the trick, but nonetheless I prefer certbot to manage this file as instructed in the documentation (the changes are to authenticator and adding the dns_cloudflare_credentials param).
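Whether the renewal file is rewritten by a live issuance (post #1) or edited by hand (post #3), the two things worth verifying before trusting `certbot renew` to it are that a `dns-cloudflare` authenticator is actually paired with a `dns_cloudflare_credentials` entry, and that the credentials file it points at is not readable by other users (Certbot itself warns about unsafe permissions on that file). The script below is an added example written for this thread, not Certbot's own code: it parses the key = value format shown in the posts with a small hand-rolled parser, applies those two checks, and exercises them against a constructed copy of the post #3 file and temporary credentials files. The account key and paths are the placeholders from the thread; the owner-only (0600) rule is the one this example enforces, stated here as an assumption about what a safe credentials file looks like.

```python
"""Sanity-check a Certbot renewal config before relying on `certbot renew`.

Added example for this thread (not Certbot's own code). Assumes a
dns-<plugin> authenticator stores its credentials path under the key
dns_<plugin>_credentials, as the file in post #3 shows.
"""
import os
import stat
import tempfile

# Constructed sample mirroring post #3; <ACCOUNT_KEY> and paths are placeholders.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /path/to/certs_folder
cert = /path/to/cert.pem
privkey = /path/to/privkey.pem
chain = /path/to/chain.pem
fullchain = /path/to/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = dns-cloudflare
installer = apache
account = <ACCOUNT_KEY>
server = https://acme-v02.api.letsencrypt.org/directory
dns_cloudflare_credentials = /home/pryrios/.secrets/cloudflare.ini
"""
CRED_LINE = "dns_cloudflare_credentials = /home/pryrios/.secrets/cloudflare.ini\n"


def parse_renewal_conf(text):
    """Parse Certbot's key = value file into {section: {key: value}}.

    Keys above the first [section] header go into section "" (top level).
    Blank lines and # comments are skipped.
    """
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        sections[current][key.strip()] = value.strip()
    return sections


def credentials_problems(path):
    """Report a missing credentials file or one accessible by group/others."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return ["credentials file %s does not exist" % path]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # assumption: owner-only is the safe state
        return ["credentials file %s is accessible by group/others (mode %o); "
                "expected owner-only, e.g. chmod 600" % (path, stat.S_IMODE(mode))]
    return []


def check_renewal_conf(text, check_files=True):
    """Return a list of findings; an empty list means the config is consistent."""
    conf = parse_renewal_conf(text)
    params = conf.get("renewalparams", {})
    findings = []
    authenticator = params.get("authenticator")
    if authenticator is None:
        findings.append("renewalparams has no authenticator")
    elif authenticator.startswith("dns-"):
        # dns-cloudflare -> dns_cloudflare_credentials, as in the post #3 file.
        cred_key = authenticator.replace("-", "_") + "_credentials"
        cred_path = params.get(cred_key)
        if cred_path is None:
            findings.append("authenticator %s set but %s is missing" % (authenticator, cred_key))
        elif check_files:
            findings.extend(credentials_problems(cred_path))
    for required in ("cert", "privkey", "chain", "fullchain"):
        if required not in conf[""]:
            findings.append("top-level key %s is missing" % required)
    return findings


def demo():
    """Run the check with a 0600 file, a 0644 file and no credentials key at all.

    Returns (findings_0600, findings_0644, findings_missing_key).
    """
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o600, 0o644):
            path = os.path.join(tmp, "cloudflare_%o.ini" % mode)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder, not a real credentials file\n")
            os.chmod(path, mode)
            results.append(check_renewal_conf(
                SAMPLE_RENEWAL_CONF.replace("/home/pryrios/.secrets/cloudflare.ini", path)))
        results.append(check_renewal_conf(SAMPLE_RENEWAL_CONF.replace(CRED_LINE, "")))
    return tuple(results)


if __name__ == "__main__":
    for label, findings in zip(("0600", "0644", "no key"), demo()):
        print(label, "->", findings or "OK")
```

Run it as-is to see the three outcomes; point `check_renewal_conf` at the contents of a real file under `/etc/letsencrypt/renewal/` to check your own configuration, keeping in mind that the 0600 expectation is this example's rule rather than something read from Certbot's source.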