I don’t see the --csr option in the documentation for the new certbot client. Is this still supported?
For sites obtaining certificates for SMTP servers with DANE TLSA records, it is important to be able to renew without changing the public/private keypair, just obtain a new certificate for the same keys when doing automated rollover.
Periodic changes of the keys are best performed under human supervision, so that appropriate DNS changes can be made at approximately the same time and verified.
It would be great if this were documented. With the existing client an overview of the process is at:
./certbot-auto --help certonly
Checking for new version...
Requesting root privileges to run certbot...
   /root/.local/share/letsencrypt/bin/letsencrypt --help certonly

usage:
  certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        config file path (default: None)

certonly:
  Options for modifying how a cert is obtained

  --csr CSR             Path to a Certificate Signing Request (CSR) in DER
                        format; note that the .csr file *must* contain a
                        Subject Alternative Name field for each domain you
                        want certified. Currently --csr only works with the
                        'certonly' subcommand' (default: None)
  --cert-path CERT_PATH
                        Path to where cert is saved (with auth --csr),
                        installed from or revoked. (default: ./cert.pem)
Thanks, I started to RTFS and found that “--csr” is there and available with “certonly” as you say. The CSR needs to have exactly the requested domains listed as subjectAltNames, and the code seems to support either DER or PEM format (tries DER, then tries PEM).
Any chance this could be in the HTML documentation, and not just in the “--help” output? It seems like useful information to expose to users. My DANE survey has identified ~1000 DANE SMTP domains hosted at ~400 MX hosts. While this is small by comparison with the volume of certificates issued by LE, the numbers are gradually increasing, particularly because https://mailinabox.email/ uses LE certs and supports DANE.
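As an added example (mine, not from the thread or from certbot's own code), a small POSIX shell helper for the workflow discussed above: build a DER CSR from an existing private key with every requested domain as a SAN, and verify before and after renewal that the public key, and therefore the data of a "3 1 1" DANE TLSA record, is unchanged. It assumes openssl is on PATH; the file names and example domains are illustrative.

```shell
#!/bin/sh
# Example helper (not part of the thread or of certbot): renew a certificate
# for an EXISTING key so a "3 1 1" TLSA record keeps matching.
# Assumes: openssl on PATH. File and domain names are illustrative.
set -eu

# Emit a CSR in DER format for the given key, with every domain listed as a
# subjectAltName (certbot --csr requires the CSR to name exactly the domains).
make_csr() {
    key=$1; out=$2; shift 2
    cn=$1
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
    cfg=$(mktemp)
    # A config file is used instead of -addext so this works on older OpenSSL.
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $cn
[san]
subjectAltName = $sans
EOF
    openssl req -new -key "$key" -config "$cfg" -outform DER -out "$out"
    rm -f "$cfg"
}

# SHA-256 over the DER SubjectPublicKeyInfo: the data field of a TLSA 3 1 1 record.
spki_sha256() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# TLSA 3 1 1 data derived from the private key currently in use.
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout | spki_sha256
}

# Same digest taken from the public key embedded in the DER CSR.
tlsa_311_from_csr() {
    openssl req -in "$1" -inform DER -noout -pubkey | spki_sha256
}

# Same digest taken from a (renewed) PEM certificate, for the post-renewal check.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey | spki_sha256
}

# Succeeds only if the CSR carries the same public key as the existing key,
# i.e. the published TLSA record will still validate after renewal.
check_csr_keeps_key() {
    [ "$(tlsa_311_from_key "$1")" = "$(tlsa_311_from_csr "$2")" ]
}
```

Feed the resulting DER file to certbot certonly --csr together with --cert-path, as the help output above describes; run tlsa_311_from_cert on the returned certificate and compare it with the published TLSA data before deploying it.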