New "certbot" client and ``--csr`` option?


I don’t see the --csr option in the documentation for the new certbot client. Is this still supported?

For sites obtaining certificates for SMTP servers with DANE TLSA records it is important to be able to renew without changing the public/private keypair, just obtain a new certificate for the same keys when doing automated rollover.
Periodic changes of the keys are best performed under human supervision, so that appropriate DNS changes can be made at approximately the same time and verified.

It would be great if this were documented. With the existing client an overview of the process is at:

The rationale is explained at:


Certbot using csr and private key Apache and Postfix/Dovecot
Let's make Let's Encrypt easy and simple

--csr is still supported, yes:

./certbot-auto --help certonly
Checking for new version...
Requesting root privileges to run certbot...
   /root/.local/share/letsencrypt/bin/letsencrypt --help certonly
  certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

optional arguments:
  -h, --help            show this help message and exit
                        config file path (default: None)

  Options for modifying how a cert is obtained

  --csr CSR             Path to a Certificate Signing Request (CSR) in DER
                        format; note that the .csr file *must* contain a
                        Subject Alternative Name field for each domain you
                        want certified. Currently --csr only works with the
                        'certonly' subcommand' (default: None)
  --cert-path CERT_PATH
                        Path to where cert is saved (with auth --csr),
                        installed from or revoked. (default: ./cert.pem)


Thanks, I started to RTFS and found that “–csr” is there and availabe with “certonly” as you say. The CSR needs to have exactly the requested domains listed as subjectAltNames, and the code seems to support either DER or PEM format (tries DER, then tries PEM).

Any chance this could be in the HTML documentation, and not just in the “–help” output? It seems like useful information to expose to users. My DANE survey has identified ~1000 DANE SMTP domains hosted at ~400 MX hosts. While this is small by comparison with the volume of certificates issued by LE, the numbers are gradually increasing, particularly because uses LE certs and supports DANE.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.