Option to automatically add Certificate to service


I was wondering if there is an option or possibility to automatically renew a certificate once a certificate is about to expire, so that it will automatically renew the certificate and be added to the services that are making use of this certificate.

A number of ACME clients already do this assuming you have set them up properly for your particular configuration. Which client were you referring to? And which OS and service were you trying to configure?


Well currently we do use any client. Currently I had a customer where the VPN was not working. After some digging I found out that the certificate was expired and was not changed to the new certificate. This caused the customer some problems of course, because they could not work from home... Routing and Remote is the service. I am just searching for something that could potentially help our company to do this automatically. We run this on an application server.

It would be a rare case indeed where a Let's Encrypt cert should be used for a VPN server. It isn't that it can't be done, but generally it shouldn't.

Let's Encrypt certs are obtained using client software. The large majority of client software--certainly the most popular client software--lets you specify arbitrary commands to run after obtaining (and renewing) a cert. These commands can make copies of the files, restart services, and otherwise do what's needed to make use of the new cert.
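As an added illustration of the "commands to run after renewing" described in the post above (not code from the thread or from any ACME client), here is a deploy hook sketch for Certbot, which exports `RENEWED_LINEAGE` to commands passed with `--deploy-hook`. The function name, `SERVICE_CERT_DIR`, `RELOAD_CMD` and the default paths are assumptions, and it targets a Unix-like host rather than the Windows service discussed in this thread.

```shell
#!/bin/sh
# Deploy hook sketch (added example). Certbot runs --deploy-hook commands after
# a successful issuance or renewal and sets RENEWED_LINEAGE to the directory
# that holds fullchain.pem and privkey.pem for the renewed certificate.
# SERVICE_CERT_DIR and RELOAD_CMD are hypothetical settings for this example.

deploy_renewed_cert() {
    src=$1          # lineage directory, e.g. "$RENEWED_LINEAGE"
    dest=$2         # directory the service reads its certificate from
    reload_cmd=$3   # command that makes the service pick up the new files

    # Refuse to deploy a missing or empty file: an empty key would take the
    # service down just as surely as an expired certificate.
    for f in fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 2; }
    done

    # If the service already has exactly these files, do not restart it.
    if cmp -s "$src/fullchain.pem" "$dest/fullchain.pem" 2>/dev/null &&
       cmp -s "$src/privkey.pem" "$dest/privkey.pem" 2>/dev/null; then
        return 0
    fi

    umask 077       # the copied private key must not be world-readable
    mkdir -p "$dest" || return 3
    for f in fullchain.pem privkey.pem; do
        # Copy to a temporary name, then rename, so the service never reads
        # a half-written file.
        cp "$src/$f" "$dest/.$f.new" && mv -f "$dest/.$f.new" "$dest/$f" || return 3
    done

    # A failed reload means the old certificate is still being served, so
    # report it instead of exiting quietly.
    sh -c "$reload_cmd" || { echo "reload failed: $reload_cmd" >&2; return 4; }
    return 0
}

# Only act when called by the ACME client after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed_cert "$RENEWED_LINEAGE" \
        "${SERVICE_CERT_DIR:-/etc/example-service/tls}" \
        "${RELOAD_CMD:-true}"
fi
```

The non-zero return codes matter as much as the copy: a hook that fails silently reproduces the situation in this thread, where a renewed certificate existed but the service kept serving the expired one.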


There are VPNs that run over TLS, so it's not impossible that it could be relevant or useful for those! (although perhaps many VPNs should ideally be configured in a different way that doesn't rely on publicly-trusted certifications)


Sure, including the very popular OpenVPN. But, at least as I understand it, you wouldn't generally want to use a cert from a public CA to identify the server. But I'll admit I'm far from an expert here.


I ran a PaloAlto Global Protect VPN on LE certs for years because no one else wanted to deal with it. Automated renewals and everything. Totally doable.


This sounds like Windows' Routing and Remote Access service, is that right? If so, have a look at CertifyTheWeb.


Sure! Let's Encrypt is all about automation, especially renewal.

However, you shouldn't be asking this question to Let's Encrypt. Because even if Let's Encrypt could automatically renew any certificate ever issued, they wouldn't. How would Let's Encrypt know if you even are still using the certificate? And if they would renew every certificate, how would they get the renewed certificate to you?

So the idea is that the person (or preferably the application) that got the certificate in the first place is also responsible for renewing the certificate. Because "renewing" is the same as "getting a brand new certificate signed, but with the same contents except for the dates".

So ultimately it's your job to set up the automatic renewal.

