Re-run Letsencrypt Client installs on existing installations?


#1

Let’s say you followed instructions in documentation at https://letsencrypt.readthedocs.org/en/latest/using.html#installation and installed Letsencrypt at /etc/letsencrypt.

Then you set up and obtained SSL certificates that are saved to the /etc/letsencrypt/live/domainname.com/ directory.

But if you re-ran the install again, would it override all settings in /etc/letsencrypt and wipe out the existing SSL certificates saved at /etc/letsencrypt/live/, along with their keys and cert directories?

If it is wiped out, maybe the Letsencrypt client install routine should be smart enough to detect if there’s an existing live config and SSL certificates, keys, etc. in /etc/letsencrypt and back them up or take that into account?


#2

The patch I’m working on now will change the current behavior.

Currently, all requests from running the client are treated as independent and so it will obtain a completely new cert and save it in a different place (you’ll have something along the lines of domainname.com-1 and domainname.com-2 directories, one for each time you ran the client, with separate private keys and separate certs). The process will also create a new private key, and it will update the web server config to use the new cert, wherever it’s applicable, in place of the old one.

My patch will do a “superset detection” and prompt you to replace the old cert with the new one. However, that will just be done by updating the symlinks; the old cert won’t be deleted, but anything that pointed at the symlink for the old cert will now point at the symlink for the new cert. And probably we will use the same private key. In any case, the web server configuration files won’t be changed. This is also called “treat as renewal” and responds to LE client issue #411.

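An added illustration (not schoen’s patch and not the client’s own code) of the “treat as renewal” layout described above: a scratch config directory with archive/ files and live/ symlinks, where a request whose domains cover an existing lineage bumps the symlinks to a new cert while the old cert stays on disk and the private key is reused. The per-lineage domains.txt file and the placeholder PEM strings are assumptions made for this example.

```python
import os
import tempfile

def new_config_dir():
    return tempfile.mkdtemp(prefix="letsencrypt-")  # scratch stand-in for /etc/letsencrypt

def read_live(config_dir, name, link_name):
    # Read a file through its live/ path, i.e. whatever the symlink currently points at.
    with open(os.path.join(config_dir, "live", name, link_name)) as f:
        return f.read()

def find_superset_lineage(config_dir, requested):
    """Superset detection: first existing lineage whose domain set the request covers."""
    live = os.path.join(config_dir, "live")
    for name in sorted(os.listdir(live) if os.path.isdir(live) else []):
        if set(read_live(config_dir, name, "domains.txt").split()) <= set(requested):
            return name
    return None

def _relink(config_dir, name, link_name, target_file):
    # live/<name>/<link_name> -> ../../archive/<name>/<target_file>; old targets stay on disk.
    path = os.path.join(config_dir, "live", name, link_name)
    if os.path.lexists(path):
        os.unlink(path)
    os.symlink(os.path.join("..", "..", "archive", name, target_file), path)

def save_cert(config_dir, domains, cert_pem, key_pem):
    """Store a newly obtained cert; returns (lineage name, version, treated_as_renewal)."""
    name = find_superset_lineage(config_dir, domains)
    renewal = name is not None
    if renewal:
        current = os.readlink(os.path.join(config_dir, "live", name, "cert.pem"))
        version = int(os.path.basename(current)[4:-4]) + 1   # "certN.pem" -> N + 1
    else:
        name, version = domains[0], 1
        os.makedirs(os.path.join(config_dir, "live", name))
        os.makedirs(os.path.join(config_dir, "archive", name))
    archive = os.path.join(config_dir, "archive", name)
    with open(os.path.join(archive, f"cert{version}.pem"), "w") as f:
        f.write(cert_pem)
    _relink(config_dir, name, "cert.pem", f"cert{version}.pem")
    if not renewal:
        # Only a fresh lineage stores a key; a renewal keeps the existing privkey link.
        with open(os.path.join(archive, f"privkey{version}.pem"), "w") as f:
            f.write(key_pem)
        _relink(config_dir, name, "privkey.pem", f"privkey{version}.pem")
    with open(os.path.join(config_dir, "live", name, "domains.txt"), "w") as f:
        f.write(" ".join(domains))
    return name, version, renewal
```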

#3

Sweet @schoen, sounds like a great improvement :smile:

But I was referring to re-running the same commands again, as in these that set up the actual /etc/letsencrypt directory and structure initially. If these were re-run, would they override or wipe existing contents in /etc/letsencrypt? Sorry for not clarifying my question.

virtualenv --no-site-packages -p python2 venv
./venv/bin/pip install -r requirements.txt acme/ . letsencrypt-apache/ letsencrypt-nginx/

#4

I thought most of the contents of /etc/letsencrypt were created as a result of running the client, not as a result of the pip install command. I don’t imagine it would harm the existing /etc/letsencrypt.


#5

thanks for the clarification :slight_smile: