My web server is (include version): Not relevant
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: not relevant VPS with full root access
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, not for Cerbot, there is Webmin but not used for certbot
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot): certbot 0.40.0
Hi, I tried to switch over from dehydrated script (which sometimes causes problems with bind and I would like to have a second option) for cert renewal to certbot. I'm running into problems with changing TLSA records with certbot.
With the dehydrated script and the option PRIVATE_KEY_RENEW="no" the cert files after renewal are not identical but if I create the TLSA records this record stays the same. Which means TLSA record does not have to be renewed every time there is a new ceritficate created (which means around every 2 months). Changing TLSA every time a certificate is renewed is a bad process in my opinion because there are at least hours until until a full day until DNS records are renewed and in this time TLSA / DANE is not valid).
I tried to to the same with certbot but I noticed that with every renewal process the generated TLSA
record based on certificate changes. I thought that maybe the option --reuse-keys would help. But it does not seem to help. I'm still getting new TLSA records every time based on the generated certificates.
Am I doing something wrong or is this by design with certbot? If this is by design it would be nice if this can be updated automatically via options because for validation DNS is already used.
Renew job running on root user hourly (auto generated except the --reuse-key part:
test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --reuse-key
Options for domain:
renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live//cert.pem
privkey = /etc/letsencrypt/live//privkey.pem
chain = /etc/letsencrypt/live//chain.pem
fullchain = /etc/letsencrypt/live//fullchain.pem
Options used in the renewal process
rsa_key_size = 4096
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-rfc2136
dns_rfc2136_credentials = /etc/letsencrypt/renewal/rfc2136.ini
renew_hook = systemctl reload nginx apache2 webmin dovecot postfix