Token Validity for Renewal


#1

Hello,

First of all, just discovered Let’s Encrypt and I love it :slight_smile:

Please be indulgent with my questions as it might appears stupid to some, but I am just starting to get arond the Let’s Encrypt mechanics.

Two questions:

  1. I need to install certificates on an appliance (Netscaler, not to mention it). I have installed certbot on a CentOS VM, and generated a certificate with certonly and manual options. All is working great, but when I tried to renew the certificate (force-renew, also had to use standalone option else I was getting an error), it fails. Why ? Because while during creation I had time to configure the NetScaler with the validation token before pressing continue on the certbot side, renewal does not offer the same mechanic. The validation token changes, and as the NetScaler is still configured with the previous one, validation fails.

Is there a way to work around that ?

  1. Based on the previous result, I went with the second way to renew a certificate as described in the Let’s Encrypt documentation, using certonly with the same domain name and force-renewal option. Contrary to the renew option, I successfuly had a break point after the validation token was generated, which allowed me to change the NetScaler side… except that the validation token did not change !!

Is this normal ? Does it mean that If I use this method anytime before the certificate expiration, the validation token will not change ? Or is there a number of days before it expires (I read 30 days somewhere, but it was unclear) ?

Thank you,


#2

Let’s Encrypt may cache authorizations for a period of time, which saves you from doing the authz again. However, it’s not something you can rely on, and it definitely won’t be cached by the time the next renewal period rolls around.

What you want to do is enable Certbot to automatically deploy the new validation token to your Netscaler appliance.

This can be done using manual auth hooks.

A simple auth hook may look like:

#!/usr/bin/env bash
ssh root@netscaler "echo '${CERTBOT_VALIDATION}' > /path/to/netscaler/webroot/${CERTBOT_TOKEN}"

or it may be a full blown program that talks to some kind of Netscaler API.

Looks like somebody has written a Netscaler hook for dehydrated, which is an alternative to Certbot: https://github.com/ryancbutler/ns-letsencrypt / https://www.techdrabble.com/citrix/18-letsencrypt-san-certificate-with-citrix-netscaler-take-2 , but you can do whatever you want!


#3

Thanks for clearing up the cache authorization. I think I will start working on a script.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.