Understanding certbot renew


#1

Hello everyone,

I am new to SSL and letsencrypt so I have created a certificate manually in my desktop ubuntu16.04 to understand the process, then uploaded the certificates to my server and all went smoothly. I feel safe doing things this way and it would be awesome if there was a way to automate this, I mean using a desktop or another server to generate all certificates and then upload them in the correct servers without giving root access to certbot. I know this is hard work and maybe not even safe so I will just close my eyes and trust certbot for now :slight_smile: ( maybe this should even be a discussion for another thread or not even a thread at all )

So I have decided to go for certbot after understanding the manual process. Once again everything went smoothly. I also tried to --dry-run and --force-renew and certificates were renewed without any problem. Now what I find really weird is that I had to change my Apache config and the certificates still renew when I think they were not supposed to.

My config is the following:

  1. Nginx passes the requests to Apache
  2. Apache was serving /var/www/domain.com
  3. certbot was configured this way: certbot certonly --webroot -w /var/www/domain.com -d domain.com -d www.domain.com --non-interactive
  4. certbot would try to create /.well-known/etc…
  5. certbot will try to request this file through http://domain.com/.well-known/etc…
  6. to create the certificate i have tested this with --dry-run and everything was making sense
  7. now i have changed Apache to serve /var/www/domain.com/public
  8. the renew is still working??? how? the /.well-known/ is being created in a place where it is not visible by public… I really don’t get this…

The documentation of lets encrypt is very good in general but I feel that most people will install certificates without any clue of what they are doing. I think it would increase even more the confidence of all users if the idea was explained step by step and try to give more options for cerbot not have root access but still be automated ( but again i don’t know if this is possible ).

And I must say that this initiative is excelent and concratulate the letsencrypt team.

Awesome job! :slight_smile:


#2

Hi @ivo,

That “magic” is because validated authorizations have a lifetime, previously was 60 days and since a week ago the lifetime is 30 days, so, doesn’t matter where is your document root because Let’s Encrypt boulder didn’t try to validate your domain again as it has a valid authorization for it… for 30 days.

Once the validated authorization expires… in the same situation you would get an error and your cert won’t be renewed.

Cheers,
sahsanu


#3

Thanks for the reply @sahsanu

Does that mean that if I always renew a valid certificate the test won’t be made ever again?


#4

@ivo, no, it means that the first time you issued a certificate it was validated and this validated authorization will be valid for 30 days. If you renew your cert during those 30 days there is no need to revalidate you domain but it doesn’t extend the validated authorization. if you try to renew the cert after the 30 days it will need to be revalidated and your domains will get a new lifetime validation of 30 days… and so on.

Don’t know if I explained it very well :wink:

Cheers,
sahsanu


#5

@sahsanu thanks again for your answer. So a valid authorization will last 30 days and a certificate 90 days. To renew I need a valid authorization. A valid authorization is only extended with this test so after 30 days to renew authorization I will need to make the test again. Is that it? I had no idea about this valid authorization it’s not mentioned anywhere I saw. Is it in the documents?

Thanks for your help. If it works like you said it makes sense and I will have to fix it after 30 days :stuck_out_tongue:


#6

@ivo,

I don’t know what you mean by test. The first time you want to issue a certificate, Let’s Encrypt needs to validate that you own the domain(s) so it uses a challenge, for example the http challenge, it puts a file with a specific content inside ./well-known/acme-challenge/ dir inside your domain document root. Let’s Encrypt knows whath is the file that should try to reach and the content of this file, if Let’s Encrypt can get this file from its side that means that you have proved that you control that domain and Let’s Encrypt has validated it and issues a cert for your domain.

Let’s Encrypt saves that authorization for your domain and keeps it for 30 days. If for whatever reason you want to renew your cert just 5 days after you issued the first one, Let’s Encrypt won’t try to reach your domain again to review the specific file in ./well-known/acme-challenge/ dir, as the authorization is still valid it will issue a new cert for your domain but as it has not validated again, the lifetime authorization for your domain is 25 days.

The certificates are valid for 90 days and Let’s Encrypt recommends to renew them after 60 days so if something goes wrong you still have 30 days to fix any issue so if you try to renew your cert 60 days after you issued it, the validated authorization has expired and Let’s Encrypt will try to prove that you still control the domain and will perform again the same procedure… check the file on ./well-known/acme-challenge/ so once checked you have a new valid authorization for 30 days and Let’s Encrypt will be able to issue a new cert for you.

There is no need to perform any test nor other action to revalidate your authorization, just issue your cert, and renew it when you want.

If you are worried because you issued your certificate and after that you changed the document root, then the command certbot renew will place the challenge in the wrong dir, to solve this you could edit the file /etc/letsencrypt/renewal/yourdomain.conf and change in this file the old document root with the new one so certbot renew command will use the right path to place the challenge.

You can read this post from @jsha (Let’s Encrypt boulder engineer) Failed validation limit, validation IP addresses, and authorization lifetime and this one Expiry of valid authorizations reduced from 60 days to 30 days where he announces that valid authorizations have been reduced from 60 to 30 days.

Cheers,
sahsanu


#7

@sahsanu thank you very much :slight_smile:

I now know exactly how certbot works. At least the most important parts as a certbot user :slight_smile:

Cheers and thanks once again,
Ivo


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.