Using certbot -csr for DANE TLSA records

Hi all,

I used certbot in standalone mode to set up TLS certs for a mailserver running postfix. The basic approach is outlined here:

Let’s Encrypt certificates for mail servers and DANE – Part 1 of 2
Let’s Encrypt certificates for mail servers and DANE – Part 2 of 2

Once I had added a TLSA record for port 25 in the DNS record, DANE validated for smtp on that server.

For the renewals, I would rather use the approach described in part 2 of the above in which the existing CSR is used so that the TLSA hash value remains the same and I won’t have to update the DNS record manually every three months or so.

However, I don’t entirely understand the behaviour of -csr.

I run this command:

certbot certonly \
  --standalone \
  --agree-tos \
  --email root@mydomain \
  --renew-by-default \
  --domains mx2.mydomain \
  --csr /usr/local/etc/letsencrypt/csr/0007_csr-certbot.pem \

It seems to run fine, no errors. But it also does not indicate whether or not the certificate is about to expire and needs to be renewed; IOW, whether it is actually going through the renewal process.

I see these three files in the working directory:


Is it now simply a matter of having my script copy 000_cert.pem and 0000_chain.pem to resp.


Am I missing something here?


Using the --csr option is quite minimal at best. This is already known with the developers as seen from a sample selection of currently open issues:

Unfortunately, this indeed currently isn’t very well documentated.

The only thing you can do at this moment, I guess, is using a script run after certbot to move the generated certificate and chains (I think 0001_chain.pem is the usual fullchain.pem…) to another location. I think you should move all the generated files, because you might get in trouble when you run certbot a second time: the filenames may change…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.