Why does the "certbot certificates" not show the manually copied certificates?

Since we are quoting ourselves, allow me to join in.

To your credit, you seem to have figured that out.

You could still benefit from a new topic, as this one has not only run off the rails with the personality conflicts, but more importantly, its title does not describe the actual objective.

You are looking for deployment strategies, which isn't necessarily off-topic for discussion here, but is not a function of the Let's Encrypt CA, and definitely not certbot.

How you best accomplish your goal will depend on your target environments and the available (and permissible) tools. Shell scripting some curl calls to the DNSimple API may do what you need.

4 Likes

I have already replied to your post with some questions about, or with regard to, misconceptions on your part. E.g. DNSimple does not issue certificates.

I haven't seen a reply from your end to my (second) post with more clarification.

My assumption from the misconceptions I've gathered earlier is that you don't have adequate knowledge of how the ACME process works and how Certbot, as an ACME client, works. I don't mean this as a personal attack on your person: it's complicated stuff.

However, I feel the need to make sure there are no misconceptions to begin with, because it doesn't make much sense to try to build upon existing/continuing misconceptions.

Therefore I'd like to ask you if you've read my second explanation post and if it was clear and you understand now how the dns-01 challenge using DNSimple and other challenges work.

1 Like

Reading the docs @linkp posted, it looks like DNSimple can acquire and renew free Let's Encrypt certs on your behalf (or paid ones from Sectigo). It then offers an API to retrieve them from their own servers. You must use them as your DNS provider as they use the DNS Challenge to authenticate.

I'm not sure how that is any easier than, say, Certbot, but it looks easy enough to set up. The API to get the certs requires some programming skills which you wouldn't need if using some other ACME Client directly on your own server.

3 Likes

@linkp The only reason why I asked this here is that the certificates are being issued by Let's Encrypt.

Why wouldn't it make sense to do what I'm trying to do? You even said yourself that what I'm looking for is a deployment strategy. Why wouldn't it make sense to ask DNSimple to take care of the renewals then download the certificates and place them somewhere in the server? If certificates are not automatically renewed, this is what you need to do anyway, in every server.

Now, I understood, alone basically, that certbot is not meant to actually interact with the DNSimple API in the way I need (i.e. download existing certificates).

Anyway, what I will probably need is indeed to use the DNSimple API directly (Certificates API | DNSimple API v2). So, thanks for pointing this out.

There were different issues at the beginning, yes. I wrote that in my post too. But I had one main problem.

So, again, one problem was due to my lack of knowledge of certbot. This was clear. I thought certbot could be used to download certificates from DNSimple through the DNSimple API. That's why I thought we have the dns-simple plugin. We already talked about this. No need to tell me again that this is not what this plugin is intended for.

1 Like

Why do you "need" to do it this way? We may have other suggestions for unusual use cases that might be easier.

If you have strong programming skills, using their API might not be difficult. But I still think using an ACME Client on your own server would be easier. These can acquire and renew certs using the DNS Challenge for DNSimple, so you can still get wildcard certs or certs with individual names. The certs then exist as files on your server, so no extra copy needs to be done.

Certbot, acme.sh, and lego are just 3 other ACME Clients that support DNSimple DNS Challenges.

3 Likes

Ah, I didn't know that. I couldn't find that easily on the DNSimple website.

Well, OP is already working with Certbot. I think using the ACME API directly from Let's Encrypt makes more sense to me.

2 Likes

As someone who's been watching but not participating in this topic, I think the biggest "doesn't make sense" piece is that a DNS provider who isn't also acting as a CDN or web host would just get certs for your domain. I just don't see what good that does you. You still need to get those certs and tell your services to use them, and you still need to do that every 60-90 days. But the existing toolchain to do that is nonexistent--so you either need to do it manually, or you need to code something yourself to interact with DNSimple's API--certbot, as you now understand, just isn't designed to do that, nor is any other ACME client.

OTOH, if you just ignore the certs that DNSimple has, you can issue new ones on your own system, and there's lots of software already out there to do just that--including DNS validation via DNSimple. That seems to be a much simpler way of achieving the objective of "get a trusted cert that I can use on my server" than writing custom code to download it from somewhere else.

7 Likes

Because there is no ordinary expectation of a DNS service provider being the ACME client. The DNS provider is typically nothing more than a component used by the DNS-01 validation performed by the ACME client.

@danb35 has summed it up perfectly in the preceding reply, so I'll leave it at that.

4 Likes

Wouldn't DNSimple also have access to the private key? :thinking: I see the API has a "Retrieve a certificate private key" option.. :sob: It's obviously a very bad idea to have third parties have access to the private key if that isn't absolutely necessary.

Also:

Alternate names require a subscription to a Professional or Enterprise plan.

So even the most basic features of a certificate require some kind of more expensive plan (I assume there's also something like a "basic plan")... For something that's absolutely free. And easy to get using Certbot directly...

3 Likes
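As an added example (not from the thread, and not Certbot's or DNSimple's code), here is a POSIX shell sketch of what a deployment script for externally obtained certificate files has to check before a service is told to use them: that the key really belongs to the certificate, how many days it has left, and that the key lands on disk with private permissions; `list_certs` gives a `certbot certificates`-style listing for such files, which Certbot itself never shows because they are not in its renewal registry. It assumes `openssl` and `install` are available and builds a self-signed sample pair as a constructed stand-in for files downloaded from a third party.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot/DNSimple: checks a
# deploy script should run on cert/key pairs obtained outside Certbot.
# `certbot certificates` only lists lineages under /etc/letsencrypt/renewal,
# so externally downloaded files need their own inventory and verification.
set -eu

# Return 0 if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Return 0 if the private key in $2 belongs to the certificate in $1.
# Compares the public key (SPKI), so it works for RSA and EC keys alike.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$c" = "$k" ]
}

# Copy a verified pair into directory $3, keeping the key readable by root only.
# Refuses pairs that do not match or that have fewer than $4 days left.
install_pair() {
  key_matches_cert "$1" "$2" || { echo "key/cert mismatch: $1" >&2; return 1; }
  cert_valid_for_days "$1" "$4" || { echo "expires within $4 days: $1" >&2; return 1; }
  mkdir -p "$3"
  install -m 0644 "$1" "$3/fullchain.pem"
  install -m 0600 "$2" "$3/privkey.pem"
}

# One tab-separated line per lineage directory under $1: name, subject, expiry.
list_certs() {
  for d in "$1"/*/; do
    [ -f "$d/fullchain.pem" ] || continue
    subj=$(openssl x509 -in "$d/fullchain.pem" -noout -subject | sed 's/^subject=//')
    end=$(openssl x509 -in "$d/fullchain.pem" -noout -enddate | cut -d= -f2)
    printf '%s\t%s\t%s\n' "$(basename "$d")" "$subj" "$end"
  done
}

# Constructed sample: a self-signed 30-day EC pair (cert in $1, key in $2)
# standing in for files fetched from a provider; no real domain is involved.
make_sample_pair() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=sample.invalid" -days 30 -keyout "$2" -out "$1" 2>/dev/null
}

demo=$(mktemp -d)
make_sample_pair "$demo/c.pem" "$demo/k.pem"
install_pair "$demo/c.pem" "$demo/k.pem" "$demo/live/sample.invalid" 7
list_certs "$demo/live"
```

Point `list_certs` at the directory where the downloaded files are placed and a cron job can report on them the way `certbot certificates` reports on Certbot's own lineages.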

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.