Wildcard certificate renewal

I already have a running certificate. After installing the acme.sh file, please guide me on the points below, because the website is already running in production and it will expire soon.

  1. Do I need to create a new one, or will just renewing work?
  2. I need a wildcard certificate. The script supports ACME v1 and ACME v2; do I need to specify ACME v2, or will it automatically create a wildcard certificate?
  3. I also have a service principal. Do I need to regenerate it, or can I use the existing one?

You’ll need to create a new one; acme.sh won’t “renew” a cert from certbot.

No, acme.sh should automatically use that.

I’m afraid I don’t understand the question.

Thanks danb35, for your reply.

Let me try with the script. Is there anything I need to set up for renewal, as I can see there is a command for renew as well? But to test renewal, can I execute the renew command right after creating the certificate, or will it only renew a few days before expiration?

acme.sh --renew-all
should try to renew all certs.
But it will only renew the ones within the last 30 days of cert life.
It does set up a cron job to automatically try to renew them all daily.

Is there any way to test whether renewal is working fine or not after creating the certificate, and to implement scheduling for this?

You can manually force a renewal as a test.
But that should not be necessary; if it got a cert it can and will renew it.
You should use a cert monitoring program to alert you that your cert is nearing expiration (if ever).
Registering an email address with LE will automatically provide that address “alerts”.
A very good third party tool for notifications is: https://keychest.net/

After executing the issue command I got .cer and .key files in my .acme.sh folder. How can we use this certificate with the domain? Do we manually upload the certificate, or will the deploy command work?

Will this script automatically attach the certificate to appGatewayHttpListener, or do we have to do it manually?

You will need to do it manually. But only once.
The renewals will keep using the same file names in the same location.

rg305 can you please guide me on this… how can I upload it, or is it also manual the first time…
Also, the issue command gives .cer and .key files.

If your site is already TLS enabled, you simply need to update the config to use the newly created files.
I can’t tell from reading through this topic thread if you already have TLS working nor what web server you are using nor what your domain name is…

@danb35 @rg305

My domain is myaddressline.com.
I created a certificate and added it in Azure App Gateway. After the renew command it created a certificate, but it did not reflect on the site. Do I need to manually upload it again for the renewed certificate?

I executed the following commands:
./acme.sh --issue --dns dns_azure -d *.myaddressline.com
./acme.sh --install-cert --dns dns_azure -d *.myaddressline.com
./acme.sh --renew --dns dns_azure -d *.myaddressline.com --force

No.

First, confirm that you have a cert: ./acme.sh --list
If none then back to square one.

Otherwise, then do either:

  • update an existing cert used in your web server config
    [update which cert to use]
    or
  • install the new cert into your web server config
    [use cert - first time]

Where, and how, you “install” the cert depends on which web server is used (Apache, IIS, LiteSpeed, NGINX, Tomcat, etc.) and whether you have already enabled TLS for that domain.

If this is the first time, then you should review “how to” enable TLS for your specific web server.
If this is an update, then you can use the ./acme.sh --install parameter to update the current path in your config to use the newly created cert.

I have Azure Application Gateway. The certificate I am using is for the Application Gateway; behind this my application is running as a backend pool in Azure.

Does that use a control panel?
Or do you have to do things manually?

EDIT: I found some related documentation online that show some steps I found … “confusing” at best:

  • Generate .pfx format for azure environment [Why?]
  • Attach this file to application gateway http listener [Why?]
  • Automate the whole process with Azure ARM template [didn’t show how]

EDIT EDIT: This one looks “easier” to follow:

Hi, I already went with this. This is an example for certbot, and I was not able to generate a wildcard certificate using it, so I went for acme.sh; it is generating the certificate and renewing as well. But to install it with the API gateway I am looking for a way to auto-deploy this certificate.

so then in your case…

sudo openssl pkcs12 -inkey /etc/letsencrypt/live/domain/privkey.pem -in /etc/letsencrypt/live/domain/cert.pem -export -out domain.pfx

becomes

sudo openssl pkcs12 -inkey /root/.acme.sh/domain/domain.key -in /root/.acme.sh/domain/domain.cer -export -out domain.pfx
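The pkcs12 step above, wrapped as an added example (not code from the thread) with the two checks a deploy hook would want before handing the bundle to the gateway: that the PFX unpacks with its password and carries the same certificate as the PEM, and how many days of validity remain. The PFX_PASS variable, the function names and the checks are assumptions; the key/cert locations follow the default ~/.acme.sh/<domain>/ layout shown in rg305's command.

```shell
#!/bin/sh
# Added example, not from the thread: build the PFX that Azure expects from
# acme.sh's key + cert, then verify it before anything uploads it.
# Assumed inputs: ~/.acme.sh/<domain>/<domain>.key and <domain>.cer (or
# fullchain.cer), and the export password in $PFX_PASS.
set -eu

# Build a PFX from an acme.sh key + cert (same openssl call as above, with the
# password taken from $PFX_PASS instead of an interactive prompt).
make_pfx() {
  key="$1"; cert="$2"; out="$3"
  openssl pkcs12 -export -inkey "$key" -in "$cert" \
    -out "$out" -passout "pass:${PFX_PASS:?set PFX_PASS}" >/dev/null 2>&1
}

# Days until the certificate in a PEM file expires (0 if already expired);
# useful as the "is it nearing expiration" check rg305 mentions.
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  # GNU date first, BSD/macOS date as fallback.
  end_s=$(date -d "$end" +%s 2>/dev/null || date -j -f "%b %e %T %Y %Z" "$end" +%s)
  now_s=$(date +%s)
  d=$(( (end_s - now_s) / 86400 ))
  if [ "$d" -lt 0 ]; then d=0; fi
  echo "$d"
}

# Confirm the PFX opens with the password and its end-entity cert is the same
# one as in the PEM (compared by SHA-256 fingerprint).
pfx_matches() {
  pfx="$1"; cert="$2"
  a=$(openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}
```

acme.sh's --install-cert accepts a --reloadcmd, which is the natural place to call make_pfx so the PFX is rebuilt after every renewal rather than only the first time.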

Thanks rg305.

How many times can I execute the issue command for the same certificate? After running the same command it reached its limit. Please find the error below.

What is the limit/quota for executing the issue command? How frequently can I execute this command? Because I don't want to renew the certificate; I need to regenerate it at each interval.

Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: *.myaddressline.com:
"status": 429

issue and renew are two different things.
You only issue one time.
Then you renew (as needed).

Yes, I want to issue the certificate only, not renew it. In this case do I need to delete the old one, or how can I execute only the issue command? What is the rate limit for issuing a certificate for the same domain by Let's Encrypt?