This page contains some details on how to renew certificates with Let's Encrypt using the same key, which is very helpful in supporting authentication via a SPKI pinset. Thanks to Willem Toorop and Ralph Dolmans at NLnet Labs for developing this! 

Manual renewal

This assumes that you will use certbot in conjunction with Let's Encrypt and that you have an existing private key <my_key_file> that the previous certificate was issued for (the key whose SPKI your clients pin).

  1. Create your new CSR from your existing private key using 'openssl req' (the CSR is written with -out; -keyout would generate a fresh key, which is exactly what must not happen here):

    Code Block
    openssl req -key <my_key_file> -new -out <my_csr_file>


  2. Use the certbot interface to renew the cert using the same key, for example using web authentication:

    Code Block
    certbot certonly -d <my_authentication_name> --csr <my_csr_file> --webroot -w /home/website/public

    or using the DNS challenge:

    Code Block
    certbot certonly -d <my_authentication_name> --csr <my_csr_file> --preferred-challenges dns --manual


  3. For the DNS challenge mode, step 2 prints a TXT record value that must be published in the zone of <my_authentication_name> before the certificate can be issued, with instructions like:

    Code Block
    Please deploy a DNS TXT record under the name
    _acme-challenge.<my_authentication_domain_name> with the following value:
    
    <TXT value>
    Once this is deployed,
    Press ENTER to continue
    1. Manually add the TXT record and wait until it has propagated, e.g. use dig against 8.8.8.8 to confirm the new TXT record is visible.
    2. Hit ENTER, which should result in a new certificate being issued.
    3. Restart the nameserver or proxy to have it use the new certificate.
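Before restarting the service in step 3, it is worth confirming that the certificate Let's Encrypt returned really carries the pinned key; a certificate issued against the wrong CSR would pass TLS validation but break every client that pins the SPKI. The following is an added example (not part of the original page or of the getdns project) that computes the HPKP-style pin, base64(SHA-256(DER SubjectPublicKeyInfo)), from both the private key and the certificate and compares them. It assumes only that `openssl` is on PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a certificate
# returned by Let's Encrypt still matches the key your SPKI pinset expects.
# Assumes `openssl` is on PATH. Pin = base64(SHA-256(DER SubjectPublicKeyInfo)).

# Pin of a private key: extract the public key, DER-encode it, hash it.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl base64 -A
}

# Pin of a certificate: the same hash over the SPKI embedded in the cert.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl base64 -A
}

# Returns 0 when the certificate and the key share a pin (safe to deploy
# behind a pinned service), 1 otherwise. Prints both pins for the operator.
same_key_check() {
    key_pin=$(spki_pin_from_key "$1")
    cert_pin=$(spki_pin_from_cert "$2")
    echo "key  pin: $key_pin"
    echo "cert pin: $cert_pin"
    [ -n "$key_pin" ] && [ "$key_pin" = "$cert_pin" ]
}

# Usage: same_key_check.sh <my_key_file> <new_cert_file>
if [ "$#" -eq 2 ]; then
    same_key_check "$1" "$2"
    exit $?
fi
```

The printed pin is the value you would expect to find in the clients' pinset; if the two pins differ, do not restart the nameserver or proxy, but check which key the CSR in step 1 was built from.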

Automated renewal

There are a number of ways to do this, but one common one is to use dehydrated (https://dehydrated.de/). It is a great tool for automating the renewal workflow, particularly if you want to use the DNS challenge method rather than web access. Thanks to Willem Toorop and Ralph Dolmans at NLnet Labs for developing this automated solution!

  • An example configuration file is:

    Code Block
    CA="https://acme-v01.api.letsencrypt.org/directory"
    #CA="https://acme-staging.api.letsencrypt.org/directory"
    LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
    CERTDIR=/usr/local/etc/dehydrated/certs
    CHALLENGETYPE="dns-01"
    HOOK=/usr/local/etc/dehydrated/dnshook.sh
    # keep the existing key across renewals so the SPKI pin stays valid
    PRIVATE_KEY_RENEW="no"
    PRIVATE_KEY_ROLLOVER="no"
    CONTACT_EMAIL=alice@example.com
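The configuration above points HOOK at a dnshook.sh that the page does not show. dehydrated invokes the hook with a fixed argument convention (`deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE`, `clean_challenge` with the same arguments, and `deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`). The script below is an added example of such a hook, not the project's dnshook.sh; it assumes the zone is updated with BIND's nsupdate over a TSIG key (the ZONE, MASTER and TSIG_KEY_FILE values are placeholders) and waits for propagation by querying 8.8.8.8 with dig, as the manual procedure above suggests.

```shell
#!/bin/sh
# Added example (not the page's dnshook.sh): a dehydrated HOOK script for
# CHALLENGETYPE="dns-01". dehydrated calls it as
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
#   hook.sh deploy_cert      DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Assumptions (not from the page): the zone is updated with BIND's nsupdate
# over TSIG, and a public resolver is polled to confirm propagation.
ZONE="${ZONE:-example.com.}"                      # placeholder zone
MASTER="${MASTER:-ns1.example.com}"               # placeholder primary server
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/usr/local/etc/dehydrated/tsig.key}"
RESOLVER="${RESOLVER:-8.8.8.8}"

# Build the nsupdate input that adds or deletes the ACME TXT record.
# Usage: build_nsupdate_script add|del DOMAIN TOKEN_VALUE
build_nsupdate_script() {
    action="$1"; name="_acme-challenge.$2."; value="$3"
    printf 'server %s\nzone %s\n' "$MASTER" "$ZONE"
    if [ "$action" = add ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$name" "$value"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$value"
    fi
    printf 'send\n'
}

# Poll the public resolver until the TXT value is visible (up to ~5 minutes).
# Returning 1 on timeout makes dehydrated abort instead of failing validation.
wait_for_txt() {
    name="_acme-challenge.$1"; value="$2"; tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short "@$RESOLVER" TXT "$name" | grep -q -F "\"$value\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 10
    done
    return 1
}

deploy_challenge() {
    build_nsupdate_script add "$1" "$3" | nsupdate -k "$TSIG_KEY_FILE"
    wait_for_txt "$1" "$3"
}

clean_challenge() {
    build_nsupdate_script del "$1" "$3" | nsupdate -k "$TSIG_KEY_FILE"
}

# With PRIVATE_KEY_RENEW="no" the key in KEYFILE is the pinned one, so only
# the certificate changes; reload the TLS service to pick up CERTFILE.
deploy_cert() {
    echo "new certificate for $1 in $3 (key $2 unchanged)"
    # service reload goes here, e.g. a `service <name> reload` for your daemon
}

# Dispatch on the hook names used here; dehydrated's other hooks are no-ops.
case "${1:-}" in
    deploy_challenge|clean_challenge|deploy_cert) hook="$1"; shift; "$hook" "$@" ;;
esac
```

The TXT record is created with a short TTL and removed again in clean_challenge, so stale challenge records do not accumulate in the zone; the propagation wait mirrors the manual "dig to 8.8.8.8" check, because Let's Encrypt will otherwise query before the record is visible.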
