Acme Easy to renew certificates

[bruno-albino]

Hi !! I am using your library to generate the certificates through DNS challenges. I wonder how can I get/expand your library to renew those certificates as well ?

[JonahGroendal]

Hey Bruno, thanks for using the library!

I think that could be a good idea but one thing to consider is this library currently cannot complete the DNS challenge by itself, it can only communicate with Let's Encrypt (or another cert authority) to request a challenge and then finalize it after the challenge is completed (i.e. after the DNS record is set by you or another program).

To do an auto renew feature we would have to make plugins to communicate with the various DNS hosts via their REST APIs. This isn't too difficult and in fact I already did this for Cloudfare in the test.js file, but it would require a bit of work.

If you have a specific DNS host in mind and are willing to write a plugin for it, feel free to submit a PR. Take a look at how I did it in test.js for reference.

[bruno-albino]

@JonahGroendal thanks for the quick response. I don't want to do auto renew. So how can I comunicate with lets encrypt to renew a specific certificate manually through your library ?

I am assuming that don't need to submit a new challenge every time when the certificate is to be renewed

[JonahGroendal]

@bruno-albino As a part of the ACME protocol, you do need to do the challenge every time you renew a certificate. In fact renewing is the same as issuing a new certificate.

May I ask what application you are using this library for? If you're just hosting a website I would recommend using certbot instead.

[bruno-albino]

I am implementing a application so end users can submit their dns challenge manually and then generate the certificate. Until now, this library worked for me, but now I need to manually renew those certificates (uploaded in Fastly)

[bruno-albino]

Oh I just found that if I request the renew within 30 days the challenges is still valid. So I just need to generate a new one again :) Thanks anyway

[JonahGroendal]

Oh very cool! This is the perfect library for that, well, besides for not being able to renew. You could implement an auto renew feature by having the user input an auth token for the domain host they use... This would allow you to renew the certificates for them every month, but it would also allow you to to MITM their website so it wouldn't be the most secure solution for them.

[JonahGroendal]

Oh I just found that if I request the renew within 30 days the challenges is still valid. So I just need to generate a new one again :) Thanks anyway

Really? That's very interesting. I thought I read in RFC 8555 that you had to dp the challenge again, my bad. Do you have a link to that info?

[JonahGroendal]

Oh I just found that if I request the renew within 30 days the challenges is still valid. So I just need to generate a new one again :) Thanks anyway

Of that's the case I can update the library to support that

[bruno-albino]

bad

Is this one: https://community.letsencrypt.org/t/will-renewal-always-require-new-dns-acme-challenge-txt/102820/5

[JonahGroendal]

Ok so it looks like you can only renew once without having to do the challenge again, and that only gets you an extra 30 days

[bruno-albino]

yep. I did try here with the staging endpoint and worked. The order has the "valid" status in it

[JonahGroendal]

Oh nice, I guess I don't have to change anything then

[bruno-albino]

Nothing at all. Thanks for your time. and great job with this one !!

[JonahGroendal]

My pleasure, glad I could help. And thanks!