Force renew certificate #42

Closed
gregkare opened this issue Jan 26, 2017 · 6 comments

Comments

@gregkare
Contributor

I've been working on a feature for our hosting setup that generates Let's Encrypt certificates using lua-resty-auto-ssl to force the renewal of a certificate (this would be useful in case of a security issue with Let's Encrypt, for example one having to do with OpenSSL that forces a renewal of all certs).

Here's what I have done so far:

  • Deleted all Redis keys for the domain (domain..":latest")
  • Deleted "domain:fullchain_der:"..domain and "domain:privkey_der:"..domain from the nginx cache
  • Deleted cert.csr, cert.pem, chain.pem, fullchain.pem and privkey.pem from /etc/resty-auto-ssl/letsencrypt/certs/$domain

On the next request to the domain I do get new symlinks in /etc/resty-auto-ssl/letsencrypt/certs/$domain and the private key changes, but the cert remains the same. It looks like Let's Encrypt is returning the same cert somehow, or did I miss something?

Is there a feature in lua-resty-auto-ssl that's calling dehydrated to force renewal that I missed, or is this something that would need to be implemented?

Thanks!

@gregkare
Contributor Author

gregkare commented Feb 6, 2017

Do you need more information about this issue? Thanks in advance

@GUI
Collaborator

GUI commented Feb 7, 2017

Sorry for the delay. The process you outlined seems like it should work, so I'm not sure why you're still getting the old certificates. If /etc/resty-auto-ssl/letsencrypt/certs/$domain/privkey.pem is changing contents, then it would seem strange for /etc/resty-auto-ssl/letsencrypt/certs/$domain/cert.pem to remain the same.

I haven't had a chance to try and reproduce this, but as a first step, you might try enabling nginx debug logging (error_log /path/to/error.log debug) and then trigger this forced renewal again. Nginx's debug log will return a ton of output, but if you look for the line starting with auto-ssl: dehydrated output:, that should show the dehydrated script's raw output, which might help show what's going on with the renewal.

@gregkare
Contributor Author

I finally took some time to try this again with the debug log. There's nothing out of the ordinary in the dehydrated log. The cert files are actually different, but the cert's validity contains the same dates, so I thought they were the same. It looks like Let's Encrypt is returning a new cert with the existing validity dates (when the cert doesn't need to be renewed).

I'm closing this one, thanks
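The point that came out of this thread, that two certificates with identical validity dates are not necessarily the same certificate, can be checked directly rather than by eyeballing dates. The following is an added example (my own code, not part of lua-resty-auto-ssl or dehydrated) that compares the cert.pem saved before a forced renewal against the one written afterwards by serial number and SHA-256 fingerprint, using only the Python standard library. The sample certificates it builds are constructed stand-ins that carry only the fields the parser reads; they are not real Let's Encrypt certificates, and all function names are my own.

```python
"""Decide whether a forced renewal actually produced a new certificate.

Added example, not code from lua-resty-auto-ssl or dehydrated.  A small DER
walker pulls serialNumber and validity out of tbsCertificate, and the SHA-256
of the DER bytes serves as the fingerprint.  The decision is made on
fingerprint and serial, never on validity dates alone.
"""
import hashlib
import ssl
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    # 0x17 = UTCTime (YYMMDDHHMMSSZ), otherwise GeneralizedTime (YYYYMMDDHHMMSSZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_identity(der):
    """Return serial, validity window and SHA-256 fingerprint of a DER certificate."""
    _, cert_body, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs = _children(cert_body)[0]            # tbsCertificate
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0        # skip EXPLICIT [0] version if present
    serial = int.from_bytes(fields[i][1], "big", signed=True)
    not_before, not_after = (_parse_time(t, v) for t, v in _children(fields[i + 3][1]))
    return {"serial": serial, "not_before": not_before, "not_after": not_after,
            "sha256": hashlib.sha256(der).hexdigest()}


def same_validity(old_der, new_der):
    a, b = cert_identity(old_der), cert_identity(new_der)
    return (a["not_before"], a["not_after"]) == (b["not_before"], b["not_after"])


def was_renewed(old_der, new_der):
    """True only if the CA issued a genuinely different certificate."""
    a, b = cert_identity(old_der), cert_identity(new_der)
    return a["sha256"] != b["sha256"] and a["serial"] != b["serial"]


def compare_cert_pems(old_pem, new_pem):
    """Take the text of two PEM files (e.g. a saved copy of cert.pem and the
    file written after the forced renewal); return (renewed, same_dates)."""
    old_der, new_der = ssl.PEM_cert_to_DER_cert(old_pem), ssl.PEM_cert_to_DER_cert(new_pem)
    return was_renewed(old_der, new_der), same_validity(old_der, new_der)


# --- constructed sample input (not real certificates) ------------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(serial, not_before, not_after):
    """Certificate-shaped DER carrying only the fields the parser reads.  It is
    unsigned and would validate nowhere; it exists to exercise the logic offline."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                                      # version v3
               + _tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))   # serialNumber
               + sha256_rsa                                                         # signature
               + _tlv(0x30, b"")                                                    # issuer (empty)
               + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
               + _tlv(0x30, b"")                                                    # subject (empty)
               + _tlv(0x30, b""))                                                   # subjectPublicKeyInfo
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))


def sample_pem(serial, not_before, not_after):
    return ssl.DER_cert_to_PEM_cert(build_sample_cert(serial, not_before, not_after))


if __name__ == "__main__":
    old = sample_pem(0x1001, "230101000000Z", "230401000000Z")
    new = sample_pem(0x1002, "230101000000Z", "230401000000Z")
    print("renewed, same dates:", compare_cert_pems(old, new))   # (True, True)
```

On a real host the two arguments to compare_cert_pems would be the contents of the cert.pem copied aside before deleting the domain's files and the cert.pem found in /etc/resty-auto-ssl/letsencrypt/certs/$domain after the next request; a (True, True) result is exactly the situation described above, a new certificate whose dates happen to match the old one.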

@domahub

domahub commented Jul 17, 2017

Sorry to post on a closed topic, but if I am not using Redis, would simply deleting the /etc/resty-auto-ssl/letsencrypt/certs/$domain directory work in forcing a new certificate? For testing purposes, I'd like to test the domain but I only have one test domain to work with, so I'd need to delete any previous certificates to try to dynamically create one again.

@bryanus

bryanus commented Sep 11, 2018

> Sorry to post on a closed topic, but if I am not using Redis, would simply deleting the /etc/resty-auto-ssl/letsencrypt/certs/$domain directory work in forcing a new certificate? For testing purposes, I'd like to test the domain but I only have one test domain to work with, so I'd need to delete any previous certificates to try to dynamically create one again.

You would need to also delete the domain's files in /etc/resty-auto-ssl/storage, then restart your server to purge the cert from its cache.

@kpagcha

kpagcha commented Feb 18, 2022

I've had times where even after restarting the server, the expired cached cert would be served. How can I delete cached certs manually?
