Renew certificate #165
Comments
Yes, you have to renew every three months. The certificates issued by Let's Encrypt only last that long. The trick to renewing is just to run the process again but with a different IdentifierRef passed into New-ACMEIdentifier. Run through the process again and you have a new certificate.
I don't understand... Change this?
Yes, you will keep the domain name but change the alias.
New-ACMEIdentifier -Dns myDomain.com -Alias something-else
The alias is a name you create. It does not mean anything. It is an identifier that links some information needed by Let's Encrypt with your domain name. My recommendation is that you add the date to the alias. Something like:
New-ACMEIdentifier -Dns myDomain.com -Alias "myDomain.com-2016-09-22"
Is it possible to keep the same private key?
You don't need to create a new identifier to renew a cert. You can just start with New-ACMECertificate.
Ok, so basically these are the steps to get a renewed cert? (Just changing the Alias for each renewal?)
Yep, that's about it. You'll be able to keep doing this every ~90 days until your validation for the domain name(s) on the certs expires, which I believe is a little over 1 year, then you'll have to re-validate your ownership of the domains again.
Closing the ticket -- if anyone still has problems or more questions, keep commenting.
I wrote up my experiences with automating renewal of certificates with ACMESharp on my blog, in case anyone else finds it useful: https://marc.durdin.net/2016/11/automating-certificate-renewal-with-lets-encrypt-and-acmesharp-on-windows/
The 'Expires' date on my dns identifier hasn't changed after I created a new certificate from that alias. ?? It still expires in 10 days. ?? I did exactly the same thing mentioned by Sparticuz...
Maybe something changed? Maybe the 'expires' date gets updated later? I say that because I noticed that I created a new challenge then ran
and it returned an expires date of 3 days from now but when checking again later it returned exactly 60 days from today. >> Am I missing something or just impatient? I thought that I did not need to start with all the challenge steps as well? i.e.
Here's what I've deduced based on experience and reading what relevant information I can find. When Let's Encrypt issues a certificate for a given key the record in the Let's Encrypt servers will only allow that key to be used for (I think this number is correct but you can check) 292 days (why 292? Who knows). When you initially create a certificate for a key the certificate will be valid for 90 days. You can regenerate but when using the same key eventually the certificate will run up against the 292 day limit. An ACMESharp 'IdentifierRef' or 'alias' is an alias for an LE key. When you use the -Generate option you are asking ACMESharp to request a new certificate using some key associated with an alias. Initially this command will be able to generate a 'new' certificate with a 90 day expiration period. But eventually, the new 'new' certificate will hit the 292 day limit and, so, the certificate expiration will be shorter than 90 days. My recommendation is that you always create a new alias so a new key is created. @whereisaaron has published a script that handles the dns-01 method if you are using AWS Route 53 https://github.com/whereisaaron/acmesharp-update-certificate
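The renewal flow the thread settles on (new dated alias, new key, dns-01 completed by hand, cert exported as PFX), written out as an added example. This is not code from the thread or from the ACMESharp project. The cmdlet names are ACMESharp's; the object property names (.Challenges, .Challenge.RecordName, .Challenge.RecordValue, .Status, .Expires, .IssuerSerialNumber) and the -Overwrite switch are assumptions taken from how community scripts use the module, so check them with Get-Help against your installed version.

```powershell
# Added example (not from the ACMESharp project or this thread): one manual dns-01 renewal
# run that follows the advice above of creating a fresh identifier alias and a fresh key
# on every renewal. Property names marked ASSUMED should be checked against your module.
param(
    [Parameter(Mandatory)] [string] $Domain,              # e.g. myDomain.com
    [string] $ExportDir = "$env:USERPROFILE\certs",
    [string] $PfxPasswordEnvVar = 'ACME_PFX_PASSWORD'    # keep the PFX password out of the script
)

Import-Module ACMESharp

$stamp     = Get-Date -Format 'yyyy-MM-dd'
$idAlias   = "$Domain-$stamp"          # new alias  -> new authorization (thread's recommendation)
$certAlias = "$Domain-cert-$stamp"     # new cert alias + -Generate -> new private key

# 1. Register the DNS identifier under a dated alias.
New-ACMEIdentifier -Dns $Domain -Alias $idAlias | Out-Null

# 2. Ask for the dns-01 challenge; -Handler manual only computes the TXT record to publish.
$ident = Complete-ACMEChallenge -IdentifierRef $idAlias -ChallengeType dns-01 -Handler manual
$dns   = $ident.Challenges | Where-Object { $_.Type -eq 'dns-01' }   # ASSUMED property names
Write-Host "Create this TXT record at your DNS provider:"
Write-Host "  name : $($dns.Challenge.RecordName)"
Write-Host "  value: $($dns.Challenge.RecordValue)"
Read-Host 'Press Enter once the TXT record is published (mind the TTL)'

# 3. Ask Let's Encrypt to validate, then poll the authorization until it leaves 'pending'.
Submit-ACMEChallenge -IdentifierRef $idAlias -ChallengeType dns-01 | Out-Null
do {
    Start-Sleep -Seconds 10
    $ident = Update-ACMEIdentifier -IdentifierRef $idAlias -ChallengeType dns-01
    Write-Host "Authorization status: $($ident.Status)"
} while ($ident.Status -eq 'pending')

if ($ident.Status -ne 'valid') {
    throw "Authorization for $Domain ended in status '$($ident.Status)'; not requesting a certificate."
}
# This date is the authorization lifetime, not the certificate lifetime (see the confusion later in the thread).
Write-Host "Authorization valid until $($ident.Expires)"

# 4. Generate a new key and CSR, submit it, and wait for issuance.
New-ACMECertificate -IdentifierRef $idAlias -Generate -Alias $certAlias | Out-Null
Submit-ACMECertificate -CertificateRef $certAlias | Out-Null
do {
    Start-Sleep -Seconds 5
    $cert = Update-ACMECertificate -CertificateRef $certAlias
} while (-not $cert.IssuerSerialNumber)   # ASSUMED: populated once the CA has issued

# 5. Export the PFX; the certificate itself is good for 90 days from issuance.
$pfxPass = [Environment]::GetEnvironmentVariable($PfxPasswordEnvVar)
if (-not $pfxPass) { throw "Set the $PfxPasswordEnvVar environment variable before running." }
New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
$pfxPath = Join-Path $ExportDir "$Domain-$stamp.pfx"
Get-ACMECertificate -CertificateRef $certAlias -ExportPkcs12 $pfxPath -CertificatePassword $pfxPass -Overwrite | Out-Null
Write-Host "Exported $pfxPath"
```

Because the alias carries the date, every run leaves the previous identifier and certificate untouched in the vault, which makes it easy to compare the old and new entries when something looks wrong, as happens later in this thread.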
And, yes, I reviewed this batch file that @whereisaaron created -- I understand all the steps and think that I'm doing the same thing. NOTE: I'm using dns-01 with some very inexpensive dns/email provider that I bought with a coupon (occupational hazard -- lol) so I must make updates through their web interface - i.e. by hand. This morning I am confused. (And I thought that I understood how it's all supposed to work). #1. I took the advice and created a new identifier, certificate, etc. for the Danish subdomain of my Qpongo.eu coupon site...
(as far as I can tell these are exactly the same steps as this batch file but I list them here for completeness) #2. But running "Update-ACMEIdentifier qdns1013_170117" still says that the certificate identifier expires in two weeks even though I just created a new one.
#3. HOWEVER, I installed the .pfx (actual certificate) and it says that it expires in 90 days. >> What am I not understanding? Why is the date not changing with the newly created identifier (alias)? PS Here are all the commands from Aaron's script...
I think what you are being confused about is the meaning of 'expiry'. When a challenge is submitted using the http-01 method the challenge attempt by Let's Encrypt will succeed or fail right away. When using dns-01 I think things are different because it's a step that is not necessarily in the certificate applicant's control. Because DNS servers are usually run by a third party, and are subject to TTL values, you may have entered your new TXT record value but that value may take days to propagate to other DNS servers even if the host company makes the changes to their own servers immediately. Let's Encrypt servers will try to validate the DNS TXT entry many times but not indefinitely. I think the expiry date in the update response is the date before which the LE servers will attempt to access your DNS TXT record. A grace period. After this date the attempt to validate the alias will be abandoned and marked as invalid. The actual certificate expires in 90 days as it should.
I think it might be a little bit different still -- the Identifier expiration is when the Identifier verification will expire. In other words you have 10 more days to request additional certs against this Identifier. After 10 days you'll need to submit a new Identifier request (even though it's for the same DNS name) and verify it again, i.e. complete the DNS or HTTP challenge to prove you own/control it.
Thanks to both of you.
In my case it is verified almost immediately but the expiration never changes, even when I create a completely new identifier and that has me confused (more later).
Here are actual screen prints from registering a NEW subdomain under our Polish Coupon site -- Qpongo Poland
Now I request and complete the dns-01 challenge by adding the record to my DNS server and the expiration date of the certificate bumps up to 60 days from today. Certificates that I create with this identifier will be good for 90 days and so far, this identifier expiration date has never changed, even when I create a new identifier for the same domain. Some identifiers are expiring this month so I guess I'll figure out what happens after that. The only thing that I do differently from the script by @whereisaaron is that I am not specifying -VaultProfile << not sure if that's related.
Hmm, the only thing I can think of is that the Identifier before it is validated has a 7-day expiration, in order to restrict the window of time when the challenges can be completed, and the Identifier after it is verified (challenges satisfied) is given a 60-day expiration. If I recall correctly, the verified Identifier expiration used to be considerably longer, but I might be thinking of just the Let's Encrypt staging environment, and maybe in PROD it is shorter for increased security. I didn't jot these thresholds down in the reference sheet so they may not be published anywhere.
I recently had a right mess trying to re-validate (complete a challenge on) an Identifier. In the end I just created a new Identifier. All the commands I tried didn't seem to extend the Expiry date held against the Identifier - even though the re-submitted Challenge showed as valid and up to date. Generally looks like it might be easier just to script my stuff to, every single time, create a new identifier and re-submit challenges even if the previous one is nowhere near expiry.
Oh, and there were some API changes made back in August that apparently recycle existing authorizations so that if you try to validate an existing DNS Identifier that has more than 24 hours left before it expires, you will receive back the same existing authorization object -- i.e. it will not be renewed/reissued with a new expiration date. Thanks to @jsha and @srvrco for the details. So all's well!
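The thread's confusion comes from two different dates: the authorization ('Identifier') expiry that Update-ACMEIdentifier reports, and the NotAfter of the issued certificate. The script below, an added example that is not from the thread or the ACMESharp project, reads both for each site and prints what is needed, using the rules stated in the comments above (authorization reused if more than 24 hours remain, certificate good for 90 days, new identifier otherwise). The hashtable layout, the .Status and .Expires property names, and the renewal threshold are assumptions of this example.

```powershell
# Added example (not from the thread or the ACMESharp project): report authorization expiry
# versus certificate expiry for each site and say which renewal path the thread recommends.
param(
    # ASSUMED layout: @{ 'myDomain.com' = @{ IdAlias = 'myDomain.com-2016-09-22'; Pfx = 'C:\certs\myDomain.com-2016-09-22.pfx' } }
    [Parameter(Mandatory)] [hashtable] $Sites,
    [int] $RenewCertWhenDaysLeft = 30,         # assumed policy: renew well before the 90-day cert lapses
    [string] $PfxPasswordEnvVar = 'ACME_PFX_PASSWORD'
)

Import-Module ACMESharp
$pfxPass = [Environment]::GetEnvironmentVariable($PfxPasswordEnvVar)
if (-not $pfxPass) { throw "Set the $PfxPasswordEnvVar environment variable before running." }

# Returns one report row per site; kept as a function so it can be reused from a scheduler.
function Get-RenewalReport {
    param([hashtable] $Sites, [int] $RenewCertWhenDaysLeft, [string] $PfxPass)
    $now = Get-Date
    foreach ($domain in $Sites.Keys) {
        $site = $Sites[$domain]

        # Authorization side: what Let's Encrypt still holds for this identifier.
        $ident    = Update-ACMEIdentifier -IdentifierRef $site.IdAlias      # refreshes Status/Expires from the CA
        $authExp  = [datetime]$ident.Expires                                # ASSUMED property name
        $authLeft = [math]::Round(($authExp - $now).TotalDays, 1)

        # Certificate side: NotAfter from the exported PFX, the date the server actually enforces.
        $x509     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($site.Pfx, $PfxPass)
        $certLeft = [math]::Round(($x509.NotAfter - $now).TotalDays, 1)

        # Decision logic taken from the thread's comments, not from any documented LE rule.
        if ($certLeft -gt $RenewCertWhenDaysLeft) {
            $action = 'nothing: certificate still has time'
        } elseif ($ident.Status -eq 'valid' -and $authLeft -gt 1) {
            # >24h left: LE hands back the same authorization, so New-ACMECertificate against it is enough.
            $action = 'New-ACMECertificate -Generate against existing identifier (new key, new cert alias)'
        } else {
            $action = 'create a NEW identifier (new alias), redo dns-01, then New-ACMECertificate -Generate'
        }

        [pscustomobject]@{
            Domain          = $domain
            AuthStatus      = $ident.Status
            AuthDaysLeft    = $authLeft          # the 'Expires' the thread was puzzled by
            CertDaysLeft    = $certLeft          # the 90-day lifetime of the PFX
            CertThumbprint  = $x509.Thumbprint
            Action          = $action
        }
    }
}

Get-RenewalReport -Sites $Sites -RenewCertWhenDaysLeft $RenewCertWhenDaysLeft -PfxPass $pfxPass | Format-Table -AutoSize
```

Run it on a schedule and alert on CertDaysLeft rather than AuthDaysLeft: an authorization that lapses only costs a repeated challenge, whereas a certificate that lapses takes the site down.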
Thanks @ebekker for the link -- very helpful!
How do you renew the certificate?
Do I need to run the script from step 7 in your quick start page every 3 months?