
Expand SAN certificates? #189

Closed
lpkant opened this issue Apr 8, 2016 · 9 comments

Comments


lpkant commented Apr 8, 2016

Hi @lone-coder,
thanks for developing such a useful application!! :-)

I got a question though - we happen to have multiple domains in one certificate and add new domains once in a while (~1-2 a month).
Currently, as I understand it, if you use --san (manual mode) you are issuing a completely new certificate whenever you want to extend it. Therefore the existing certificate remains as well, and at expiry time you get warning mails from LE...

Is there a way to expand the certificate and let it replace the old one?

I found an option (--expand) in the official documentation - but it looks like there is no reference to it in your code or in @ebekker's ACMESharp either ...
http://letsencrypt.readthedocs.org/en/latest/man/letsencrypt.html?highlight=expand

Thanks for helping or giving some advice! :-)

Regards lpk

Collaborator

rkerber commented Apr 8, 2016

Until it's supported in ACMESharp, there is really nothing we can do.

@Trumf-dk

I think this will be possible when Revocation has been implemented in ACMESharp. It is set for the milestone 0.8.5 ebekker/ACMESharp#103
My problem is that I have too many certificates for the same domain and need to have some renewals "time out" so I can make SANs instead.
I'm testing a new plugin for deleting renewals and hope to upload it later today. This will only be a temporary solution though...

Regards Trumf

Collaborator

rkerber commented Apr 10, 2016

@Trumf-dk, the renewal system is going to be completely rewritten soon to not use the registry, so take that into account when working on your plugin.

@Trumf-dk

I need this function and can't wait so I will rewrite it when it is done. It would be nice to have a roadmap so it will be easier to plan things like this. I have thought of rewriting to use central store as well and will start when another plugin I need is done...

Collaborator

rkerber commented Apr 10, 2016

Linking to Revocation enhancement request #78

Member

WouterTinus commented Aug 23, 2017

v1.9.5 will support this by re-scanning the bindings of IIS websites before renewal, but I just realised that the older certificate will still expire. I will have to check out how hard it would be to revoke the older certificate on such changes.

@WouterTinus WouterTinus modified the milestone: v1.9.5 Aug 23, 2017
@WouterTinus WouterTinus removed this from the v1.9.5 milestone Sep 4, 2017
@WouterTinus
Member

I want to make this a bit more clear so we get it right.

  • Let's say you have set up a SAN certificate for a.example.com and b.example.com
  • You add a binding to IIS, c.example.com
  • You run WACS, it detects the new binding
  • It requests a new SAN certificate for a.example.com, b.example.com and c.example.com

Now, after some weeks, Let's Encrypt will start warning you that your [a-b] certificate is going to expire, while you don't need it anymore. Is the correct way to prevent that to revoke the certificate? Or is there another way to tell the ACME server that we stopped caring?

I couldn't find one in the protocol, but a revoke seems a bit harsh, implying a security breach and unnecessarily adding to the CRL.

@cpu?


cpu commented Feb 26, 2018

Hi @WouterTinus,

Is the correct way to prevent that to revoke the certificate?

Revocation is not recommended by Let's Encrypt except for key compromise.

Or is there another way to tell the ACME server that we stopped caring?

There isn't a general way to tell the ACME server that you don't want expiration warnings for the now replaced certificate. ACME has no notion of expiration warnings at all; that's a Let's Encrypt specific feature. You could unsubscribe from the expiration warnings via the link in the email (or delete your ACME account contact), but this will have the effect of silencing all expiration warnings, not just those for a specific certificate. We have some open issues related to this (letsencrypt/boulder#2475, letsencrypt/boulder#1396), but unfortunately they require us to stand up a whole new service in front of our mail provider's API and it's a fair bit of work blocked by higher priority items.

@WouterTinus
Member

Thanks for your insight @cpu! Then we'll keep this open just in case those issues get resolved sometime in the future, but we definitely won't do the revoke.
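The binding re-scan WouterTinus describes (a SAN certificate for a.example.com and b.example.com, a new c.example.com binding appears, the client requests a certificate for all three) and cpu's guidance (the replaced certificate stays valid until it expires and Let's Encrypt will mail about it; do not revoke it for that) can be modelled in a few lines. The following is an added illustration written for this thread, not win-acme's or ACMESharp's own code: it takes IIS-style "ip:port:host" binding strings and a constructed list of previously issued certificates (placeholder thumbprints, made-up dates), decides whether an existing certificate still covers every bound host, and otherwise reports the SAN list to request plus the superseded certificates whose expiry warnings the operator should expect rather than act on.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IssuedCert:
    """One certificate the client obtained earlier (constructed model, not a real store)."""
    thumbprint: str   # placeholder label, not a real thumbprint
    sans: frozenset   # DNS names from the Subject Alternative Name extension
    not_after: date   # expiry date


def hosts_from_bindings(bindings):
    """Collect host headers from IIS binding information strings ("ip:port:host").

    Bindings without a host header (e.g. "*:80:") cannot be matched to a SAN
    entry and are skipped, as are malformed strings.
    """
    hosts = set()
    for binding in bindings:
        parts = binding.split(":")
        if len(parts) != 3 or not parts[2]:
            continue
        hosts.add(parts[2].strip().lower())
    return frozenset(hosts)


def covering_cert(certs, hosts, today):
    """Newest unexpired certificate whose SAN list contains every bound host, else None."""
    candidates = [c for c in certs if c.not_after > today and hosts <= c.sans]
    return max(candidates, key=lambda c: c.not_after) if candidates else None


def plan_renewal(certs, bindings, today):
    """Decide whether the binding re-scan requires a new SAN certificate.

    action      'keep' if an existing certificate already covers all bound hosts,
                'reissue' if a certificate for the union of hosts must be requested
    sans        the host list the existing or new certificate covers
    superseded  unexpired certificates whose SAN set is a strict subset of the new
                one: they remain valid until not_after, Let's Encrypt will send
                expiry warnings for them, and that is expected, not a reason to revoke
    """
    hosts = hosts_from_bindings(bindings)
    current = covering_cert(certs, hosts, today)
    if current is not None:
        return {"action": "keep", "cert": current.thumbprint,
                "sans": sorted(hosts), "superseded": []}
    superseded = sorted(
        (c.thumbprint, c.not_after)
        for c in certs
        if c.not_after > today and c.sans < hosts
    )
    return {"action": "reissue", "cert": None,
            "sans": sorted(hosts), "superseded": superseded}


# Constructed sample data mirroring the scenario in the thread.
TODAY = date(2017, 8, 23)
CERT_AB = IssuedCert("thumb-ab (placeholder)",
                     frozenset({"a.example.com", "b.example.com"}), date(2017, 11, 20))
CERT_OLD = IssuedCert("thumb-old (placeholder)",
                      frozenset({"a.example.com"}), date(2017, 6, 1))  # already expired
CERTS = [CERT_OLD, CERT_AB]
BINDINGS_BEFORE = ["*:443:a.example.com", "*:443:b.example.com", "*:80:"]
BINDINGS_AFTER = BINDINGS_BEFORE + ["*:443:c.example.com"]

if __name__ == "__main__":
    print(plan_renewal(CERTS, BINDINGS_BEFORE, TODAY))   # keep thumb-ab
    print(plan_renewal(CERTS, BINDINGS_AFTER, TODAY))    # reissue for a, b, c; thumb-ab superseded
```

Removing a binding does not trigger a reissue here (the old certificate is a superset and still covers everything bound), which matches the "re-scan before renewal" behaviour: only a host that no certificate covers forces a new request. The superseded list is what an operator would check against incoming expiry mails before concluding that something is wrong with renewal.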
