@gregmac
Last active April 27, 2018 21:43
LetsEncrypt certificate issuance notes

Some random tests of certbot (0.22) behaviour, as part of an effort to script its usage.

Setup:

  • *.wildcard.example.org DNS points at this server, so HTTP-01 auth works.
  • CERTBOT_PARAMS=" --test-cert --email me@example.org --agree-tos --webroot --webroot-path /var/www/html --non-interactive"

Add a domain, without --expand

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test2.wildcard.example.org 

Fails. You have to use --expand (or --cert-name).

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test2.wildcard.example.org --expand

Works: Updates the certificate to include the new domain.

Add AND remove a domain with --expand

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test3.wildcard.example.org --expand

Creates a new, separate test1.wildcard.example.org-0001 certificate rather than updating the existing one.

Arbitrary name

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org --cert-name test1

Works great! Gets put in /etc/letsencrypt/live/test1/fullchain.pem

Add AND remove a domain, with named certificate

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org --cert-name test1

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test2.wildcard.example.org --cert-name test1

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test3.wildcard.example.org --cert-name test1

Works great! Only maintains a single certificate in /etc/letsencrypt/live/test1/fullchain.pem.

Totally change all domains, with named certificate

certbot certonly $CERTBOT_PARAMS --domains test21.wildcard.example.org,test22.wildcard.example.org --cert-name test2

certbot certonly $CERTBOT_PARAMS --domains test24.wildcard.example.org,test25.wildcard.example.org --cert-name test2

Works great!

Fail some, with --allow-subset-of-names

certbot certonly $CERTBOT_PARAMS --domains test1.wildcard.example.org,test3.other.example.com --cert-name test3 --allow-subset-of-names

As expected, the certificate only contains the name that validated.

Exit code: 0

Fail all, with --allow-subset-of-names

certbot certonly $CERTBOT_PARAMS --domains test1.example.org,test3.other.example.com --cert-name test3 --allow-subset-of-names

Fails entirely. This makes sense.

Exit code: 1

Create multi-domain certificate with DNS verifications

certbot certonly --email ... --test-cert --agree-tos --manual -d one.example.org,two.example.org --preferred-challenge dns
  • Prompts to create a TXT record at _acme-challenge.one.example.org containing a random validation value
  • Prompts to create a TXT record at _acme-challenge.two.example.org containing a (different) random validation value

Parse the output of certbot certificates

Output format (one line per certificate):

certname{tab} domain1.com domain2.com ...

certbot certificates | tr '\n' ' ' | grep -oP "[^ ]+ +Domains: *.*?  " | sed 's/ *Domains: */\t /g;'

Requires GNU grep (for -oP) and GNU sed (for \t in the replacement). The non-greedy match ends at the first run of two spaces, which is the indentation of the "Expiry Date:" line that follows the domain list once newlines have been turned into spaces.
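An added example, not from the gist: the same parsing done with awk (no dependence on GNU grep/sed), plus a check a wrapper script can use before issuing, to see whether a named lineage already covers exactly the wanted domains and so whether a --cert-name run is needed at all. SAMPLE is constructed text mimicking the certbot 0.22 layout, not captured output.

```sh
# Constructed sample of `certbot certificates` output (not a real capture).
SAMPLE='Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: test1
    Domains: test1.wildcard.example.org test3.wildcard.example.org
    Expiry Date: 2018-07-26 21:43:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/test1/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test1/privkey.pem
  Certificate Name: test2
    Domains: test24.wildcard.example.org test25.wildcard.example.org
    Expiry Date: 2018-07-26 21:43:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/test2/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test2/privkey.pem
-------------------------------------------------------------------------------'

# Print one "name<TAB>domain1 domain2 ..." line per lineage. Reads stdin, so it
# can be fed either $SAMPLE or a live `certbot certificates`.
cert_domains() {
  awk '/^ *Certificate Name:/ { name = $3 }
       /^ *Domains:/         { sub(/^ *Domains: */, ""); print name "\t" $0 }'
}

# Domains of lineage $1, sorted one per line (empty when the name is unknown).
lineage_domains() {
  cert_domains | awk -F '\t' -v want="$1" '$1 == want { print $2 }' \
    | tr ' ' '\n' | grep -v '^$' | sort
}

# Succeed (exit 0) when lineage $1 already covers exactly the domains given as
# the remaining arguments, in any order; fail otherwise.
lineage_matches() {
  name=$1; shift
  have=$(lineage_domains "$name")
  want=$(printf '%s\n' "$@" | sort)
  [ -n "$have" ] && [ "$have" = "$want" ]
}

# Usage in a wrapper: skip the certonly call when nothing changed.
# printf '%s\n' "$SAMPLE" | lineage_matches test1 test1.wildcard.example.org test3.wildcard.example.org
```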