Set up renewal without requesting a new cert? #2540
Hi Philip, you can create a renewal without actually requesting a certificate by planting a JSON file in

If you want to go one step further and trick win-acme to only renew when the certificate is actually due (as opposed to whenever it first runs after you've recreated your environment), you'll also have to fake the history and certificate cache. At that point it might be easier to simply persist the whole

Another solution could be to use a centralized "certificate server", which runs win-acme and places the certificate in S3. That server might only need to run 30 minutes per day to keep costs down. Then run a PowerShell script in a scheduled task on the web nodes to pull the latest/updated certificate when it's available.
My attempt at saving off the *.renewal.json file didn't work so well. I just added a bit of code to the script that I was giving to wacs's "--installation script", having it save the json file to S3 along with the cert and pw. But it didn't work. I think it's because wacs runs the script first, and creates the renewal.json file after the script is run. (Either that or there was a bug in my script. But it couldn't be that. :-p )

Saving off the whole win-acme folder seems a big hammer. And having to turn off encryption makes it that much more "difficult", and that much less secure. So, nah. Thanks anyway.

Creating another server instance to do the job also seems a big hammer. I mean, yeah, only running it a little while a day reduces cost, but it's still a big hammer, just stowed away in the toolchest much of the time.

I'm finally realizing that the reluctance I expressed in my original post about doing a Scheduled Task myself is perhaps unjustified. It's beginning to seem now to be by far the simplest approach. Previously, on the newly launched instance, I was doing a cert request unconditionally. Well, I just have to tweak that a bit. If there's no cert in S3 yet (bootstrap), or if the expiration date of the cert in S3 is "imminent", then go ahead and do the cert request immediately, just as I was doing before (except with the added stick-cert-and-pw-in-s3 bit). Else, set up a scheduled task, for "shortly" before the acquired-from-s3 cert's expiration, that runs exactly the same cert request command as we would have run immediately if we didn't have a long-lived cert. My scheduled task can be a one-and-done, because when it fires, the wacs command it runs will do its renewal thing.

Seems pretty easy, really. Kinda makes me wonder why I had so much trouble getting there.
I started this at https://community.letsencrypt.org/t/windows-certbot-install-unattended/213211, but got a fair few responses from folks who weren't WinAcme experts, so thought I'd move the discussion here.
So you don't have to go there if you don't want to, I'll try to summarize that thread here before adding the latest.
I'm providing AWS PaaS for a customer's website. A development environment and a prod environment. Both are certified with Let's Encrypt via WinAcme.
The way we were doing the certs:
The Devs would put a zip of their website update in S3, which triggered a lambda that launched a new instance, installed all the needed stuff on that new instance (IIS, dotnet, winacme, yada yada), pulled the zip file out of S3, unzipped it, gave it to IIS to serve. And WinAcme would be used to get a new cert for it.
The problem with this method:
Because WinAcme is being run on a brand new instance, there's no WinAcme context on it. So it has no choice but to request a new cert. And, well, there's a limit to how many new certs Let's Encrypt will let you request. So, in a particularly productive (or buggy) week, we have hit that limit.
An attempted solution:
When requesting a new cert, instead of running the wacs command with just "--source iis", as I was doing previously, I ran it with the "--source iis" argument (to get it installed for right now), and "--source manual --installation script...", where the script sticks the cert and password in s3 for later use. Then, when launching/building a new version of the website instance, instead of calling wacs to get the cert (which would request a new cert from Let's Encrypt, which I'm trying to cut down on), the instance's UserData uses plain ol' PowerShell commands (no wacs) to fetch the cert and pw out of s3, stick it in the system's cert store, and give it to the IIS bindings. And that works, as far as it goes. The website has a valid cert, and we didn't have to dip into our Let's Encrypt limit to do it. But...
The problem with the attempted solution:
Renewal. After getting the cert installed out of S3 into cert-store/IIS behind wacs's back, there's no automated renewal setup. I looked for some wacs command line to set up renewal (--setupscheduler looked promising), but, not too surprisingly due to missing context, every command line I've attempted seems to want to go out to Let's Encrypt and get a new cert.
And speaking of context, I'm wondering, is there some sort of context -- config file, cached cert, whatever -- that I could copy off the prior instance (the one on which I ran the "wacs ... --source manual --installation script ..." command) into S3, and then, on the newly launched instance, copy all that context back? Could that work?
Or is there some other, better way to go about this?
I suppose I could just work it out by creating my own Windows Scheduled Task. That may be what I end up doing if necessary. But it seems like there should be a way to do this with wacs. I think.
Thanks in advance for any help you can provide.
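Putting the bootstrap pull from this post together with the expiry-based plan from the follow-up reply (request a cert right away only when S3 is empty or the stored cert is about to expire, otherwise install the stored cert and register a one-shot task that runs the same wacs request later), as an added example: this is not win-acme's code or the poster's script, and the bucket name, object keys, site name, wacs path and the 14-day window are assumptions.

```powershell
# Added example, not win-acme's own code. Assumed: AWS Tools for PowerShell,
# the WebAdministration/PKI modules, and that an earlier wacs run's installation
# script stored cert.pfx and cert.pw in the bucket (names are placeholders).
param(
    [string]$Bucket   = 'example-cert-bucket',
    [string]$SiteName = 'Default Web Site',
    [string]$WacsPath = 'C:\win-acme\wacs.exe',
    [int]$RenewDaysBefore = 14
)
Import-Module WebAdministration
$work = Join-Path $env:TEMP 'certboot'
New-Item -ItemType Directory -Force -Path $work | Out-Null
# Same request as the bootstrap run; append your own --installation script args.
$wacsArgs = @('--source', 'iis')

function Get-StoredCert {
    # Returns the stored cert, or $null on bootstrap (nothing in S3 yet).
    try {
        Read-S3Object -BucketName $Bucket -Key 'cert.pfx' -File "$work\cert.pfx" | Out-Null
        Read-S3Object -BucketName $Bucket -Key 'cert.pw'  -File "$work\cert.pw"  | Out-Null
    } catch { return $null }
    $pw = ConvertTo-SecureString (Get-Content "$work\cert.pw" -Raw).Trim() -AsPlainText -Force
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList "$work\cert.pfx", $pw
}

$stored = Get-StoredCert
if (-not $stored -or $stored.NotAfter -lt (Get-Date).AddDays($RenewDaysBefore)) {
    # Bootstrap or expiry imminent: the only path that spends a Let's Encrypt issuance.
    & $WacsPath @wacsArgs
} else {
    # Install the stored cert "behind wacs's back" and bind it to IIS.
    $pw   = ConvertTo-SecureString (Get-Content "$work\cert.pw" -Raw).Trim() -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath "$work\cert.pfx" `
        -CertStoreLocation Cert:\LocalMachine\My -Password $pw
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    (Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($cert.Thumbprint, 'my')
    # One-shot task: run the identical wacs request shortly before the stored cert expires.
    $action  = New-ScheduledTaskAction -Execute $WacsPath -Argument ($wacsArgs -join ' ')
    $trigger = New-ScheduledTaskTrigger -Once -At $stored.NotAfter.AddDays(-$RenewDaysBefore)
    Register-ScheduledTask -TaskName 'wacs-renew-once' -Action $action -Trigger $trigger `
        -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force | Out-Null
}
# Don't leave the PFX password lying around on the instance.
Remove-Item "$work\cert.pw" -Force -ErrorAction SilentlyContinue
```

Whoever can read cert.pfx and cert.pw in that bucket holds the site's private key, so the instance role should be scoped to just those two objects and the bucket kept private.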