run, renew and --days conceptual issue #693

Open
qknight opened this issue Oct 30, 2018 · 4 comments

qknight commented Oct 30, 2018

I have a problem understanding how to initially get certificates and how to renew them when doing script-based automation.

  1. My primary problem is: why does a `run` call change the already existing and correct certificates at all? Why would anyone want that? The output below shows that the files were changed.

  2. Why does `run` not support `--days=15`? What are the preconditions for `run`? Should I manually check whether there is a certificate file and a key, or should I first try to renew it and, if that fails, call `run`?

a call to run

When I call the `run` command it changes my certificates... why?

```console
root@mail /e/n/nixcloud-webservices# md5sum  /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/*
72ff023cded4240a0d4d9589f8b72d22  /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.crt
1a0c61157751e90ca73c58279f2ec64f  /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.json
187edad9763b5ed746fb4970c2951aac  /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.key
root@mail /e/n/nixcloud-webservices# systemctl restart  nixcloud.TLS-acmeSupplied-mail.nix.lt.service
root@mail /e/n/nixcloud-webservices# md5sum  /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/*
cd0b2410ba34dd80d8e055213baee1d9  /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.crt
9b7d9b1c1d45b26a4e5111e158031cda  /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.json
1055aa1c3e6fb727e5341527ef784d7a  /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.key
```

my code

At the moment I'm running this code:

```bash
#! /nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/bash -e
cd /var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied
#if [[ ! -e "/var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13/certificates/mail.nix.lt.crt" ]]; then
  echo "initial lego certificate query"
  /nix/store/9p7z4jqx46jbyc03593gw289jrm0l2k2-lego-1.0.1-bin/bin/lego --domains="mail.nix.lt" --email="[email protected]" --exclude="dns-01" --exclude="tls-alpn-01" --webroot="/run/nixcloud/lego/mail.nix.lt/challenges" --path="/var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13" --accept-tos --server="https://acme-staging-v02.api.letsencrypt.org/directory" run
#fi
echo "lego certificate renewal check"
/nix/store/9p7z4jqx46jbyc03593gw289jrm0l2k2-lego-1.0.1-bin/bin/lego --domains="mail.nix.lt" --email="[email protected]" --exclude="dns-01" --exclude="tls-alpn-01" --webroot="/run/nixcloud/lego/mail.nix.lt/challenges" --path="/var/lib/nixcloud/TLS/mail.nix.lt/acmeSupplied/a22e86e5860b94d340c2238421dbf853933db48d9127284a1f2374a3448e3c13" --accept-tos --server="https://acme-staging-v02.api.letsencrypt.org/directory" renew --days=15
```

Also: why is `--days=15` not a default? Why would I want to update the certificates on every call by default?

Oh, and the examples on the webpage, https://github.com/xenolf/lego#cli-example, are inconsistent in parameter handling. Should it not be `--days=15` in `lego --email="[email protected]" --domains="example.com" renew --days 30`, when all the other arguments use a `--foo=bar` syntax?


qknight commented Oct 30, 2018

Just for the record, my new code is now:

```nix
script = ''
  cd ${stateDir}/${identifier}/acmeSupplied
  echo "lego certificate renewal check"
  set +e
  ${pkgs.nixcloud.lego}/bin/lego ${allDomains} --email="${c.email}" --exclude="dns-01" --exclude="tls-alpn-01" --webroot="/run/nixcloud/lego/${identifier}/challenges" --path="${path}" --accept-tos --server="${c.acmeApiEndpoint}" renew --days=15
  status=$?
  echo "return code was $status"
  set -e

  if [ "$status" != "0" ]; then
      echo "initial lego certificate query"
      ${pkgs.nixcloud.lego}/bin/lego ${allDomains} --email="${c.email}" --exclude="dns-01" --exclude="tls-alpn-01" --webroot="/run/nixcloud/lego/${identifier}/challenges" --path="${path}" --accept-tos --server="${c.acmeApiEndpoint}" run
  fi
'';
```

This is an ugly hack, but until this is sorted it works.

@ldez ldez added the area/cli label Oct 30, 2018

ldez commented Nov 3, 2018

Similar to #216 and #290


anilech commented Nov 14, 2018

Hi. I use the following logic (pseudocode) in my script:

```
LEGOCMD=run
crtChkSum=NA
if ( (certificate.crt exist) and ((SANs in the certificate.crt) == (required domains)) ) {
  crtChkSum= md5(certificate)
  LEGOCMD="renew --days 45"
}
lego --all-other-options $LEGOCMD
if ( crtChkSum == (md5(certificate)) ) exit # certificate not changed
# perform new certificate actions like bounce webserver, send emails, format c:, etc ...
```


datafoo commented Jun 18, 2020

> Hi. I use the following logic in my script:
>
> ```
> LEGOCMD=run
> crtChkSum=NA
> if ( (certificate.crt exist) and ((SANs in the certificate.crt) == (required domains)) ) {
>   crtChkSum= md5(certificate)
>   LEGOCMD="renew --days 45"
> }
> lego --all-other-options $LEGOCMD
> if ( crtChkSum == (md5(certificate)) ) exit # certificate not changed
> # perform new certificate actions like bounce webserver, send emails, format c:, etc ...
> ```

Do you still use this logic today? Would you mind sharing your code, in particular the "SANs in the certificate.crt" part?

I found that the following code does the trick, but you may have something simpler/cleaner to share.

```shell
openssl x509 -text -in example.com.crt -noout | perl -l -0777 -ne '@names=/\bDNS:([^\s,]+)/g; print join("\n", sort @names);'
```
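The logic anilech sketched in pseudocode, together with the SAN-extraction step datafoo asks about, written out as a runnable POSIX shell script. This is an added example, not lego's own code and not code from any participant in this thread. It assumes `openssl`, `sha256sum` and the `lego` CLI on `PATH`, and it takes the `--path`, `--email`, `--server` and `--webroot` values from hypothetical `LEGO_PATH`, `LEGO_EMAIL`, `LEGO_SERVER` and `LEGO_WEBROOT` environment variables (the flags themselves are the ones used in the thread). The decision is split into a pure string comparison and a file-based wrapper so the decision can be exercised without a real certificate.

```shell
#!/bin/sh
# Added example (not lego's code): choose between `lego run` and `lego renew --days N`
# based on whether the existing certificate already covers the required domains,
# then run post-issuance hooks only when the certificate file actually changed.

# Extract DNS names from `openssl x509 -text` output on stdin, one per line, sorted.
# Non-DNS SAN entries (IP Address:, email:) are ignored.
parse_sans() {
  grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort -u
}

# DNS SANs of a PEM certificate file (requires openssl).
cert_sans() {
  openssl x509 -in "$1" -noout -text | parse_sans
}

# Content hash of the certificate file, or "none" when it does not exist yet.
# (Hashing the file is what the thread's md5sum check does; hashing the DER via
# `openssl x509 -fingerprint` would also ignore PEM whitespace differences.)
cert_fingerprint() {
  if [ -s "$1" ]; then sha256sum "$1" | cut -d' ' -f1; else echo none; fi
}

# Pure decision. $1 = newline-separated SANs of the current certificate (may be
# empty), $2 = renew window in days, remaining args = required domains.
# Prints "renew --days N" only when the SAN set equals the required set.
choose_subcommand() {
  local have=$1 days=$2 want
  shift 2
  want=$(printf '%s\n' "$@" | sort -u)
  if [ -n "$have" ] && [ "$have" = "$want" ]; then
    echo "renew --days $days"
  else
    echo run
  fi
}

# File-based decision: $1 = certificate path, $2 = days, rest = required domains.
lego_subcommand() {
  local cert=$1 days=$2
  shift 2
  if [ -s "$cert" ]; then
    choose_subcommand "$(cert_sans "$cert")" "$days" "$@"
  else
    echo run
  fi
}

# Full flow. $1 = certificate path lego writes, $2 = days, rest = required domains.
# Returns 0 when the certificate changed (hooks should run), 1 when unchanged,
# 2 when lego itself failed.
ensure_certificate() {
  local cert=$1 days=$2 before after sub domain_flags d
  shift 2
  before=$(cert_fingerprint "$cert")
  sub=$(lego_subcommand "$cert" "$days" "$@")
  domain_flags=""
  for d in "$@"; do domain_flags="$domain_flags --domains=$d"; done
  # $domain_flags and $sub are deliberately unquoted: each expands to several arguments.
  "${LEGO:-lego}" --path="$LEGO_PATH" --email="$LEGO_EMAIL" --server="$LEGO_SERVER" \
    --exclude="dns-01" --exclude="tls-alpn-01" --webroot="$LEGO_WEBROOT" --accept-tos \
    $domain_flags $sub || return 2
  after=$(cert_fingerprint "$cert")
  if [ "$before" = "$after" ]; then
    echo "certificate unchanged after '$sub'; nothing to do"
    return 1
  fi
  echo "certificate changed after '$sub'; run post-issuance hooks (service reload) here"
  return 0
}
```

Usage from a timer or cron job would be `ensure_certificate "$LEGO_PATH/certificates/mail.nix.lt.crt" 15 mail.nix.lt && systemctl reload <service>`, so a reload happens only on an actual change. Requiring the SAN set to equal the required set (rather than merely contain it) means that removing a domain from the configuration also forces a fresh `run`, which is the conservative choice for an automated job.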
