For the time being, I'm able to generate monthly TLS certificates using Dehydrated. I run the following command using crontab:

/usr/bin/dehydrated --challenge dns-01 -k /etc/le-godaddy-dns/godaddy.py -c -x >> /etc/dehydrated/logs/$(date +\%Y-\%m-\%d_\%H-\%M-\%S).log 2>&1

I've looked for what I want to achieve and I've found nothing. So my question comes next.

I've created a CSR using openssl, a CSR in PEM format (if I'm not wrong). Now, I'd like to use that CSR to create my certificates. But how? Any hint?

Thanks in advance!

joninx

1 Answer

Why did you create a CSR when it sounds like you've been letting dehydrated do it for you successfully already?

Regardless, the Usage section on the project's GitHub page talks about a --signcsr option in the commands list. I don't actually know much about dehydrated, but I'd probably start there if you really need to use your own CSR.

P.S. Force creating a new certificate every month is not generally the recommended approach for an ACME client. Your cron job should be running once or twice a day (at ideally randomized times or at least not on a specific hour interval) and the client will automatically determine when to renew based on the expiration of the cert which is typically about 30 days prior to its expiration. This ends up giving you about 60 days of use on a 90 day cert before it's replaced. Because it's running daily, a failed renewal will simply try again the next day. If it continues to fail, Let's Encrypt will start sending you expiration warnings at about 20 days prior to your cert expiring.

Ryan Bolger
  • I'm not an expert in security or these certificates. As far as I know, using a custom CSR will provide more information about who I am, that's the reason I want to use my CSR. So I guess you are telling me that I must sign CSR first, and then use that signed CSR to create certificates, isn't it? I'll follow the approach you've commented to renew certificates. Thanks! – joninx Apr 15 '21 at 08:04
  • A custom CSR will provide nothing beyond what the auto generated CSR provides. The Let's Encrypt certificate authority ignores all fields other than the DNS domain name(s) in the certificate request. I would suggest abandoning this idea if you don't have a better reason than that. – Ryan Bolger Apr 15 '21 at 22:19
  • How can I set up my cron task to run once/twice a day at random times? – joninx Apr 21 '21 at 07:53
  • That would be a good thing to ask as a separate question assuming you can't find an answer for it that already exists. – Ryan Bolger Apr 21 '21 at 15:30
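
The scheduling advice in the answer and the --signcsr option it points to, sketched as a cron wrapper. This is an added example, not code from the post or from the dehydrated project: the script path in the crontab comment, MAX_DELAY and the function names are assumptions, and --signcsr is assumed to print the certificate on stdout as the project's usage text describes.

```shell
#!/bin/sh
# Added example, not from the post. Hypothetical crontab entry (twice a day):
#   17 3,15 * * * /usr/local/sbin/le-renew.sh renew
# Paths default to the ones in the question; MAX_DELAY is an assumption.
DEHYDRATED=${DEHYDRATED:-/usr/bin/dehydrated}
HOOK=${HOOK:-/etc/le-godaddy-dns/godaddy.py}
LOG_DIR=${LOG_DIR:-/etc/dehydrated/logs}
MAX_DELAY=${MAX_DELAY:-3600}   # spread start times over up to one hour

# Print a delay in [0, $1) seconds, drawn from /dev/urandom.
random_delay() {
    if [ "$1" -le 0 ]; then echo 0; return 0; fi
    n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
    echo $(( n % $1 ))
}

# Scheduled run: --cron (-c) without --force (-x), so the client itself
# decides whether a certificate is close enough to expiry to renew.
renew() {
    sleep "$(random_delay "$MAX_DELAY")"
    "$DEHYDRATED" --cron --challenge dns-01 --hook "$HOOK"
}

# Sign an existing CSR. The certificate arrives on stdout, so write it to a
# temporary file and move it into place only if the client succeeded.
sign_csr() {
    csr=$1
    out=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if "$DEHYDRATED" --signcsr "$csr" --challenge dns-01 --hook "$HOOK" > "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Inside a script the date format needs no backslashes; the \% escapes in
# the question are only required when the command sits in the crontab itself.
case "${1:-}" in
    renew)   renew >> "$LOG_DIR/$(date +%Y-%m-%d_%H-%M-%S).log" 2>&1 ;;
    signcsr) sign_csr "$2" "$3" ;;
esac
```

Because a failed signing run removes its temporary file, a service that reads the output path never sees an empty or truncated certificate.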