mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-01-11 22:30:44 +01:00
cron-renew of certs that are created via -d parameter #79
Originally created by @chrisb86 on GitHub (Mar 29, 2016).
What's the right way to renew certificates that are created via the -d command line parameter?
Cron only takes the certs that are listed in domains.txt or am I missing something?
Wouldn't it make sense to add them to domains.txt when they are created? Is this an intended behaviour and why?
Is there another way to renew all my certs without touching them one by one, when they are not listed in domains.txt?
@seefood commented on GitHub (Mar 31, 2016):
Do you really want an action commandline to also implicitly edit the permanent config? I think it would make more sense to separate those.
@nickpearson commented on GitHub (Mar 31, 2016):
Perhaps you could write a script to create a domains.txt based on the certs in the certs directory. Then use it something like:
I personally like having the domains.txt file, because that serves as what's supposed to be in the certs directory. It's the canonical reference of the certs I want letsencrypt.sh to manage.
@seefood commented on GitHub (Mar 31, 2016):
The only tricky part will be digging up the aliases out of each cert. This is from the source:
certnames="$(openssl x509 -in "${cert}" -text -noout | grep DNS: | _sed 's/DNS://g' | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//')"
@chrisb86 commented on GitHub (Mar 31, 2016):
I use the script with a wrapper script (https://github.com/chrisb86/ngineerx) that creates servers in nginx and php-fpm and creates certs for them. Before looking at the source a few days ago I hadn't realized that the created certs will not be renewed because they are not listed in domains.txt.
I can't think of a use case where "temporary" certs are useful. When I create them, I also want to renew them. I don't want to ditch domains.txt but think that certs that are created with the command line parameters should also be added to domains.txt, because I can't find a good reason why not.
I could modify my script to add my domains to domains.txt after creating the cert, but in my opinion this functionality should be in letsencrypt.sh itself. I would add the domains by default but would also be satisfied with a new command line switch if anybody can name any reasons why someone would create certs which are not included there.
@nickpearson commented on GitHub (Mar 31, 2016):
I'd vote to have a separate command line switch, as I don't like the idea of a script modifying a config file it usually reads from without a clear indication of intent.
However, I think it'd be fine to modify with a switch, which would basically be a "get me this cert and put it in my list of certs to renew automatically."
@lukas2511 commented on GitHub (Apr 1, 2016):
The -d option is designed for use in combination with other tools (e.g. Ansible). If you want your domains to be refreshed automatically please configure them in domains.txt.
@seefood commented on GitHub (Apr 1, 2016):
Exactly. My flow is also to first add it to the domains.txt (by vim/ansible/puppet/chef) then run with -c, plus a monthly -c cron job. It's never going to force-create certs that are newer than 59 days (my settings) so I'm not worried I'll ever bug LE too much with my request rate.
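The domains.txt-generating script @nickpearson suggests, built around the SAN extraction @seefood quoted from the source, as an added example that is not part of this thread. It assumes dehydrated's certs/<first-domain>/cert.pem layout (the directory name is taken as the first name on each line) and needs openssl on the PATH for the directory walk; the constructed SAMPLE_TEXT stands in for real certificate output.

```shell
#!/bin/sh
# Added example: rebuild domains.txt from an existing dehydrated certs tree.
# Assumption: dehydrated's default layout certs/<first-domain>/cert.pem, where
# the directory name is the first name of the line the cert was issued for.

# Turn the text dump of one certificate into one domains.txt line:
# the primary name first, then the remaining SAN entries, deduplicated.
san_line() {
    primary="$1"   # directory name, i.e. the name dehydrated filed the cert under
    text="$2"      # output of: openssl x509 -in cert.pem -text -noout
    aliases=$(printf '%s\n' "$text" \
        | grep 'DNS:' | sed 's/DNS://g' | tr -d ' ' | tr ',' '\n' \
        | grep -Fvx "$primary" | sort -u | tr '\n' ' ')
    # Strip the trailing blank left by tr (or by an empty alias list).
    printf '%s %s\n' "$primary" "$aliases" | sed 's/ *$//'
}

# Walk the certs directory and emit one line per certificate.
# Review the output before replacing domains.txt: that file stays the
# canonical list, this only seeds it from what is already on disk.
build_domains_txt() {
    certdir="$1"
    for dir in "$certdir"/*/; do
        [ -f "${dir}cert.pem" ] || continue
        san_line "$(basename "$dir")" \
            "$(openssl x509 -in "${dir}cert.pem" -text -noout)"
    done
}

# Constructed sample of the relevant part of `openssl x509 -text` output,
# so san_line can be exercised without a real certificate on disk.
SAMPLE_TEXT='Certificate:
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.org, DNS:example.org, DNS:mail.example.org'

# usage: build_domains_txt /etc/dehydrated/certs > /tmp/domains.txt.new
```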