Renew a certificate for multiple domains
This scenario describes step by step how to renew the certificate for the following domains: example.com, www.example.com, admin.example.com and www.admin.example.com.
Requirements:
- PJAC
As in scenario 1, our CA is Let's Encrypt and PJAC runs on the same machine as the webserver that serves the domains. Again, we use the HTTP01 challenge type in this scenario. The webserver is configured to serve content over HTTP (port 80) for all of the above domains from a single document root, /var/www/. The files and subdirectories in /etc/pjac/ that were generated in scenario 1 are still there.
In this scenario, we assume that our CA uses a lifetime of 90 days for certificates and 60 days for validated authorizations. The certificate was generated 70 days ago, so the authorizations for the domains have expired and the certificate has a remaining lifetime of 20 days before it expires.
Note that these expiration times vary between CAs and are subject to change. Because the ACME protocol is designed for fully automatic certificate issuance, CAs will aim to shorten certificate lifetimes, as that limits the damage from key compromise and mis-issuance.
- Request new authorizations and download challenges for them:
  java -jar acme_client.jar --command authorize-domains -a /etc/pjac/account.key -w /etc/pjac/workdir/ -d example.com -d www.example.com -d admin.example.com -d www.admin.example.com --well-known-dir /var/www/.well-known/acme-challenge/ --one-dir-for-well-known --with-agreement-update
  For each domain name a new challenge file is downloaded and saved to the directory /var/www/.well-known/acme-challenge/.
- Verify the challenges:
  java -jar acme_client.jar --command verify-domains -a /etc/pjac/account.key -w /etc/pjac/workdir/ -d example.com -d www.example.com -d admin.example.com -d www.admin.example.com
  The domains are now authorized again.
- Generate a new certificate and download it:
  java -jar acme_client.jar --command renew-certificate -a /etc/pjac/account.key -w /etc/pjac/workdir/ --cert-dir /etc/pjac/certdir/ --csr /etc/pjac/example.com.csr
- Done. The following files in the directory /etc/pjac/certdir/ should now be renewed: cert.pem, chain.pem and fullchain.pem.
ℹ️ Because we use the renew command here, we can schedule this to run frequently (every week or even every day): the renew command only generates a new certificate when the current certificate will expire within 30 days. Performing authorization and verification frequently poses no problem either, since new authorizations are only requested and verified when the existing ones have expired.
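As an added example (not part of the PJAC wiki or the project's own code), a POSIX shell wrapper that chains the three steps of this scenario so they can be scheduled as the note above suggests. It assumes the paths from this scenario (overridable through environment variables), adds a dry-run mode that prints the command lines instead of invoking java, and includes an openssl expiry check on the installed cert.pem as a post-run sanity check.

```shell
#!/bin/sh
# Scheduled renewal wrapper for the PJAC multi-domain scenario (added example).
# Paths default to this scenario; set PJAC_DRY_RUN=1 to print commands instead of running java.
set -eu
PJAC_JAR="${PJAC_JAR:-acme_client.jar}"
PJAC_ACCOUNT_KEY="${PJAC_ACCOUNT_KEY:-/etc/pjac/account.key}"
PJAC_WORKDIR="${PJAC_WORKDIR:-/etc/pjac/workdir/}"
PJAC_CERT_DIR="${PJAC_CERT_DIR:-/etc/pjac/certdir/}"
PJAC_CSR="${PJAC_CSR:-/etc/pjac/example.com.csr}"
PJAC_WELL_KNOWN="${PJAC_WELL_KNOWN:-/var/www/.well-known/acme-challenge/}"

# Expand a list of domain names into the repeated "-d" arguments PJAC expects.
pjac_domain_args() {
  args=""
  for d in "$@"; do
    args="${args:+$args }-d $d"
  done
  printf '%s' "$args"
}

# Run one PJAC command line, or print it when PJAC_DRY_RUN=1.
run_pjac() {
  if [ "${PJAC_DRY_RUN:-0}" = 1 ]; then
    printf 'java -jar %s %s\n' "$PJAC_JAR" "$*"
  else
    java -jar "$PJAC_JAR" "$@"
  fi
}

# The three steps of the scenario. Safe to run from cron: authorize-domains only requests
# authorizations that have expired, and renew-certificate only issues when the current
# certificate expires within 30 days. $domains is intentionally left unquoted (word splitting).
renew_all() {
  domains=$(pjac_domain_args "$@")
  run_pjac --command authorize-domains -a "$PJAC_ACCOUNT_KEY" -w "$PJAC_WORKDIR" $domains \
    --well-known-dir "$PJAC_WELL_KNOWN" --one-dir-for-well-known --with-agreement-update
  run_pjac --command verify-domains -a "$PJAC_ACCOUNT_KEY" -w "$PJAC_WORKDIR" $domains
  run_pjac --command renew-certificate -a "$PJAC_ACCOUNT_KEY" -w "$PJAC_WORKDIR" --cert-dir "$PJAC_CERT_DIR" --csr "$PJAC_CSR"
}

# Post-run check: returns 0 if cert.pem expires within $1 days (or cannot be read), 1 if it
# is still valid beyond that window. openssl's -checkend succeeds only when the cert outlives the window.
cert_expires_within_days() {
  if openssl x509 -in "${PJAC_CERT_DIR}cert.pem" -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

if [ "${PJAC_RUN:-0}" = 1 ]; then
  renew_all example.com www.example.com admin.example.com www.admin.example.com
fi
```

Run it from cron with PJAC_RUN=1; afterwards `cert_expires_within_days 30 && echo "renewal did not produce a fresh certificate"` flags a failed run.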