Let's Encrypt Certificate renewal

This page contains some details on how to renew certificates with Let's Encrypt using the same key, which is very helpful in supporting authentication via an SPKI pinset (a key change would invalidate every pin clients have configured).

Many of the current experimental servers are using Let's Encrypt certificates. Using certbot makes creating and managing certificates easy.

As of recently certbot no longer checks if the certificate is about to expire, but simply gets a new one. Beware when testing, since Let's Encrypt imposes a limit of 5 certificates per day.

Generating a Key and Manual Renewal

This assumes that you will use certbot in conjunction with Let's Encrypt and you have an existing key <my_key_file> that was used for the previous certificate (or you are generating your first certificate).

  1. Create your new CSR from your existing private key using 'openssl req'

    openssl req -key <my_key_file> -new -out <my_csr_file>
    
  2. Use the certbot interface to renew the cert using the same key, for example using web authentication

    certbot certonly -d <my_authentication_name> --csr <my_csr_file> --webroot -w /home/website/public
    

    or using dns challenge

    certbot certonly -d <my_authentication_name> --csr <my_csr_file> --preferred-challenges dns --manual
    
  3. For the dns challenge mode, step 2 outputs a TXT record value that must be added to the zone for <my_authentication_name> before the certificate can be issued, with instructions something like:

    Please deploy a DNS TXT record under the name
    _acme-challenge.<my_authentication_domain_name> with the following value:
    
    <TXT value>
    Once this is deployed,
    Press ENTER to continue
    
    1. Manually add the TXT record and wait until it has propagated, e.g. use dig against 8.8.8.8 to confirm the new TXT record is visible.

    2. Hit ENTER, which should result in a new certificate being issued.

    3. Restart the nameserver or proxy to have it use the new certificate.

Automated renewal

There are a number of ways to do this, but one common one is to use https://dehydrated.de/. It is nice for automating the renewal workflow, particularly if you want to use the DNS challenge method rather than web access. We have two examples of this method:

  • Method 1 - based on the workflow at Sinodun and using Knot resolver to sign the DNS zone used for the dns-01 challenge.
  • Method 2 - based on the workflow at NLnet Labs using OpenDNSSEC to sign the DNS zone used for the dns-01 challenge.

Generating an SPKI pin for your certificate

Once you have the certificate configured on your server you can generate the SPKI pin (the base64 SHA-256 digest of the DER-encoded SubjectPublicKeyInfo) if you want to publish it, so clients can configure it for authenticating your server.

  • GnuTLS:
    gnutls-cli --print-cert -p 853 <IP_address>
    
    The pin for each certificate is displayed at the end of the output line beginning 'Certificate[0] info:'
  • OpenSSL: 
    echo | openssl s_client -connect '[2001:67c:27e4::35]:853' 2>/dev/null \
      | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary | openssl enc -base64
    
  • Or use this handy website https://report-uri.io/home/pubkey_hash
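The point of reusing the key in the renewal steps above is that the published pin must not change. The following added example (not part of the original page) wraps the OpenSSL pin pipeline into functions that compute the pin from a certificate or key file on disk and check that a renewed certificate still matches the old pin before the server is restarted; it assumes openssl is on PATH and the file names are placeholders.

```shell
#!/bin/sh
# Added example: SPKI pin checks around a Let's Encrypt renewal.
# Assumes openssl on PATH; paths are placeholders for your own files.
set -eu

# Pin of a PEM certificate: SHA-256 over the DER SubjectPublicKeyInfo,
# base64 encoded (same pipeline the page applies to a live server).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# Pin of a private key file, so you can confirm the key you are about to
# put in the CSR matches the pin clients already have, before asking
# Let's Encrypt for a new certificate.
key_pin() {
    openssl pkey -in "$1" -pubout -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# Compare old and new certificate pins. Returns 0 when the renewal kept
# the key (safe to restart the nameserver/proxy), 1 when clients pinning
# the old key would fail against the new certificate.
renewal_keeps_pin() {
    old=$(spki_pin "$1")
    new=$(spki_pin "$2")
    if [ "$old" = "$new" ]; then
        echo "OK: pin unchanged ($new)"
        return 0
    fi
    echo "WARNING: pin changed from $old to $new" >&2
    return 1
}
```

Run `renewal_keeps_pin old-cert.pem new-cert.pem` after certbot has written the new certificate and before restarting the server.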