Technology Solutions for Everyday Folks

My Incremental Certbot Panacea

I've written about Certbot more than any other topic in the last 24 months or so, in part because it's been an interesting adventure for me both in helping to demystify SSL certificates, but also because it's been an evolving and incremental process to Make It Better. The first post I'd written in February of 2019 talked about using a web service to generate a Let's Encrypt certificate...good for 90 days...for free. Eighteen months later, I'm writing about more or less full automation with Certbot in my environment. In between, all of the various challenges and incremental changes.

In early December, a friend and I did some "armchair" pair programming, and in that process I discovered some additional ways I could further improve upon my already excellent solution. While we pored over various bits of the Certbot documentation, I discovered a couple of things that could make my script(s) work more cleanly than in the past. I wrote them down with the promise to work on implementing them another day (which happened to be the day following our chat). Since the mechanics of my scripts are set and solid (I have a set of the example scripts for each "host" of domains I maintain), one thing that came to mind is cleaning up the output. Invoking the scripts can generate a lot of output, and at the end of the day all I need to see is the active domain, the certificate, and the private key. Two flags stood out to me:

  • --non-interactive
  • --quiet

I took advantage of a couple of 'unused' domains (against the Certbot staging/testing service) to do a little investigation, just to see how the commands impact the output. At the end of the day, I decided to avoid using --quiet but go forward with --non-interactive, for the sole reason that --quiet is fully silent (as stated in the documentation), so there is absolutely no output relayed to the console during the validation and request process. --quiet would be a better (or required) option if the scripts were invoked via cron or something similar. Since I need to be involved for the "last mile" of certificate installation (the paste into CPanel), using --quiet isn't valuable for me.

--non-interactive, however, is an entirely different story. Using --non-interactive really cuts down the command output to useful parts: updates on the process as it happens. The console output tells me as the validation takes place, cleanup happens, and certificates are issued. The pages of additional information/warnings/disclaimers are not present. Just the facts.

I also took the opportunity to bolt in another helpful piece (since I cut the output down): a simple echo just before the certbot invocation for each domain/cert:

echo "Generating certificate for superdomain.net..."$'\r\n\r\n'

In the console output, this helps me identify the cert in question, which is not as helpful for one or two domains, but super helpful in a script of 10 or more renewals.

The Example, Redefined

I've updated my certbot-example repo with this information, but the script now looks like:

#!/bin/bash
# Label the run so the cert is easy to spot when many domains are renewed in sequence
echo "Generating certificate for superdomain.net..."$'\r\n\r\n'
# Manual HTTP-01 challenge with auth/cleanup hooks; --non-interactive trims the output
# (the trailing backslashes continue the single certbot command across lines)
certbot certonly --manual --manual-public-ip-logging-ok \
          --preferred-challenges=http --manual-auth-hook ./auth/auth-host.sh \
          --manual-cleanup-hook ./cleanup/cleanup-host.sh --non-interactive \
          -d superdomain.net -d www.superdomain.net
# Pause, then page through the certificate and key for the copy/paste into CPanel
read -n1 -r -s -p "Press any key to load certificate...`echo $'\r\n\r\n'`"
more /etc/letsencrypt/live/superdomain.net/cert.pem
read -n1 -r -s -p "Press any key to load private key...`echo $'\r\n\r\n'`"
more /etc/letsencrypt/live/superdomain.net/privkey.pem
read -n1 -r -s -p "Press any key to end certificate renewal process...`echo $'\r\n\r\n'`"

With that, I've reached my panacea with Certbot. Minimal, but useful output, a very small number of commands to run, and a couple of copy/paste actions for that last mile/installation. Perfect.

A Helpful Testing/Cleanup Step

I didn't really go over any of this in the previous posts, but it's usually a good idea to do a little bit of "cleanup" on your invalid testing certificates from the staging server. Certbot will let you know these certificates are set to expire (along with your good ones), so your own mileage may vary. To me it seems like a good idea to clean up the unnecessary, especially the test certs.

Test certificates will show up as non-valid certificates in the output of sudo certbot certificates.

To both "revoke" the test certificate (or real certificates in the absence of the --staging flag) and delete the local content, the following does it all in one convenient command (the local delete can be done separately from the revoke if/as necessary).

sudo certbot revoke --cert-name superdomain.net \
          --cert-path /etc/letsencrypt/live/superdomain.net/cert.pem \
          --delete-after-revoke --staging
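Picking the staging certificates out of the certbot certificates listing by hand gets tedious once there are more than a few, so here is an added helper (my own example, not part of the certbot-example repo) that reads that listing, keeps only the entries certbot marks INVALID: TEST_CERT (it deliberately ignores INVALID: EXPIRED, since an expired real cert is not a staging cert), and prints the matching revoke-and-delete command for review. The sample listing and the domain names in it are constructed for the example.

```shell
#!/bin/bash
# Added example: find staging/test certs in `certbot certificates` output.
# Real usage: sudo certbot certificates 2>/dev/null | list_test_certs

# Print the Certificate Name of every entry whose expiry status is
# "INVALID: TEST_CERT" (certbot's marker for staging-issued certs).
list_test_certs() {
    awk '
        /^[[:space:]]*Certificate Name:/          { name = $3 }
        /Expiry Date:.*INVALID: TEST_CERT/        { print name }
    '
}

# Build (but do not run) the one-shot revoke + delete command from the post
# for a given cert name, so the list can be reviewed before anything happens.
revoke_command() {
    printf 'sudo certbot revoke --cert-name %s --cert-path /etc/letsencrypt/live/%s/cert.pem --delete-after-revoke --staging\n' "$1" "$1"
}

# Constructed sample in the shape certbot prints; not real certificates.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: superdomain.net
    Domains: superdomain.net www.superdomain.net
    Expiry Date: 2021-03-01 12:00:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/superdomain.net/fullchain.pem
  Certificate Name: old-real.example
    Domains: old-real.example
    Expiry Date: 2020-10-01 12:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old-real.example/fullchain.pem
  Certificate Name: unused-test.example
    Domains: unused-test.example
    Expiry Date: 2021-02-20 08:00:00+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/unused-test.example/fullchain.pem'

# Run the pipeline over the sample and emit one revoke command per test cert.
plan_test_cert_cleanup() {
    printf '%s\n' "$SAMPLE_OUTPUT" | list_test_certs | while read -r name; do
        revoke_command "$name"
    done
}

plan_test_cert_cleanup
```

Swap the sample for the live listing (sudo certbot certificates | list_test_certs) and run the printed commands once you are happy with the list.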

So...Is This The End?

At this point I've no further plans to write about my personal use of Certbot, so...maybe? If something changes that I find useful, or based on suggestions you might have...I am not averse to sharing more about Certbot. That being said, however, I am fully intending to start working with Certbot in our work environment with InCommon/Sectigo...so it is entirely possible I'll share nuggets of those challenges along the way.

Thanks for coming along on the journey!