Automatic renewal per Acme? #296
Comments
@David263 The validity period for all certificates that mkcert generates is 10 years.
I have just checked, and I see that you have not added this information to the README file under Code. Also, it would be good if you would mention in the README file that automatic renewal is NOT supported, as it is for certbot, as that fact is not obvious or stated at present. I explained the better procedure for cPanel users above, but I see that you have not responded to this design proposal. Perhaps I failed to make it clear that there is a need to support such a design. Best regards.
Would you accept a Pull Request for me to update the README file for you?
@David263 I think you've got the wrong idea from my comment. I'm not involved with mkcert's development, I'm just a passerby who saw your question about certificate expiration dates and knew the answer to it.
Also, mkcert is a tool for making DEVELOPMENT certificates for OFFLINE/PERSONAL use... you do not need ACME for that... and if you do, take a look at SmallStep; it could do that as far as I understand.
@Lawri-van-Buel Thank you for your reply. SmallStep looks interesting, but it is specific to certain large-scale technologies. It looks like it provides no Acme-like service for ordinary HTML/css/js websites. I urge you to read my discussion of the local.example.com approach to using cPanel Let's Encrypt certificates that I wrote above. All that is missing is an automatic way to copy the latest data when cPanel autorenews. I am sure that there are developers who know how to write the short server and client scripts. It should be technically easy, although I don't have the skills myself. They could help all cPanel users apply HTTPS easily to their development environments.
It's a more production grade solution over mkcert (which is great and easy for local dev usage). As such, it's a bit more involved to setup and use, but I've automated a local docker environment (custom local DNS server, python ACME client to register/renew from YAML config, smallstep as private CA and ACME service), used it for a mail server, anything that needs the TLS certs it's good for.
That's not the responsibility of mkcert. mkcert creates local/private certificates for local dev usage. It does so with its own root certificate (akin to the ones you'll have from LetsEncrypt on your system, that your website certs will be derived from in a cert chain). It creates leaf / end-entity certificates for your websites/services which you can copy over to where you need; since they've got a long lifetime (2 years?) and are only intended for local use, not serving real users, manually replacing them isn't that big of a deal. While mkcert automates the installation of root certs into a system's trust stores (OS + some other locations that have their own trust stores), this is different to what you're wanting with leaf certs. Your interest is just a matter of copying files when they've changed on your production servers to your local dev server. Ignore all this being specific to cPanel since all you seem to require is updating the file with the newer cert. Use rsync on a schedule/timer, or dropbox, or syncthing as ways to monitor a location and update another automatically when content changes. Alternatively, just use mkcert?
Reach out to cPanel community for developers that would be interested in that then.
Perhaps just request it as a feature to cPanel devs? (I assume they're paid to work on that or if receiving volunteer contributions would be from someone who uses cPanel and is motivated to do so)
"That's not the responsibility of mkcert." I agree. Mkcert, like the name implies, makes certificates. We need a separate product that senses when the current development server site certificate is about to expire, or has expired, and then copies the latest Let's Encrypt certs from production server to development server. This would help thousands of developers who use cPanel websites (or any others that auto-renew their own certs).
... Syncthing.
SyncThing sounds like more than half of what is needed. The rest is: running as a service, copying files securely, and sensing when the remote certificate is going to expire or has expired. So close! I wish I had time to do this myself, but I have too many projects as it is. I think this functionality should be coupled with certbot, mkcert, or smallstep. It would enhance whatever app is smart enough to add it.
Oh, I see that this issue has been closed. Should I create a new issue for my last few posts? |
They do what they handle well. Certs. They don't need to handle this niche use case you have for a specific file path / project. There's plenty of options for syncing files across systems which is what you've basically requested. Just use one that's well established already like open-source syncthing, or raise your concerns to cPanel community for further integration.
No. It'll get closed again. Your request does not belong to this project, sorry.
polarathene, Thank you so much! I will try this out, and I hope this product gets some publicity. I do use Dropbox, but it's not so secure and it works on only one file system subtree. Perhaps I can even use Syncthing for general backing up to a file server (that would be nice). I must disagree with you that this is a tiny or edge case. cPanel autoSSL is used a lot with local development, by both Linux- and Windows-based developers. Do you have any suggestions about where I could post my experiences if this works for me? I like sharing what works.
It's tiny in that the amount of cPanel users that are using mkcert and want what you're asking (which apparently isn't using mkcert at all to achieve) is tiny. I'm not saying the cPanel community is insignificant. But you're better to engage within those communities to drum up interest and discussion for solutions to what you're after. It's a better way for you to gauge that what you want to do is a good approach and has plenty of community interest. Then either someone volunteers time to put a solution together, or cPanel devs recognize it and improve their product directly.
A cPanel community, Medium, etc. There's no harm in linking to a discussion/article about such here, or if your shared info isn't too much to write about, you can reply here with your solution for anyone else who arrives here like you did. You could just chime in that Syncthing worked well for you or not, or leave some additional details if you want to help others in your situation.
Thank you for all your help, and thanks to FiloSottile too!
From my previous post: "Perhaps I can even use Syncthing for general backing up to a file server (that would be nice)." It turns out that Syncthing has some dramatic limitations to what you can do, as compared with Dropbox. No moving a file from one folder to another, for example. There is no code to detect several common operations, and they can result in lost data. It is clear that I cannot use this as a general backup (they even warn that deletions are propagated, making this useless as a backup). But I'll go ahead and see if it will update certs automatically from production server to dev server.
====
I would like a certbot that copies the remote private key and certificate files from the production computer to the local development computer automatically whenever cPanel updates its secinfo (security information).
My scheme requires manual creation of an unused subdomain "local.example.com" on the production computer. cPanel will automatically include this new subdomain name in its secinfo whenever it auto-updates it.
On the local development server, I make an entry in the HOSTS file so that "local.example.com" is mapped to 127.0.0.1 (the loopback address).
So if I open "local.example.com/my-website", the browser opens my website securely.
These two steps are very simple, so anyone can do them. They are compliant with all known regulations, yet provide compatible security to development/production server pairs.
But this scheme requires downloading the new secinfo manually about once every 5 months. Computers should do such repetitive tasks!
Thus I need a (Windows in this case) certbot that will automatically detect an expired certificate and download the new secinfo from the production server. Windows can probably do this using powershell and/or the task scheduler, or any of its script languages. However, these are all beyond my knowledge, and that of most developers who want to maintain a local development server that mirrors a remote production server.
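The expiry check asked for above (in the issue body here and in the earlier comment about "sensing when the remote certificate is going to expire or has expired"), as an added example in Go, mkcert's language, that is not part of mkcert or of any poster's code: the PEM parsing, the margin-based decision and the comparison of the local copy against the production copy by serial number are this example's own design, and the certificates it checks are constructed in-process as a stand-in for the files cPanel issues and auto-renews.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parseCert decodes the first CERTIFICATE block of PEM data (e.g. a cert file exported from cPanel).
func parseCert(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NeedsRefresh says whether the dev cert (localPEM) should be replaced by production's (prodPEM): it expires within margin, or production already holds a different, longer-lived cert (what cPanel auto-renewal leaves behind).
func NeedsRefresh(localPEM, prodPEM []byte, now time.Time, margin time.Duration) (bool, string, error) {
	local, errL := parseCert(localPEM)
	prod, errP := parseCert(prodPEM)
	if err := errors.Join(errL, errP); err != nil {
		return false, "", err
	}
	switch {
	case local.NotAfter.Sub(now) <= margin: // an already-expired cert has negative remaining time, so it lands here too
		return true, "local certificate has expired or expires within margin", nil
	case local.SerialNumber.Cmp(prod.SerialNumber) != 0 && prod.NotAfter.After(local.NotAfter):
		return true, "production holds a newer certificate", nil
	}
	return false, "local certificate is current", nil
}

// selfSignedPEM builds a constructed sample certificate; it stands in for a real Let's Encrypt one.
func selfSignedPEM(name string, notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(notAfter.UnixNano()), DNSNames: []string{name}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now, day := time.Now(), 24*time.Hour
	local := selfSignedPEM("local.example.com", now.Add(-80*day), now.Add(10*day)) // dev copy, 10 days left
	prod := selfSignedPEM("local.example.com", now.Add(-5*day), now.Add(85*day))   // renewed by cPanel
	fmt.Println(NeedsRefresh(local, prod, now, 30*day))
}
```

Run on a schedule (Task Scheduler, cron, or a systemd timer) with the two real PEM files read from disk, a true result is the trigger to copy the production certificate and key over to the dev server.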