Moh

Reputation: 93

GreenLock (Let's Encrypt) using existing certbot store used by apache

I have a website that is served by Apache. I am using Let's Encrypt certificates that have been created by certbot using the Apache plugin. The OS is Ubuntu. The site works fine.

Now I am running a NodeJS-based API server that uses HTTPS. In order to test, I have successfully used the certificate files as the TLS options as follows:

var FS = require("fs");
// Paths to the certbot-managed private key and certificate (elided here)
var tls = {
    key: FS.readFileSync("...."),
    cert: FS.readFileSync("...")
};

My understanding is that since these certificates have a lifetime of 90 days, at some point the API server will have a stale certificate (unless reloaded/restarted).

Then I found out about the excellent GreenLock library. I think this is what I want, but I need a bit of clarification.

  1. If I use the GreenLock library and point it to the existing certbot-managed directory, will it just pick up the existing cert? Note that there is an Apache server running on port 80 to authenticate for those certificates.

  2. Will there be contention between certbot and Greenlock to renew the cert?

  3. Do I need to restart my API server for it to recognise the renewed certs, or does GreenLock make the renewal transparent to the NodeJS server?

Basically, what I want is for GreenLock to just use the certs from the store and let certbot + Apache manage the creation and renewal. Also, when managed like that, my NodeJS server continues to run and recognises the renewal.

Upvotes: 4

Views: 1346

Answers (2)

coolaj86

Reputation: 77122

Compatibility

Mozilla IoT contributed some patches to the le-store-certbot plugin recently which fixed a few bugs with certbot compatibility.

Fingers-crossed, the latest version will be compatible with the certbot folder structure you had previously, just set configDir as needed.

Contention

When you're using Greenlock™, there's no need for certbot and I'm not sure how well it would work to run both on the same system. In theory it should work... but I wouldn't do it.

However, since you're using node.js as the https server, not Apache, I don't think there's any reason you would need certbot still.

Automated HTTPS

Greenlock automatically renews the certificates based on the expiration information that is in the certificate, not a cron job. If configDir is set to /etc/acme and a certificate exists in /etc/acme/live/example.com/fullchain.pem, that's the certificate that will be used.

The node service does not need to be restarted. Whenever there isn't a certificate in memory it will check on disk and then request one through ACME. Whenever there is a certificate in memory it has the expiration information and when it goes to renew the certificate, it will first check on disk for a new one before actually making the request (hence it should work with certbot).

Upvotes: 1

Moh

Reputation: 93

@CoolAJ,

Based on your answer, I think I have found a scheme that is going to suit me. I would like to run it by you for comments.

Given my knowledge about Greenlock at this stage, I know I can separate my API server onto a separate box and it will take care of my cert acquisition and renewal. Thumbs up! But I am keeping it as my fallback solution. I have infrastructure reasons for trying to run my API server alongside an Apache web content server on the same box, both speaking HTTPS, and I am going to push a bit more to get to a foolproof solution. This is what I have in mind.

  1. My Apache web content server + certbot setup is working fine. So this Apache is already responding to domain validation (my knowledge is completely blank about the process) on port 80.

  2. I want to run a NodeJS web API server that speaks HTTPS on the same box, and I would like to use Greenlock to manage the acquisition and renewal of certs for that API server.

In my original question, I wanted to know if I can just point Greenlock to the cert directory managed by certbot, and for that you have provided a clear enough answer. That led me to think that I don't want Greenlock to work from the certbot-managed directory.

So my problem in separating certbot and Greenlock within the same machine is that only one web server running on port 80 will be responding to domain validation for both systems (certbot and Greenlock).

So I have decided that I will keep certbot + Apache as is and use Greenlock with the webroot scheme, pointing to the Apache webroot and its own configPath. That way Apache will be the domain validator. I will use a subdomain for the API server. Thus certbot manages the cert for "blah.com" and Greenlock manages the cert for "api.blah.com".

My theory is that this way no one is stepping on the other's toes. Certbot is using the Apache plugin, thus it is the TLS-SNI-01 challenge, and Greenlock will use the http-01 challenge (using Apache to serve the files).

And I can see in your Fully automatic HTTPS example,

https://git.coolaj86.com/coolaj86/greenlock.js

that I can supply a certbot store with webrootPath.

Which means that when my API server tries to acquire/renew certs, it is the Apache server that will be responding to the domain validation, and I don't need my NodeJS server to run anything on port 80.

What do you think of it?

Thank you for your time.

Upvotes: 0
