
Ability to edit Let's Encrypt certificate DNS challenge options #3732

Open
esand opened this issue May 1, 2024 · 3 comments

Comments

@esand

esand commented May 1, 2024

Is your feature request related to a problem? Please describe.

Yes - there is currently no way to update the DNS challenge provider or options. If you change DNS providers, you would need to update the DNS challenge settings (if used). Since you can't do this, you have to add a new certificate entry (and remove the old one) which creates a new /etc/letsencrypt folder. If you have other services tied to the specific npm-* folders created (since you can't customize these paths), you would have to update all your other configurations with the new location as well.

Describe the solution you'd like

I would like an Edit option for Let's Encrypt SSL certificates along with Renew now/Download/Delete. This would open the same window as when you create the certificate, but existing settings would be shown and could be edited.

Describe alternatives you've considered

I have considered editing the credential files that are generated, however docs state that the credential information is stored in NPM's database as well, so this would not properly solve the issue.
Creating a new certificate entry is not a viable option if you want to avoid having to update paths in other services that are using the certificate.

Additional context

@gratiachristi95

As you know, DNS as well as SSL certification can be hard things to set up, and for good reason. It is a good security practice to delete old certificates and get new ones when you switch DNS providers due to the keys. You do not want an old key stored on an old DNS provider's servers. For that reason the current way the project has it set up is the better security practice, and adding the feature you described would make this project less secure.

@esand
Author

esand commented May 3, 2024

@gratiachristi95 I wasn't aware that any SSL keys were stored by the DNS providers in any way at all. From what I understand, using the DNS challenge feature has certbot temporarily create a DNS record so that it can then validate that it exists on the domain, thus proving you actually own the domain, and then after validating you're the owner, it removes the record and issues the certificate.

I was under the impression that the SSL key is stored and generated on my system since that's private info and used to sign (so you don't want others having access to it).

Also, the ability to edit the certificate's settings (really just toggling DNS challenge, the provider and any settings that go with it, such as an API key typically) wouldn't impact the certificate in any way when you do it - it would only update the recorded information, and upon renewal that would be used instead of what was previously used for the certificate.

If certbot doesn't allow you to modify the info, I can totally understand - and in that case, I'd be just fine with some way to manually specify the "name" of the certificate (npm-1, -2, etc.) so I can replace a previous certificate in /etc/letsencrypt rather than it using whatever the next internal ID is that was generated from the database.
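To make the DNS-01 flow described in the comment above concrete, the following is an added Python example; it is not part of this issue, of certbot, or of Nginx Proxy Manager. It computes what ACME DNS-01 (RFC 8555 section 8.4) actually publishes in the _acme-challenge TXT record: a SHA-256 digest of the challenge token joined with the ACME account key's public JWK thumbprint (RFC 7638). The token, the JWK member values and the in-memory "zone" that stands in for a DNS provider's API are all constructed placeholders, not real keys or records.

```python
"""ACME DNS-01 challenge value, client side and CA side (added example, constructed data)."""
import base64
import hashlib
import hmac
import json

# Constructed placeholders: the token an ACME server would hand out and a public
# JWK for the account key. The member values are made up; the thumbprint
# computation never decodes them, so they only need to be strings.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "PLACEHOLDER_X_COORDINATE_base64url",
    "y": "PLACEHOLDER_Y_COORDINATE_base64url",
}

# RFC 7638: only these public members, in lexicographic order, feed the thumbprint.
# A private member such as "d" is never part of it.
REQUIRED_JWK_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON (no whitespace, sorted keys) of the required public members."""
    members = REQUIRED_JWK_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The TXT record contents: base64url(SHA-256(keyAuthorization)). A digest, not a key."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """DNS-01 validates the record at _acme-challenge.<domain>."""
    return f"_acme-challenge.{domain}"


def publish_challenge(zone: dict, domain: str, token: str, jwk: dict) -> dict:
    """Client side: create the TXT record through the provider API (here: a constructed dict)."""
    zone.setdefault(challenge_record_name(domain), []).append(dns01_txt_value(token, jwk))
    return zone


def cleanup_challenge(zone: dict, domain: str) -> dict:
    """Client side after validation: remove the temporary record again."""
    zone.pop(challenge_record_name(domain), None)
    return zone


def ca_validates(token: str, jwk: dict, domain: str, zone: dict) -> bool:
    """CA side: fetch the TXT records for the challenge name and accept if any one matches."""
    expected = dns01_txt_value(token, jwk)
    published = zone.get(challenge_record_name(domain), [])
    return any(hmac.compare_digest(record, expected) for record in published)


if __name__ == "__main__":
    zone = publish_challenge({}, "example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print("record:", challenge_record_name("example.com"), "TXT", zone[challenge_record_name("example.com")])
    print("CA accepts:", ca_validates(SAMPLE_TOKEN, SAMPLE_JWK, "example.com", zone))
    cleanup_challenge(zone, "example.com")
    print("after cleanup, CA accepts:", ca_validates(SAMPLE_TOKEN, SAMPLE_JWK, "example.com", zone))
```

What the DNS provider sees is the 43-character digest, never the account key and never the certificate's private key; both stay on the client. Changing the provider therefore changes only where the next renewal's temporary record is created and which API credential is used to create it, which is why the provider credential (the value NPM stores alongside the certificate entry) is the sensitive part to rotate when switching providers.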

@esand
Author

esand commented May 10, 2024

To update this feature request, certbot apparently does support changing challenge options. If you want to change your challenge choice, you can use the --preferred-challenges option to specify which you prefer, and then specify the relevant challenge options as well.

If certbot supports it, I don't see why this project couldn't either - and as mentioned, it would be a nice improvement for those of us who have certs and then change DNS providers.
