• Status: Closed
• Percent Complete:
• Task Type: Security Issue
• Category: Any
• Assigned To:
• Operating System: All
• Severity: High
• Priority: High
• Reported Version: Any
• Due in Version: Starfix
• Due Date: Undecided
• Votes:
• Private:
Attached to Project: Packages
Opened by belette - 18/10/2018
Last edited by Emulatorman - 04/02/2019

FS#1229 - [certbot] version 0.23 is not giving the option to keep privkey during renew


A common use case is to have a reverse proxy managing the certificates from Let's Encrypt.
If a backend server (behind the reverse proxy) needs to use SSL certificates, this requires using certbot on the reverse proxy, generating the certificate, and moving the private key from the reverse proxy to the backend server.

There is another way: sharing an NFS drive between servers, but this breaks all the security best practices!

Today the “best” way is to SCP the private keys from the reverse proxy to the backend server. This is not the best way, and it needs to be repeated every 3 months before the Let's Encrypt certificate expires; moving the private key is not a best practice either.

Version 0.24 brings a new function, --reuse-key, to reuse the same private key when renewing the certificate, so this private key can stay on the backend server and there is no need to copy the new private key from the reverse proxy to the backend server, because it was not changed during the renewal.
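A check a backend operator can run after a --reuse-key renewal to confirm that the renewed certificate still belongs to the private key already on the backend, so only the public certificate has to be copied from the proxy. This is an added example, not part of the original report or of certbot; the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: verify that a certificate copied from the reverse proxy
# (e.g. fullchain.pem) matches the private key that already lives on the
# backend, which is what a `certbot renew --reuse-key` should guarantee.
# Requires openssl. Paths below are assumptions for illustration only.

# pubkey_fingerprint FILE KIND -> SHA-256 of the public key in PEM form.
# KIND is "cert" (X.509 certificate) or "key" (private key).
pubkey_fingerprint() {
    if [ "$2" = cert ]; then
        pem=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    else
        pem=$(openssl pkey -in "$1" -pubout) || return 2
    fi
    # openssl dgst prints "(stdin)= <hex>"; keep only the hex digest.
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# keys_match CERT KEY -> 0 if the certificate's public key equals the public
# key derived from the private key, 1 if they differ, 2 on read errors.
keys_match() {
    c=$(pubkey_fingerprint "$1" cert) || return 2
    k=$(pubkey_fingerprint "$2" key)  || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage on the backend after copying only the certificate from the proxy
# (assumed paths):
#   if keys_match /etc/ssl/backend/fullchain.pem /etc/ssl/backend/privkey.pem; then
#       echo "private key unchanged: reload the service"
#   else
#       echo "private key changed: renewal did not reuse the key" >&2
#   fi
```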

Closed by Emulatorman
04.02.2019 10:48
Reason for closing: Fixed
Additional comments about closing:

certbot has been upgraded to 0.28.0 → https://git.hyperbola.info:50100/packages/community.git/commit/?id=3006ad5df28cba326aac706773c57e89c750765e
