Renew only specified domains #1532

Open
1 task done
SoniEx2 opened this issue Nov 24, 2021 · 4 comments · May be fixed by #2355

Comments

SoniEx2 commented Nov 24, 2021

Welcome

  • Yes, I've searched similar issues on GitHub and didn't find any.

How do you use lego?

Binary

Detailed Description

When using lego renew, one should be able to tell lego to only renew the specified domains, and drop any domains not specified.

This would make managing certs much easier as one'd be able to just use systemd for it, instead of remembering the run command and all that. Just add/remove -d's and call it a day, then run the renewal unit.

@m1cr0man

I'd like to second this - in NixOS' ACME module it was recently reported (NixOS/nixpkgs#147540) that removing a domain does not work as expected, for this reason.

I would also ask that if the list of domains differs from those specified on the CLI, and --days is also specified, that a renewal would be attempted regardless of expiry date for those domains specified. This avoids a hacky bit of scripting we did already to detect a change in the configured domains.

@aanderse

This comment has been minimized.

@ldez
Member

ldez commented Nov 27, 2021

@aanderse Some days I wonder why I spend my time creating and maintaining open-source projects...
Please, there are humans behind open-source projects.

@aanderse

@ldez I'm sorry. I actually intended that comment to be in the NixOS issue thread, not this one... but after some reflection I realize even in the NixOS issue thread it is still an inappropriate comment. You're right. I'm an open source contributor as well and it never feels nice when people leave comments like that based on your hard work. Please do accept my apologies - many people appreciate the work people put into this project, myself included.

mweinelt pushed a commit to NixOS/nixpkgs that referenced this issue Dec 27, 2021
Closes #129838

It is possible for the CA to revoke a cert that has not yet
expired. We must run lego to validate this before expiration,
but we must still ignore failures on unexpired certs to retain
compatibility with #85794

Also changed domainHash logic such that a renewal will only
be attempted at all if domains are unchanged, and do a full
run otherwise. Resolves #147540 but will be partially
reverted when go-acme/lego#1532 is resolved + available.
m1cr0man added a commit to m1cr0man/lego that referenced this issue Nov 16, 2024
Closes go-acme#1532

When changing the --domains values, the certificate will not be
refreshed to update the SANs appropriately.

This change introduces a simple flag to check + enforce that
the domains specified match exactly those in the certificate during
renewal.
@m1cr0man m1cr0man linked a pull request Nov 18, 2024 that will close this issue
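
The check this thread asks for, sketched as an added example (not code from lego or from the linked pull request): a removed domain should not stay in the certificate's SANs until expiry, so a SAN mismatch forces a reissue regardless of the renewal window. The names `nameSet`, `minus` and `shouldRenew`, the exact-name comparison of DNS SANs only, and the sample certificate values are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"sort"
	"strings"
	"time"
)

// nameSet lower-cases names and drops a trailing dot so comparison is exact.
func nameSet(names []string) map[string]bool {
	s := map[string]bool{}
	for _, d := range names {
		s[strings.ToLower(strings.TrimSuffix(d, "."))] = true
	}
	return s
}

// minus returns the sorted names present in a but not in b.
func minus(a, b map[string]bool) (out []string) {
	for d := range a {
		if !b[d] {
			out = append(out, d)
		}
	}
	sort.Strings(out)
	return out
}

// shouldRenew forces a reissue when the certificate's DNS SANs differ from the
// requested domains; otherwise it renews only within `days` of NotAfter.
func shouldRenew(cert *x509.Certificate, requested []string, days int, now time.Time) (bool, string) {
	have, want := nameSet(cert.DNSNames), nameSet(requested)
	if stale, missing := minus(have, want), minus(want, have); len(stale)+len(missing) > 0 {
		return true, fmt.Sprintf("SAN mismatch: stale=%v missing=%v", stale, missing)
	}
	if cert.NotAfter.Sub(now) <= time.Duration(days)*24*time.Hour {
		return true, "within renewal window"
	}
	return false, "SANs match, not near expiry"
}

func main() {
	now := time.Date(2024, 11, 16, 0, 0, 0, 0, time.UTC) // constructed clock
	// Constructed certificate value: only the fields the check reads are set.
	cert := &x509.Certificate{NotAfter: now.AddDate(0, 0, 60),
		DNSNames: []string{"example.org", "www.example.org", "old.example.org"}}
	fmt.Println(shouldRenew(cert, []string{"example.org", "www.example.org"}, 30, now))
}
```

In a real deployment the certificate would come from parsing the stored PEM with `x509.ParseCertificate` rather than from a hand-built struct.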