acme.sh
feature request: Implement certbot's --dry-run functionality
After running into issue #2463 I realized that --test cannot be used to replace --dry-run from certbot.
Something equivalent to certbot's --dry-run is definitely needed, especially if you tinker with your webserver configuration and need to test whether the well-known directory is still accessible. There needs to be a simple way to test the configuration without having to issue a new certificate and having the old one overwritten by --test.
Regards, Simon
This feature would be extremely helpful!
Have either of you done anything about this?
I am trying, but I find this feature pretty hard to implement, because I cannot just write the test cert to /dev/null (acme.sh expects to read it to check whether it's a fullchain or not, and to install it), and I don't know if using a mktemp -d will isolate the configuration enough. (In my experiments it doesn't interfere with the main acme.sh config, but it will install a staging certificate into the actual app.)
#!/usr/bin/env sh
#### UNTESTED ####
set -eu
TEMPDIR=$(mktemp -d)
trap 'rm -rf "$TEMPDIR"' EXIT
# work on a throwaway copy of the acme.sh home directory
cp -a "$LE_WORKING_DIR/." "$TEMPDIR"
cd "$TEMPDIR"
# drop install paths and reload command from every per-domain conf,
# so the staging cert is never deployed into the live app
sed -i '/^Le_Real/d' ./*.*/*.conf
sed -i '/^Le_Reload/d' ./*.*/*.conf
export LE_WORKING_DIR="$TEMPDIR"
./acme.sh --home "$TEMPDIR" --test --cron --force
Nope. I am just using the normal --force function (since I override the old cert). Luckily the old config is preserved if something fails. So it kind of does a dry run if something is wrong.
Also I am hoping I don't hit any ratelimits.
I'm struggling with this issue myself -- I was surprised that with the --staging or --test flag, I actually had certs issued from Let's Encrypt. I don't recall any actual certs being issued when I used to do certbot --dry-run.
Will I hit any rate limits? I'm messing around with a custom script to actually obtain the certs, install the certs, and set up systemd timer files all in one shot. A dry run would be very helpful.
@kevdogg the staging API has rate limits, they're just very high.
Both acme.sh --test and certbot --dry-run use the staging API; the difference is in what the client does with the certificates it obtains. certbot discards them, acme.sh deploys them.
> Both acme.sh --test and certbot --dry-run use the staging API,

For acme.sh this is only true for the --issue action. The --renew action uses the API the certificate was issued with.

> the difference is in what the client does with the certificates it obtains. certbot discards them, acme.sh deploys them.

No.

https://community.letsencrypt.org/t/acme-sh-staging-option/118822#post_2
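As an added example, not code from the acme.sh project or from anyone in this thread: a POSIX sh script that builds the kind of sandbox copy sketched in the earlier comment, stripping the install directives from every per-domain conf and, to address the point made just above about --renew, pinning Le_API to the staging directory so that a --renew or --cron run inside the copy cannot fall back to the production API the certificate was originally issued with. The conf key names (Le_Real*, Le_ReloadCmd, Le_API) are assumed from acme.sh's per-domain conf format; the sample conf is constructed for the demo, and sed -i is used in its GNU form.

```sh
#!/usr/bin/env sh
# Added example, not part of acme.sh or this thread.
# Assumed per-domain conf keys (as acme.sh writes them to <domain>/<domain>.conf):
#   Le_RealCertPath, Le_RealKeyPath, Le_RealCACertPath, Le_RealFullChainPath,
#   Le_ReloadCmd  -> install/deploy settings
#   Le_API        -> CA directory URL the cert was issued with
set -eu

STAGING_API='https://acme-staging-v02.api.letsencrypt.org/directory'

# write_sample_conf DIR: constructed sample of a production-issued domain conf
# that would deploy into nginx; used only to demonstrate the sanitiser.
write_sample_conf() {
  mkdir -p "$1/example.com"
  printf '%s\n' \
    "Le_Domain='example.com'" \
    "Le_Alt='no'" \
    "Le_Webroot='/var/www/html'" \
    "Le_API='https://acme-v02.api.letsencrypt.org/directory'" \
    "Le_RealCertPath='/etc/nginx/ssl/example.com.cer'" \
    "Le_RealKeyPath='/etc/nginx/ssl/example.com.key'" \
    "Le_RealFullChainPath='/etc/nginx/ssl/fullchain.cer'" \
    "Le_ReloadCmd='systemctl reload nginx'" \
    > "$1/example.com/example.com.conf"
}

# make_dry_run_copy SRC DST: copy the acme.sh home into DST (an existing empty
# dir) and neutralise every per-domain conf so a staging run cannot touch the
# live system: no install paths, no reload command, and Le_API forced to
# staging so --renew/--cron inside the copy stay on staging as well.
make_dry_run_copy() {
  src=$1; dst=$2
  cp -a "$src/." "$dst"
  for conf in "$dst"/*/*.conf; do
    [ -f "$conf" ] || continue
    sed -i \
      -e '/^Le_Real/d' \
      -e '/^Le_Reload/d' \
      -e "s#^Le_API=.*#Le_API='$STAGING_API'#" \
      "$conf"
  done
}

# count_live_directives FILE: number of lines that would still deploy a cert
# or renew against production; 0 means the copy is safe for --test --force.
count_live_directives() {
  grep -c -e '^Le_Real' -e '^Le_Reload' -e "^Le_API='https://acme-v02" "$1" || true
}

# Stand-alone demo on the constructed conf: 5 live directives before, 0 after.
demo() {
  src=$(mktemp -d); dst=$(mktemp -d)
  write_sample_conf "$src"
  echo "before: $(count_live_directives "$src/example.com/example.com.conf") live directives"
  make_dry_run_copy "$src" "$dst"
  echo "after:  $(count_live_directives "$dst/example.com/example.com.conf") live directives"
  rm -rf "$src" "$dst"
}

demo
```

After sanitising, the copy can be driven with `./acme.sh --home "$dst" --test --renew-all --force` (or the `--cron` variant from the earlier comment); whatever staging certificate comes back stays inside `$dst`, and `rm -rf "$dst"` discards it, which is the behaviour certbot's --dry-run gives for free.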