
Basic ACME certbot commands

Here are a few basic commands to use when working with certbot and DevOpsACCELERATE's ACME implementation.

Request a certificate and place it in the specified folder:

  • If your user hasn't been registered, the certonly command registers it while also requesting the certificate.

Register your user with the Venafi ACME server:

certbot register --server https://api.venafi.cloud/acme/v1/[ZoneID]/directory -m [User_Email_Address]

Request a certificate and specify the name and SANs:

certbot certonly --server https://api.venafi.cloud/acme/v1/[ZoneID]/directory --cert-name example.com -d example.org,test.example.org

Example

certbot certonly --server https://api.venafi.cloud/acme/v1/[ZoneID]/directory --cert-name mycompany.com -d mycompany.org

Troubleshooting

Delete the certificate that certbot created locally: rm -f -r /etc/letsencrypt/live/[

Delete the renewal configuration for a certificate that certbot enrolled: rm /etc/letsencrypt/renewal/[certificate conf]

  • rm /etc/letsencrypt/renewal/
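The cleanup above runs recursive deletes under /etc/letsencrypt, so an empty or mistyped certificate name can remove every enrolled certificate. The following is an added example, not part of the original page or of certbot: a hypothetical helper, remove_cert_state, that validates the name and deletes only that certificate's live/, archive/ and renewal/ entries (archive/ is certbot's standard storage directory; the demo tree and names are constructed).

```bash
#!/usr/bin/env bash
# Added example: scoped removal of certbot's local state for ONE certificate.
# Assumed layout under the config root (certbot's default is /etc/letsencrypt):
#   live/<name>/   archive/<name>/   renewal/<name>.conf

remove_cert_state() {
    local root="$1" name="$2"

    # Refuse empty names and anything that could escape the per-certificate
    # paths: "." / "..", a leading "-", path separators, glob characters.
    case "$name" in
        ""|.|..|-*|*/*|*[!A-Za-z0-9._-]*)
            echo "refusing unsafe certificate name: '$name'" >&2
            return 2 ;;
    esac
    [ -d "$root/live" ] || { echo "no live/ directory under '$root'" >&2; return 3; }

    # Delete only this certificate's paths; "--" ends option parsing for rm.
    rm -rf -- "$root/live/$name" "$root/archive/$name"
    rm -f -- "$root/renewal/$name.conf"
}

# Demonstration on a constructed temporary tree (no real certbot data is touched).
demo() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/live/mycompany.com" "$root/live/other.example" \
             "$root/archive/mycompany.com" "$root/renewal"
    : > "$root/renewal/mycompany.com.conf"
    : > "$root/renewal/other.example.conf"

    # An empty name (for example an unset shell variable) must be rejected.
    remove_cert_state "$root" "" 2>/dev/null || echo "empty name rejected, exit $?"
    remove_cert_state "$root" "mycompany.com" && echo "mycompany.com removed"
    ls "$root/live" "$root/renewal"   # only other.example entries remain
    rm -rf -- "$root"
}
demo
```

On a real host the first argument would be /etc/letsencrypt; certbot's own `certbot delete --cert-name NAME` subcommand performs the same per-certificate removal.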

Consider the following key points:

  • The email address used to register your ACME client with the Venafi Cloud ACME server must be associated with a registered Venafi Cloud user.

  • The ACME server URL for registration and certificate requests must be expressed in lower case letters.

  • Consult the Zones configuration page for the list of available ACME server URLs. Remember, certificates will be issued by the Venafi Cloud ACME server only if they comply with their Issuing Template.

  • By default, certificate signing requests generated by certbot do not include a Subject Distinguished Name. The Issuing Template associated with the specified Zone must therefore be configured to allow all Subject fields to be blank. Make sure that the Issuing Template has the '.*' pattern added to the Common Name policy setting and that the Zone you are using is configured to use the same Issuing Template.

  • The certbot ACME client has a default timeout of 45 seconds. Depending on the CA account in use, the time to request and obtain a certificate may exceed this interval.

  • See https://github.com/certbot/certbot/issues/2148 for details and possible workarounds to increase the timeout.