Certificate Directory & Verification Renewals


#1

Good Afternoon,

I have a few questions I was hoping you were able to help me answer.

As I am trying to avoid adding any folders/files into the website directory, as we often clean these when we do updates, I have some questions.

dns-01 challenge type verification:

  • Setting up a new certificate using dns-01 challenge type verification using a TXT record in the domain name's DNS, is this a one-time TXT record in the DNS for the verification method, even for the renewals? Or does the TXT record need to be changed each time the certificate is up for renewal? If it does need to be changed each time, is there an automated way to do so?
  • Using the dns-01 verification method, on "Auto" deployment mode, where is the certificate stored, plus does it create any folders in the website directory which you have just set up the SSL certificate for?

Is there any way I can have these certificates externally from the website directories to prevent the possibility of them being deleted? If so, can the renewals still be automated?

Thank you in advance for any help, I hope you can answer my questions, as I very much like the product you have created.


#2

Hi,

The website files we create for the http-01 challenges are temporary (these are not the certificate file) and you can delete them whenever you like. In addition, if you are on the current version of Certify the built-in http challenge server is used by default (a temporary in-memory process) so these files aren't used (unless we need to fall back to providing the challenge via IIS).

For dns-01, no files are created in the website folder; instead the Let's Encrypt certificate authority will ask us to create a TXT record called something like `_acme-challenge.yourdomain.com` or `_acme-challenge.www.domain.com` depending on the names you have in your certificate (one for each name, or shared for wildcards and primary domains). The value of this TXT record will change every time, so it's best to be automated as otherwise certificate renewals require a manual process. We support a range of APIs but the simplest is acme-dns (using an externally hosted acme-dns server) unless you are already using a supported DNS provider like AWS. With dns-01 it is possible to fetch certificates without having a website running at all and you can optionally do it from a desktop or server.

For all certificate deployments (regardless of the challenge type), certificates are deployed to the computer Certificate Store (Personal/My) and a copy is kept under the c:\programdata\certify\ folder. For automated bindings (the default) we then bind the certificate (in the certificate store) as https in IIS or update the existing binding.
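As an added illustration of the dns-01 mechanics described in the reply above (example code, not part of the post and not Certify's own code): it computes the `_acme-challenge` record name and value as RFC 8555 defines them, from a constructed account key and constructed challenge tokens, showing why the value is different on every order and why a wildcard and its base domain share one record name.

```python
import base64
import hashlib
import json

# Constructed account key (not a real key; x/y are placeholders) used only to
# show the computation. A real ACME client uses its own account key here.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    serialised with keys sorted and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """Name and value of the TXT record that answers a dns-01 challenge.

    A wildcard identifier is validated at its base domain, so '*.example.com'
    and 'example.com' both publish under '_acme-challenge.example.com'.
    The value is SHA-256(token '.' thumbprint); the CA issues a fresh token
    for every order, so the value is different on every renewal."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def records_for_order(tokens: dict, jwk: dict) -> dict:
    """Group the TXT records an order needs by record name. When a wildcard
    and its base domain share a name, both values must be published at once."""
    records: dict = {}
    for identifier, token in tokens.items():
        name, value = dns01_record(identifier, token, jwk)
        records.setdefault(name, set()).add(value)
    return records


if __name__ == "__main__":
    # Constructed tokens standing in for what the CA would return in an order.
    order = {"example.com": "tokenA-constructed", "*.example.com": "tokenB-constructed"}
    for name, values in records_for_order(order, SAMPLE_JWK).items():
        for v in sorted(values):
            print(f'{name} TXT "{v}"')
```

Publishing the record is the provider-specific step (acme-dns or a DNS API); the computation above is what any automation must reproduce for each new order.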