Explicit specify cert storage location(remove use of automatic -0001 suffixes)

[hultqvist]

Scenario

I start with generating a single cert for "example.com, www.example.com, test.example.com", this is stored in /etc/letsencrypt/archive/example.com

Later I generate a new cert with "example.com, www.example.com"
This will be stored in /etc/letsencrypt/archive/example.com-0001

Problems

At this stage it is unclear whether the user intended to remove test.example.com or to generate a new cert.

The risks are that one might not notice the suffix and assume that the new certs are in the original location.
I'm not suggesting silently replacing the cert in the original location.

The location of the generated certs should be known before running the client.

Suggestion

With this issue I suggest removal of the automatic suffix generation.

The algorithm that triggers the use of prefix should still be in use but once triggered I suggest the following approach.

When triggered an error will occur.
The error message will instruct that one of the following approaches is required.

1. Indicate that you want to modify the domains in the current cert. This feature is suggested in Allow removing SAN from multidomain certificate when renewing #2071
2. Choose a new alias for the storage using an option like --alias

With option 2 the use of --alias example2 would store the certs in /etc/letsencrypt/archive/example2

These two options can work independently and combined.

Examples

If your intention was to remove test.example.com then you use 1

If you intention was to generate another different cert then use 2

If you want to further modify the domain list for the cert in the new location you must use both 1 and 2.

[bmw]

I actually think this is a duplicate of #1882. Both address the problem of requesting a certificate whose names are a subset of those an existing certificate. With that said, I appreciate you taking the time to write up such a detailed post with both suggestions and examples.

The approach we're likely to take to solve #1882 mirrors how we handled the opposite situation. This is where you are requesting a certificate whose names are a superset of those in an existing certificate. In this case, assuming you provided nothing on the command line, you'll see the following:

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/example.com.conf)

It contains these names: example.com, www.example.com

You requested these names for the new certificate: example.com,
www.example.com, test.example.com

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: 

You can also skip this prompt by providing command line flags. If you provide --expand, on the command line, the symlinks for the existing certificate will be updated to point to the certificate with the new name.

If, however, you provide --duplicate, a new directory will be created to store your certificate. The name of this directory is determined by the first domain name that you entered. If there is another directory with that name, it will append a four digit number so that the name is unique. Otherwise, it uses the domain name with no suffix.

I believe this approach gets you all of the behavior you want with the exception of being able specify to specify the name of the new directory on the command line. If you think this would be useful, let me know and I'll create a new issue (or feel free to do it yourself). Alternatively, if you feel that this is a different problem than the one expressed in #1882, let me know and I'll reopen.

[hultqvist]

One concern I have with your suggested dialog is that it makes the client interactive and could lock up the process calling it. Is there an issue # for what you described?

I consider #1882 and #2071 basically the same feature request, to modify the list of domains whether one is to add domains and the other is to remove.

Although inspired by those issues my intention with this issue was ortogonal to those, but as I wrote in a comment to #2071 I begin to suspect that any change in the list of domains to an existing folder would require one to specify which folder to modify.
The suggestion here would be one way to solve that.

My main argument in this issue is still the request to know where the certs will be stored before running the client. Thus avoiding having to parse the output of the client to determine where it placed the certs.

[bmw]

Good point @hultqvist. Sorry for prematurely closing this issue.

Currently, letsencrypt is designed to be run interactively so prompting the user is consistent with the rest of the project. With that said, we're working on providing non-interactive ways of running the client such as the approach proposed by #2078.

We need a way for the user to choose which lineage gets modified, however, such as what you proposed with --alias. Using --expand or the proposed --shrink can be ambiguous or update lineages other than what the user intended.

[cybernet]

+1

[dentm42]

I haven't tried it, but can't you just create a script and use the --renew-hook RENEW_HOOK to "install" the renewed cert into the locations expected by your application using the $RENEWED_LINEAGE and $RENEWED_DOMAINS environment variables?