Add full support for using an existing private key

[bdesham]

Certbot seems to generate a new private key each time it requests certificates. This makes it very difficult to use SSL pinning with Certbot: ordinarily you would distribute the server (public) key with your application and use the (private) key to obtain the server’s certificate. If the server’s certificate changes every three months then you would also have to update your application every three months (and risk users being locked out entirely if they happened not to upgrade).

The only way to bring your own server key to Certbot seems to be to create your own CSR and pass this to Certbot using the --csr option. (In my understanding the key is “baked in” to the CSR in a way that makes it a suitable proxy for the private key.)

This has drawbacks, however. You have to get the CSR from somewhere but Certbot offers no relevant documentation. (I followed this documentation from letsencrypt-nosudo, another ACME client.) More significantly, when Certbot obtains the certificates from your CSR it doesn’t put them in /etc/letsencrypt but just in the current working directory. Part of the appeal of Certbot is that it usually puts certificates in a well-defined directory hierarchy; having symlinks to the latest versions in /etc/letsencrypt/live is also a boon for convenience. Neither of these is the case when you use your own CSR.

I am requesting that one of the following features be added to Certbot:

1. The ability to point Certbot to an existing server private key, presumably with a command-line flag. (This would be my preferred solution.)
2. Certificates that “came from” a user-provided CSR should be treated the same (i.e. placed in the same directories) as certificates that were obtained in the usual way.

[daadu]

👍

[lancedolan]

Big upvote on this!

Additionally, if your SSL termination happens on some hosted infrastructure or platform provider who doesn't use Let's Encrypt, but who will allow you to programmatically upload certs, then your certbot server will need to sign all certs with a private key provided to you by your hosting provider. That is our case now, and it's causing great difficulty, if not a total impasse. We might need to use some other janky ACME tool instead of certbot because of this.

[lancedolan]

This documentation indicates that the feature already exists and that using the CSR is only optional... but I've found no documentation otherwise:

https://certbot.eff.org/faq/#can-i-use-an-existing-private-key-or-certificate-signing-request-csr-with-certbot

UPDATE: I actually created a PR on actual website source code and update that misleading faq, so posterity might find this comment confusing...

[lancedolan]

I have learned there is an existing PR to get this completed...

#3819

[SwartzCr]

This seems pretty related to #4331
So feel free to comment in there if you have suggestions on how directory choosing is handled.
I'm also going to ping @pconrad-fb and @schoen about documenting how to generate your own CSR and use it with certbot.

[pconrad-fb]

Happy to add this to the stack. Will need more info of course.

[SwartzCr]

Sure - this should be after lineages and a bigger link to the instruction generator. It's also possible that @schoen is better suited for this and should work on it after finishing up the challenge documentation

[pconrad-fb]

I'm ready for more information here. I am at a stopping place with lineages (until the next review) and I've added a bigger link to the instruction generator. Ready to ramp up on this while waiting for callback on those other two items.

[lancedolan]

We've mostly completed development with the existing solution, generating our own CSR every time and passing that in. It's a pain and meant writing a custom cert management solution since certbot spits the certs into the current directory instead of into its normal management directories under /etc/letsencrypt. We're probably too far along now to benefit from this future change, but I'm sure others will need it, especially as large organizations start using certbot under the same requirements we did.

I think as far as "more information," everybody just wants to provide a path to a key on the local server, with some toggle like -privatekey /path/to/key.pem , and we want certbot to behave exactly as normal when providing that private key.

[SwartzCr]

@pconrad-fb man, do I have more info for you, take a look at: #3612 , #3611, and #3686
it's all pretty confusing.
As for @lancedolan and @bdesham it looks like this is similar to the issue @dkg opened (maybe even the same?) in #3788
We have an old PR for it (#3819), and now @schoen is working on a newer one (according to #3819 (comment)) but I don't know if he's posted it yet

[bdesham]

@pconrad-fb I don’t think the real issue here is a lack of documentation. I think the issue is a gap in Certbot’s functionality—specifically, the inability for the user to specify which private key they want to use. As far as I can tell, people are only using CSRs because it’s a way to work around that missing functionality. Therefore, while it would be fine to add a “how to create a CSR” tutorial to Certbot’s documentation, I think it would be even more helpful to more people just to add the private-key feature so that people don’t have to muck around with CSRs in the first place.

[dkg]

fwiw, i agree with @bdesham here. The simple thing that people want to do is point to a secret key that they plan to continue using (whether that's for HPKP or for other reasons). CSRs are a weird ephemeral byproduct of the cert registration process; They aren't used elsewhere. We don't expect people to keep around copies of their JSON requests or the responses they got from the ACME provider, or the HTTP request or response headers (or the TCP framing, for that matter :P). Why should they need to think about or maintain a CSR?