Hi, is there a way to keep the private key with acme.sh in order to set up HTTPS DANE? With certbot we can use --reuse-key and --keep for this, but I don't find anything like this with acme.sh.
OK, it looks like it's "--always-force-new-domain-key" that forces privkey renewal. And... it seems it's enabled in ISPConfig?
That's correct. By default keys are renewed when certificates are renewed. That's hardcoded. You can change it yourself in the code but will need to do that again after every ispconfig upgrade. Or you change it in the certificate's config file after you have deployed a new certificate. Any change in the config file will be applied on the next renewal.
For acme.sh it's line 88 in /usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php

Code:
$acme_sh . ' --issue ' . $domain_args . ' -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key ' . $conf_selection_arg . $certificate_type_arg,

Just deleting "--always-force-new-domain-key" should be enough. For new certificates, that is. For existing certificates you'll need to edit their config files.
No, the config files are from acme.sh and are certificate specific.

Code:
/root/.acme.sh/<domain.tld>/<domain.tld>.conf

They have nothing to do with ISPConfig itself and won't be touched by ISPConfig updates.
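The thread leaves two practical steps to the reader: switching an existing acme.sh certificate config so the next renewal keeps its key, and confirming afterwards that the key (and therefore the DANE TLSA record) did not change. The script below is an added example, not code from the thread, from acme.sh or from ISPConfig. It assumes that acme.sh records the flag in the per-certificate conf file as `Le_ForceNewDomainKey=...` (verify the variable name against the acme.sh version you run) and that `openssl` and `dig` are available for the TLSA part; the sample conf it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: keep the private key across acme.sh renewals and verify DANE.
# Assumption (check your acme.sh version): the per-certificate conf under
# /root/.acme.sh/<domain>/<domain>.conf stores the flag as Le_ForceNewDomainKey.

# Return 0 if the conf still forces a new key on every renewal, 1 otherwise.
# Values may be written as '1' or "1" depending on the acme.sh version.
acme_forces_new_key() {
    val=$(sed -n 's/^Le_ForceNewDomainKey=//p' "$1" | tr -d "'\"")
    [ "$val" = "1" ]
}

# Rewrite the conf so the next renewal reuses the existing key.
# Written via a temp file so it works with any sed (no -i dependence).
acme_keep_key() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed "s/^Le_ForceNewDomainKey=.*/Le_ForceNewDomainKey=''/" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# DANE-EE TLSA "3 1 1": SHA-256 over the DER-encoded SubjectPublicKeyInfo.
# Because it hashes only the public key, the record survives renewals as long
# as the key is kept; a new key silently breaks every DANE-validating client.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | od -An -tx1 | tr -d ' \n'
}

# Compare the freshly issued certificate with the published record.
# Usage: tlsa_matches_dns example.com 443 /root/.acme.sh/example.com/example.com.cer
tlsa_matches_dns() {
    domain="$1"; port="$2"; cert="$3"
    want=$(tlsa_311_from_cert "$cert")
    dig +short TLSA "_${port}._tcp.${domain}" \
        | tr 'A-F' 'a-f' | tr -d ' ' \
        | grep -q "^311${want}$"
}

# Constructed sample conf resembling what acme.sh writes (not a real domain's file).
make_sample_conf() {
    f=$(mktemp)
    printf "%s\n" \
        "Le_Domain='example.com'" \
        "Le_Webroot='/usr/local/ispconfig/interface/acme'" \
        "Le_ForceNewDomainKey='1'" \
        "Le_Keylength='2048'" > "$f"
    echo "$f"
}

# Stand-alone run: show the flag being cleared on the sample conf.
if [ "${0##*/}" = "acme_keep_key.sh" ]; then
    f=$(make_sample_conf)
    acme_forces_new_key "$f" && echo "before: renewals force a new key"
    acme_keep_key "$f"
    acme_forces_new_key "$f" || echo "after: next renewal keeps the key"
    rm -f "$f"
fi
```

Run `acme_keep_key` once per certificate whose TLSA record you publish, then after the next renewal run `tlsa_matches_dns` (or at least `tlsa_311_from_cert` against the old and new `.cer`) before reloading the web server; if the hashes differ, the key was rotated and the DNS record must be updated first.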