Not sure if this is feasible, but could have come in handy for me. When moving to a new server the LetsEncrypt certificates do not copy over, which makes sense since the private key is never supposed to leave the server it’s on.
My issue is for my clients where they manage their own DNS and also have different TTLs, etc. So once a site is transferred and then the DNS is updated, it would be nice to have LetsEncrypt check automatically every 5 mins or so to generate a new certificate.
Or what would make more sense would be to have a front end script to LetsEncrypt that just checks if the A record matches what LetsEncrypt needs; it could probably run that every minute since it wouldn’t be very resource intensive. Then, once it matches, it fires LetsEncrypt to generate the SSL for that account. This way the admin doesn’t have to keep checking the DNS and manually create the SSL.
This basically already exists, and has for a few years now; however, the check is run during the daily cron. It only checks once a day to avoid the risk of running into LE’s rate limiting.
If AutoSSL is enabled in the LE plugin, when the daily cron runs every day, it checks if DNS for the domains resolves to the server. If it does, and a cert does not exist (or it is an old cPanel LE cert), an LE cert is created.
This check can also be run manually, so I suppose you could set up your own cronjob to run the script every x minutes, if you’d like, but, again, that does risk potentially hitting LE’s rate limit settings: How To: Enable Let’s Encrypt and AutoSSL — InterWorx documentation
In IW7 the LE plugin/AutoSSL has to be enabled, however it is enabled by default on IW8 (currently in public beta).
that does risk potentially hitting LE’s rate limit settings.
That rate limit should only be hit if requesting a new certificate though right?
it checks if DNS for the domains resolve to the server.
It only makes the request to LE if the DNS is good right?
So it seems if there are 30 accounts that need an SSL added at the end of the day, it would either make 30 requests at once on the daily cron or 30 spread out over the day as the sites’ DNS starts resolving correctly.
I feel like I might be missing something. Wondering where that rate limit would become an issue?
Correct, it makes the request if our DNS check goes through (though creating the LE cert can still fail for a myriad of other reasons). We have it set for once a day just to be on the safe side.
For example, if the DNS check succeeds, the LE cert is attempted, but that attempt fails due to, for instance, an .htaccess rule that blocks the ability for the .well-known directory to be accessed. If AutoSSL runs as part of the fively, that same process will happen every five minutes–the DNS check will succeed, so the cert creation will be attempted, the cert attempt will fail. That happening every five minutes means that the rate limit will be hit within a half hour.
However, if this happens once a day–the DNS check succeeds, but the cert creation fails–that gives time for the issue to be noticed and there isn’t really much of a risk of hitting the rate limit.
We have the manual command exposed in the docs so that users can run it on its own after doing imports if they would like.
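The gated check this thread describes (the A-record test from the first post, combined with the once-per-failure backoff the reply above explains) as an added example; this is not InterWorx code or code from any poster. It assumes the caller supplies the issuance step as `issue(domain)`, because the AutoSSL CLI command is in the linked docs rather than on this page, and `resolve` is injectable so the logic can be exercised without live DNS.

```python
import socket
import time


def dns_points_here(domain, server_ip, resolve=socket.gethostbyname):
    """True only when the domain's A record resolves to this server's IP."""
    try:
        return resolve(domain) == server_ip
    except OSError:  # NXDOMAIN, SERVFAIL, timeout: treat as "not yet"
        return False


def due_for_attempt(state, domain, now, retry_after):
    """Gate repeat issuance: after a failed attempt the domain is left alone
    for retry_after seconds, so a persistent failure (e.g. a blocked
    .well-known path) cannot burn through the LE rate limit every cycle."""
    last = state.get(domain)
    if last is None:
        return True
    if last["ok"]:
        return False  # already has a cert; nothing to do
    return now - last["when"] >= retry_after


def run_cycle(domains, server_ip, state, issue, now=None,
              resolve=socket.gethostbyname, retry_after=86400):
    """One cron pass. `issue(domain)` must return True on success.
    Returns a dict of domain -> outcome and updates `state` in place."""
    now = time.time() if now is None else now
    outcomes = {}
    for domain in domains:
        if domain in state and state[domain]["ok"]:
            outcomes[domain] = "done"
        elif not dns_points_here(domain, server_ip, resolve):
            outcomes[domain] = "dns-pending"  # cheap check, safe to repeat
        elif not due_for_attempt(state, domain, now, retry_after):
            outcomes[domain] = "backoff"      # failed recently, do not retry yet
        else:
            ok = issue(domain)                # the only step that talks to LE
            state[domain] = {"ok": ok, "when": now}
            outcomes[domain] = "issued" if ok else "failed"
    return outcomes
```

Persist `state` (for example with `json.dump`) between cron runs; otherwise a restart forgets the backoff and the failing domain is retried immediately.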
Yeah, that makes sense since DNS is only the 1st of many factors.
Is there a way to manually call the Auto SSL, but target a specific domain? Or another command to do LE through the CLI?
If that was the case I could create my own script that will run a 5’ly that would only attempt to create SSLs on certain accounts that I know I would have this issue with after import.