I have a website that is served by Apache. I am using LetsEncrypt certificates that have been created by certbot using apache plugin. OS is Ubuntu. The site works fine.
Now I am running a NodeJS based API server that uses HTTPS. In order to test I have successfully used the certificate files as the TLS option as follows:
    var FS = require("fs");
    var tls = {
        key: FS.readFileSync("...."),  // private key file
        cert: FS.readFileSync("...")   // certificate (chain) file
    };
My understanding is that since these certificates have a lifetime of 90 days, at some point the API server will have a stale certificate (unless reloaded/restarted).
Then I found out about the excellent GreenLock library. I think this is what I want but I need a bit of clarification.
If I use the GreenLock library and point it to the existing certbot managed directory, will it just pick up the existing cert? Note that there is an Apache server running on port 80 to authenticate for those certificates.
Will there be contention between certbot and Greenlock to renew the cert?
Do I need to restart my API server for it to recognise the renewed certs, or does GreenLock make the renewal transparent to the NodeJS server?
Basically what I want is that GreenLock just uses the certs from the store and lets certbot + Apache manage the creation and renewal. Also, when managed like that, my NodeJS server continues to run and recognises the renewal.
Mozilla IOT contributed some patches to the le-store-certbot plugin recently which fixed a few bugs with certbot compatibility.
Fingers crossed, the latest version will be compatible with the certbot folder structure you had previously; just set configDir as needed.
When you're using Greenlock™, there's no need for certbot, and I'm not sure how well it would work to run both on the same system. In theory it should work... but I wouldn't do it.
However, since you're using node.js as the https server, not Apache, I don't think there's any reason you would need certbot still.
Greenlock automatically renews the certificates based on the expiration information that is in the certificate, not a cron job. If configDir is set to /etc/acme and a certificate exists in /etc/acme/live/example.com/fullchain.pem, that's the certificate that will be used.
The node service does not need to be restarted. Whenever there isn't a certificate in memory it will check on disk and then request one through ACME. Whenever there is a certificate in memory it has the expiration information and when it goes to renew the certificate, it will first check on disk for a new one before actually making the request (hence it should work with certbot).