Add HSTS to Existing Cert

I have been using a Let's Encrypt cert for my website for a number of years and have it set to auto-renew using the cron job below. I want to enable HSTS now and was wondering if I simply add --hsts to the cron job command or if there is any additional configuration that is required? How do I specify the timeframe also, i.e. 1 year? I have an Ubuntu 20.04 server running Apache.

0 0 1 */2 * certbot --force-renewal --quiet --agree-tos

Please don't ever use --force-renewal in a cron job!!! That's a very, VERY bad idea. Please remove it immediately! Why would you do that anyway?!?

To answer your HSTS question:

HSTS is just a header sent by the web server, not a property of the certificate. You might be able to set this header (but I'm not sure) by using the install subcommand of Certbot in combination with the --hsts option. But I don't know how you got and installed the certificate in the first place, so I can't provide an exact command for you.

3 Likes

The (underdocumented) enhance verb can do this:

sudo certbot enhance --hsts --apache
4 Likes
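What the enhance command above ends up doing is adding a mod_headers directive to the HTTPS vhost, which is also where the "1 year" from the question is expressed: max-age is in seconds, and 31536000 seconds is one year. The script below is an added example written for this thread, not Certbot's code and not from any post; it prints the directive, then runs an offline check over two constructed sample responses to see whether the header is present with a long enough max-age. It assumes mod_headers is enabled (sudo a2enmod headers) and that the directive lives in the :443 vhost; the includeSubDomains flag is an assumption as well, and the exact directive text Certbot writes may differ from the one printed here.

```shell
#!/bin/sh
# Added example for this thread (not Certbot's code, not from any post):
# the Apache directive an HSTS policy boils down to, and an offline check
# of the header a server returns. Assumes mod_headers is enabled
# (sudo a2enmod headers) and the directive sits inside the :443 vhost.

# One year in seconds (365 * 24 * 60 * 60); this is the value for the
# "1 year" asked about in the question.
HSTS_ONE_YEAR=31536000

# Print the mod_headers directive for an HSTS max-age of $1 seconds.
# "includeSubDomains" is an assumption here: only keep it if every
# subdomain is served over HTTPS, otherwise browsers lock them out too.
hsts_directive() {
    printf 'Header always set Strict-Transport-Security "max-age=%s; includeSubDomains"\n' "$1"
}

# Read an HTTP response (headers) on stdin and print the max-age value
# of the Strict-Transport-Security header, or nothing if it is absent.
# Header names are case-insensitive, so everything is lowercased first.
hsts_max_age() {
    tr -d '\r' \
      | tr '[:upper:]' '[:lower:]' \
      | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Exit 0 when the response on stdin carries HSTS with max-age >= $1 seconds.
hsts_at_least() {
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$1" ]
}

# Constructed sample responses (not captured from a real server).
SAMPLE_WITH_HSTS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

SAMPLE_WITHOUT_HSTS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# Stand-alone demonstration.
echo "Directive to add to the HTTPS vhost:"
hsts_directive "$HSTS_ONE_YEAR"

if printf '%s\n' "$SAMPLE_WITH_HSTS" | hsts_at_least "$HSTS_ONE_YEAR"; then
    echo "sample 1: HSTS present with max-age of at least one year"
fi
if ! printf '%s\n' "$SAMPLE_WITHOUT_HSTS" | hsts_at_least "$HSTS_ONE_YEAR"; then
    echo "sample 2: HSTS header missing or too short"
fi
# Against a live server the same check is:
#   curl -sI https://example.com/ | hsts_at_least 31536000
```

One caveat before setting a one-year value: browsers remember the policy for the full max-age, so if some part of the site (or, with includeSubDomains, some subdomain) still needs plain HTTP, visitors will be locked out until the policy expires. A common approach is to start with a short max-age such as 300, confirm everything works over HTTPS, and only then raise it to 31536000.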

Undocumented indeed. The --hsts option isn't mentioned in the enhance section, only in the security section, which isn't a subcommand to begin with. So I guessed install. I guess I guessed wrong.

Please improve the documentation.

4 Likes

This is a good place to get inspiration from if you want to add an HSTS header to your website:

3 Likes
