What is the current recommended shell command for adding a certificate for a new domain on nginx without affecting any existing certificates for my old domains?
I currently have four running domains with certbot successfully maintaining and renewing them perfectly for over a year. About nine months ago, I added one new domain to my server but ended up invalidating my old certificates when trying to add the new site with certbot. That was utterly my fault for not correctly understanding the documentation, so I just want to be extra cautious now.
If I wanted to add two new subdomains, what is the correct path such that:
- valid certificates are created for the new subdomains,
- the new certificates are renewed automatically, and
- the existing certificates are not affected or continue to renew normally.
I’m using shell access on a Digital Ocean instance of Ubuntu 16.04.5 LTS running certbot 0.26.1 and nginx.
My current (slightly redacted) certificates are:
```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: redacted1.com
    Domains: redacted1.com www.redacted1.com
    Expiry Date: 2018-09-21 23:29:09+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/redacted1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/redacted1.com/privkey.pem
  Certificate Name: subdomain1.redacted2.com
    Domains: subdomain1.redacted2.com
    Expiry Date: 2018-11-09 02:15:08+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/subdomain1.redacted2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain1.redacted2.com/privkey.pem
  Certificate Name: subdomain2.redacted2.com
    Domains: subdomain2.redacted2.com
    Expiry Date: 2018-11-14 00:32:57+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/subdomain2.redacted2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain2.redacted2.com/privkey.pem
  Certificate Name: subdomain3.redacted2.com
    Domains: subdomain3.redacted2.com
    Expiry Date: 2018-10-06 17:05:16+00:00 (VALID: 49 days)
    Certificate Path: /etc/letsencrypt/live/subdomain3.redacted2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/subdomain3.redacted2.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
The cron file I use for certbot renewal is this:
```
$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --nginx
```
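A pre-flight check for the situation described in the post, as an added example that is not part of the original post and is not certbot's own code: it parses `certbot certificates` output in the format shown above and reports whether any name about to be requested already belongs to an existing certificate. The two new subdomain names are hypothetical, the embedded listing is a constructed sample built from the redacted names in the post, and wildcard names are not handled.

```python
# Constructed sample in the format of the `certbot certificates` listing above.
SAMPLE = """\
Found the following certs:
  Certificate Name: redacted1.com
    Domains: redacted1.com www.redacted1.com
    Expiry Date: 2018-09-21 23:29:09+00:00 (VALID: 34 days)
  Certificate Name: subdomain1.redacted2.com
    Domains: subdomain1.redacted2.com
  Certificate Name: subdomain2.redacted2.com
    Domains: subdomain2.redacted2.com
  Certificate Name: subdomain3.redacted2.com
    Domains: subdomain3.redacted2.com
"""


def parse_lineages(text):
    """Return {certificate name: set of domains} from `certbot certificates` output."""
    lineages, current = {}, None
    for line in text.splitlines():
        # Split on the first colon only, so timestamps and paths stay intact.
        key, _, value = line.strip().partition(":")
        if key == "Certificate Name":
            current = value.strip().lower()
            lineages[current] = set()
        elif key == "Domains" and current is not None:
            lineages[current].update(value.lower().split())
    return lineages


def conflicts(lineages, new_domains):
    """Map each requested name to the existing certificates it collides with.

    A collision is a requested name that equals an existing certificate name
    or is already listed among that certificate's domains.
    """
    found = {}
    for domain in (d.lower() for d in new_domains):
        hits = sorted(n for n, doms in lineages.items() if domain == n or domain in doms)
        if hits:
            found[domain] = hits
    return found


if __name__ == "__main__":
    # Hypothetical new names; replace with the subdomains being added.
    requested = ["subdomain4.redacted2.com", "subdomain5.redacted2.com"]
    clashes = conflicts(parse_lineages(SAMPLE), requested)
    for name, certs in clashes.items():
        print(f"{name} is already covered by: {', '.join(certs)}")
    print("no overlap with existing certificates" if not clashes else "resolve overlaps first")
```
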