My web server is (include version): httpd-2.2.34-1.15.amzn1.x86_64
The operating system my web server runs on is (include version): Amazon Linux AMI release 2014.09
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
My scenario is a single EC2 but under an ELB. My customer needs to set up SSL on all of its domains. I’ve been able to create a new SSL certificate with all the domains with this command
certbot-auto --debug certonly --webroot
and then add all the domains and the webroot. My question is, how about the renew? Which command exactly do I have to setup in the crontab?
And, if you don’t mind, what happens if my customer adds more domains to his setup? Do I have to run a single command with the --expand flag, and then set it up in the crontab?
Depending on how your cron is set up, you may need to specify the full path to certbot-auto.
Note that because you used certonly, the cron job won’t automatically reload your web server configuration to make it use the new certificate after renewal. You can add the --deploy-hook option if you want that to happen (e.g. certbot-auto renew --deploy-hook "service httpd reload" or similar). You can also specify this hook when requesting the certificate initially, and it will be remembered and run automatically by the renew command.
If you need to add more domains, you can request a new replacement certificate containing the new domain and all the old domains, using the --expand flag (in this case, specify all the domains you want on the certificate, including the existing ones). Or if you prefer, you can request a new, separate certificate just covering the new domain, to use alongside the existing certificate (this might be better if the new domain is an entirely separate domain rather than a new subdomain of an existing one). In that case, simply run certbot-auto certonly --webroot again and specify only the new domain.
The renew command that you’ll already have in your crontab will suffice in either case; there’s no need to modify it further when you add new domains.
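Added example (not from the thread above): a deploy-hook script for the httpd case described in the answer. Instead of reloading unconditionally, it runs apachectl configtest first so a broken vhost config does not leave httpd down after a renewal; the script path /usr/local/bin/reload-httpd.sh is an assumption, and certbot really does export RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks.

```shell
#!/bin/sh
# Deploy hook for certbot-auto renew, e.g. installed as /usr/local/bin/reload-httpd.sh
# (assumed path) and wired in with:
#   certbot-auto renew --deploy-hook /usr/local/bin/reload-httpd.sh
# Commands are overridable via environment so the logic can be exercised without httpd.
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apachectl configtest}"
RELOAD_CMD="${RELOAD_CMD:-service httpd reload}"

# Reload httpd only if its configuration passes a syntax check.
# Returns 0 on reload, 1 if the config test failed (httpd left untouched).
reload_if_config_ok() {
  if $CONFIGTEST_CMD >/dev/null 2>&1; then
    $RELOAD_CMD
    return $?
  fi
  echo "httpd config test failed; not reloading (renewed: ${RENEWED_DOMAINS:-?})" >&2
  return 1
}

# certbot sets RENEWED_LINEAGE when it invokes a deploy hook; only act in that case,
# so sourcing this file elsewhere does not trigger a reload.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  reload_if_config_ok
fi
```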