Apache ec2 renew doubts


My web server is (include version): httpd-2.2.34-1.15.amzn1.x86_64

The operating system my web server runs on is (include version): Amazon Linux AMI release 2014.09

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

My scenario is a single EC2 but under an ELB. My customer needs to set up SSL on all of its domains. I’ve been able to create a new SSL certificate with all the domains with this command

certbot-auto --debug certonly --webroot

and then add all the domains and the webroot. My question is, what about the renewal? Which command exactly do I have to set up in the crontab?

And, if you don’t mind, what happens if my customer adds more domains to his setup? Do I have to run a single command with the --expand flag, and then set it up in the crontab?

Any help is appreciated!


The command you need to run from cron is

certbot-auto renew

Depending on how your cron is set up, you may need to specify the full path to certbot-auto.

Note that because you used certonly, the cron job won’t automatically reload your web server configuration to make it use the new certificate after renewal. You can add the --deploy-hook option if you want that to happen (e.g. certbot-auto renew --deploy-hook "service httpd reload" or similar). You can also specify this hook when requesting the certificate initially, and it will be remembered and run automatically by the renew command.

If you need to add more domains, you can request a new replacement certificate containing the new domain and all the old domains, using the --expand flag (in this case, specify all the domains you want on the certificate, including the existing ones). Or if you prefer, you can request a new, separate certificate just covering the new domain, to use alongside the existing certificate (this might be better if the new domain is an entirely separate domain rather than a new subdomain of an existing one). In that case, simply run certbot-auto certonly --webroot again and specify only the new domain.

The renew command that you’ll already have in your crontab will suffice in either case; there’s no need to modify it further when you add new domains.
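As an added illustration of the answer above (not from the original thread or from certbot itself), here is a small wrapper script that cron can call instead of a bare certbot-auto renew: it runs the renewal with a deploy hook that points back at the script, and that hook reloads httpd only after apachectl configtest passes. It assumes certbot-auto is at /usr/local/bin/certbot-auto and the script is saved as /usr/local/sbin/le-renew.sh; both paths are placeholders.

```shell
#!/bin/sh
# le-renew.sh: cron wrapper around "certbot-auto renew" (added example).
# Assumed paths (adjust): certbot-auto in /usr/local/bin, this script in
# /usr/local/sbin. Cron runs with a minimal PATH, so the full path is used.
set -u

CERTBOT=${CERTBOT:-/usr/local/bin/certbot-auto}

# Deploy-hook body. certbot only runs the deploy hook when a certificate was
# actually renewed, so this does not reload httpd on every twice-daily check.
# The configtest guard keeps an unattended renewal from taking the site down
# because of an unrelated, half-finished vhost edit.
safe_reload() {
    if apachectl configtest >/dev/null 2>&1; then
        service httpd reload
    else
        echo "le-renew: httpd configtest failed, not reloading" >&2
        return 1
    fi
}

# Builds the exact command line cron will run. $1 is this script's own path,
# which becomes the deploy hook ("<script> deploy-hook").
renew_cmd() {
    printf '%s renew --quiet --deploy-hook "%s deploy-hook"' "$CERTBOT" "$1"
}

# Suggested crontab line (certbot recommends running renew twice a day;
# the command is a no-op unless a certificate is within 30 days of expiry):
#   17 3,15 * * * /usr/local/sbin/le-renew.sh renew >> /var/log/le-renew.log 2>&1

case "${1:-}" in
    renew)       eval "$(renew_cmd "$0")" ;;
    deploy-hook) safe_reload ;;
    *)           echo "usage: $0 renew|deploy-hook" >&2 ;;
esac
```

Adding a new domain later changes nothing here: the --expand run (or a separate certonly run) registers the extra certificate or names in certbot's renewal configuration, and the same cron line picks them up.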
