Auto-renew, HSTS and adding a new domain name


#1

Hello, I have a few questions and hope someone can help me.
So,

  1. To get a certificate I run this:

/opt/letsencrypt/letsencrypt-auto --config /etc/letsencrypt/configs/s1.demo.example.com certonly

This operation completed successfully, but now I want to add a new domain, 's2.demo.example.com'.

How should I do that? Run (1) again with the new name? Will that be a new certificate or a renewed one?

  2. How to tune HSTS in Nginx?

Like this?

server {
    listen 443 ssl;
    server_name s1.demo.example.com;
    # Certificate and key as stored by the Let's Encrypt client under
    # /etc/letsencrypt/live/<name>/ (paths assumed for this example)
    ssl_certificate     /etc/letsencrypt/live/s1.demo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/s1.demo.example.com/privkey.pem;

    # HSTS: browsers remember for one year (31536000 s) that this host and all
    # its subdomains must only be reached over HTTPS; "always" also sends the
    # header on error responses (4xx/5xx), not just on 2xx/3xx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # This 'location' block inherits the STS header from the server block
    location / {
        root /usr/share/nginx/html;
    }
    # Because this 'location' block contains another 'add_header' directive,
    # nginx drops all inherited add_header values, so the STS header must be
    # redeclared here
    location /servlet {
        add_header X-Served-By "My Servlet Handler";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://localhost:8080;
    }
}
  3. And about auto-renew

As I understand it, I need to do this:

sudo mkdir /var/log/letsencrypt/

and write

#!/bin/sh
# Abort if the client directory is missing instead of running from the wrong cwd
cd /opt/letsencrypt/ || exit 1
./letsencrypt-auto --config /etc/letsencrypt/configs/s1.demo.*****.com.conf certonly
if [ $? -ne 0 ]; then
    # Report the tail of the client log so cron mails the reason for the failure
    ERRORLOG=$(tail /var/log/letsencrypt/letsencrypt.log)
    printf "The Let's Encrypt cert has not been renewed! \n\n%s\n" "$ERRORLOG"
    exit 1
fi
# Only reload nginx when a new certificate was actually written
nginx -s reload
exit 0

then

crontab -e

and write this crontab entry:

0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /path/to/renew-letsencrypt.sh

But when I received the certificate, I got:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. You must agree
in order to register with the ACME server at
https://acme-staging.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

Who will answer this question when it is run automatically?

Thanks


#2

Hi @ehoaeroportov, where did you get the suggestion to use --config this way? I think your problems with the Terms of Service are related to the use of the --config option.

You can add a new domain by running something like

/opt/letsencrypt/letsencrypt-auto certonly --expand -d s1.demo.example.com -d s2.demo.example.com

If you do need to use your --config, you can perhaps add a line inside of the config file that says agree-tos = True (I thought it should be agree_tos = True, but one of our example files suggests the agree-tos form).

An alternative to ./letsencrypt-auto [...] certonly for the renewal is just ./letsencrypt-auto renew, which is meant to be run from crontab frequently (we’ve even suggested running it twice per day). It should use your existing configuration and renew the certificate when it’s near expiry. You can force it to renew all of your certs right away with ./letsencrypt-auto renew --force-renewal (which is not appropriate for running frequently from crontab because you’ll hit the rate limit quickly, but could be used to check whether the ./letsencrypt-auto renew command succeeds in renewing everything!).

One more thing: since all of your examples use ./letsencrypt-auto, you might be following some outdated documentation, and perhaps using outdated client software. The letsencrypt program was renamed to certbot several months ago, and current versions of the software will suggest certbot-auto everywhere in place of letsencrypt-auto.
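The renewal flow the reply recommends, as an added example that is not code from this thread or from the certbot project: a cron script built around `certbot-auto renew` that reloads nginx only after a successful renewal, plus a `cli.ini` carrying `agree-tos = True` so the Terms-of-Service prompt from the first post never blocks an unattended run. The client path `/opt/certbot/certbot-auto`, the log path, the e-mail address, the web root, the cron schedule and the helper names `write_cli_ini`, `renew_certs` and `renew_and_reload` are assumptions for this example, not anything the posts state.

```shell
#!/bin/sh
# Added example, not code from the thread: cron-driven renewal around
# "certbot-auto renew" plus a cli.ini that answers the ToS prompt in advance.
# The paths, e-mail address, web root and reload command below are assumptions;
# adjust them to your installation.

CERTBOT="${CERTBOT:-/opt/certbot/certbot-auto}"             # assumed client path
LOGFILE="${LOGFILE:-/var/log/letsencrypt/letsencrypt.log}"  # client's own log
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"                 # run after a renewal
CLI_INI="${CLI_INI:-/etc/letsencrypt/cli.ini}"              # default config file

# Write the global config the client reads on every run. "agree-tos = True"
# answers the (A)gree/(C)ancel prompt up front, so nothing waits for a human
# when the job runs from cron. E-mail address and web root are placeholders.
write_cli_ini() {
    cat > "$1" <<'EOF'
# Assumed contents; adjust before use.
agree-tos = True
email = hostmaster@example.com
rsa-key-size = 4096
authenticator = webroot
webroot-path = /usr/share/nginx/html
EOF
}

# "renew" only touches certificates that are near expiry, so it is safe to run
# twice a day. --non-interactive makes the client fail instead of prompting.
# Set FORCE=1 for a one-off check that every lineage renews; never schedule
# --force-renewal from cron, it will hit the issuance rate limit quickly.
renew_certs() {
    "$CERTBOT" renew --non-interactive --quiet ${FORCE:+--force-renewal}
}

# Reload the web server only after a successful renewal so that it picks up
# the new key and chain; on failure, print the tail of the client log to stderr
# so cron mails the reason.
renew_and_reload() {
    if renew_certs; then
        $RELOAD_CMD     # unquoted on purpose: the variable holds a command line
        return $?
    fi
    printf "The Let's Encrypt certificate was not renewed!\n\n" >&2
    if [ -r "$LOGFILE" ]; then
        tail -n 20 "$LOGFILE" >&2
    fi
    return 1
}

# Save this file as renew-letsencrypt.sh and schedule it, e.g. twice a day:
#   17 3,15 * * * /path/to/renew-letsencrypt.sh
# Write the config once, as root, with: write_cli_ini "$CLI_INI"
if [ "${0##*/}" = "renew-letsencrypt.sh" ]; then
    renew_and_reload
fi
```

Run `FORCE=1 ./renew-letsencrypt.sh` once by hand to confirm that every lineage renews and nginx reloads, then leave `FORCE` unset in the crontab entry; the first issuance (and `certonly --expand` when a name is added) is still a separate, one-time `certonly` run.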

