Best practices for setups that are rebuilt multiple times a day

Good day. I am running a setup involving a couple of nodes load balanced by a single nginx server. That nginx is also responsible for https termination which I want to be handled by certbot. I am destroying and recreating the whole setup a couple times every day.

The problem I’m stumbling upon is that on every deployment my certbot is requesting a new certificate which causes me to hit my rate limit very quickly.

My thinking is that I should somehow deploy with an existing certificate, but how to get the certificate in the first place? Should I run certbot on my development machine or retrieve the certificate from a previous deployment? And what about data that certbot generates and requires for the renewal process?

Surely I’m not the first person in this situation, and some brighter minds must have found a clean solution to this problem. Please help!


Hi @rts

Simple answer: that's the wrong setup. Create a setup without destroying certificates. Create one certificate, then save it and re-use it for 60 - 85 days.

Then you have no problem with rate limits.


If you save all of /etc/letsencrypt, Certbot should reuse everything successfully. You may want to make your nginx configuration also persistently default to the file locations within /etc/letsencrypt/live.


That sounds a lot like a TESTING environment.
If so, can you use TEST certs?
[or do you really need valid certs?]


Do you mean I should not let certbot manage my nginx configuration, but configure it myself? If so, does it suffice to run certbot without --nginx?

I could, but in order to avoid trusting certificates on my and my testers’ devices it would be preferable to use valid certificates.


Continue running certbot as before.

All you need to do is "save" and then "restore" the entire contents of:
as part of your "destroying and recreating" process.


Yes, you could also run certonly (in which case you can still use --nginx).


It works beautifully. Thanks everyone
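
The save and restore of /etc/letsencrypt suggested in the replies above can be scripted as in the following added example, which is not code from any poster or from Certbot. The function names and the archive path are hypothetical; the sketch assumes a tar that supports -z and -p, and that Certbot's live/ entries are symlinks into archive/.

```shell
#!/bin/sh
# Added example: carry Certbot state across a destroy/recreate cycle.
# Function names and archive locations are hypothetical.

# le_save <letsencrypt_dir> <archive_path>
# Archive the whole directory. tar stores the live/ symlinks as symlinks
# and records file modes, so privkey*.pem stays owner-only after restore.
le_save() {
    src=$1; out=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    # The archive holds private keys and the ACME account key:
    # create it with owner-only permissions from the start.
    ( umask 077 && tar -C "$src" -czf "$out" . )
}

# le_restore <archive_path> <letsencrypt_dir>
le_restore() {
    in=$1; dst=$2
    [ -f "$in" ] || { echo "no archive: $in" >&2; return 1; }
    mkdir -p "$dst" || return 1
    # -p keeps the recorded modes instead of applying the current umask.
    tar -C "$dst" -xpzf "$in"
}

# le_links_ok <letsencrypt_dir>
# Returns non-zero if any live/<name>/*.pem is a regular file or a
# dangling link, which happens when a copy step flattens symlinks.
le_links_ok() {
    for f in "$1"/live/*/*.pem; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        [ -L "$f" ] && [ -e "$f" ] || return 1
    done
    return 0
}

# Typical use (run as root; the archive path is an assumption):
#   before destroy:  le_save /etc/letsencrypt /persist/letsencrypt.tgz
#   after recreate:  le_restore /persist/letsencrypt.tgz /etc/letsencrypt \
#                      && le_links_ok /etc/letsencrypt
```

Use absolute paths for both arguments, and keep the archive somewhere with the same access restrictions as the private keys it contains.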

