Best practice to manage certificates


#1

Hello,
Currently I have generated the certificates and everything is working fine.

  1. I generated SAN certificates on server A using a `docker run` command; the certificates are generated in /etc/letsencrypt/live/$domain
  2. Stored those certificates on server B (repo server)
  3. Then copied those certificates from server B to server C (our production server)

Can someone help me elaborate how to effectively manage the certificates? Currently I am doing this:

  1. When the certificates are about to expire, a certificate renewal request is sent to Let's Encrypt and the new certificates are received.
  2. Again copy those certificates to server B
  3. Stop NGINX on server C, copy the cert from server B and then start nginx again

The above looks a bit cumbersome. Can someone share how they manage this in a production environment?

My domain is:
quantiply.com

I ran this command:
docker run -it --rm -v /docker-volumes/etc/letsencrypt:/etc/letsencrypt -v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt -v /docker/letsencrypt-docker-nginx/src/letsencrypt/letsencrypt-site:/data/letsencrypt -v "/docker-volumes/var/log/letsencrypt:/var/log/letsencrypt" certbot/certbot certonly --webroot --agree-tos --no-eff-email --webroot-path=/data/letsencrypt -d $host_name -d

It produced this output:
Congratulations. Certificates generated successfully

My web server is (include version):
nginx -1.14.2-1.el7_4
The operating system my web server runs on is (include version):
CentOS Linux release 7.6.1810
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.29.1


#2

This seems unnecessary, as nginx can do a graceful reload (and update the cert while running).

