Can certbot-nginx be used as authenticator without updating nginx confs?

Hi,

My question is general and does not involve any specific domain name.

Can certbot-nginx be used as authenticator without updating nginx confs?

certbot-nginx is messing with my nginx configurations, and I don't want certbot-nginx to update my conf in any way, because I write them better myself than certbot does.

With a TLS certificate for a mail server that contains many domain names as SANs, when I expand it with a new domain name, it updates all my nginx confs for every domain name listed in the SANs, and I don't want that.

I don't want that:

    if ($host = Some_SAN_DomainName) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

I don't want that on every nginx conf listed in the SANs in the certbot TLS certificate expansion:

    ssl_certificate /etc/letsencrypt/live/THE_PRIMARY_DOMAIN_OF_MY_MAIL_SERVER/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/THE_PRIMARY_DOMAIN_OF_MY_MAIL_SERVER/privkey.pem; # managed by Certbot

I mean, I could have a WordPress website, and because the mail server TLS certificate contains also the domain name of my WordPress website, it shows stuff like that.

Can certbot-nginx be used as authenticator without updating nginx confs, without being an installer?

My web server is (include version): nginx version: nginx/1.20.2

The operating system my web server runs on is (include version): Arch Linux x86_64 with linux 5.15.11-arch2-1

My hosting provider, if applicable, is: Online.net (dedicated server)

I can login to a root shell on my machine (yes or no, or I don't know): yeah

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): nope

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Partly. As an authenticator, the plugin would temporarily need to modify the configuration for the challenge. But it won't install the cert if you don't want to. You can select the plugin for authentication only by passing the nginx value to the -a option.

If you don't want any meddling with your config, you should use the webroot plugin.

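As an added example (not posted by anyone in this thread and not Certbot's own tooling), the script below shows the two pieces a practitioner wants after reading the answer above: an audit function that finds which nginx site files the installer has already stamped with "# managed by Certbot", and a helper that builds the `certonly` invocation for either the nginx authenticator (`-a nginx`, which still needs a temporary config change during the challenge) or the webroot authenticator (`-a webroot -w PATH`, which touches nothing). The two site files, the domain names and the webroot path are constructed placeholders written into a temporary directory; the second file includes the static `/.well-known/acme-challenge/` location that makes the webroot method work without any certbot edits.

```shell
#!/bin/sh
# Added example, not from the original thread. Everything under $WORK is
# constructed sample data; domain names and paths are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Site file that the certbot-nginx installer has already modified.
cat > "$WORK/mail.example.test.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name mail.example.test;
    ssl_certificate /etc/letsencrypt/live/mail.example.test/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.example.test/privkey.pem; # managed by Certbot
}
server {
    if ($host = mail.example.test) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name mail.example.test;
}
EOF

# Hand-written site file: serves HTTP-01 challenges from a fixed webroot, so
# the webroot plugin never needs to edit it.
cat > "$WORK/blog.example.test.conf" <<'EOF'
server {
    listen 80;
    server_name blog.example.test;
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / { return 301 https://$host$request_uri; }
}
EOF

# count_managed_lines FILE: number of lines stamped by Certbot's installer.
# grep -c exits 1 when the count is 0, hence the "|| true" under set -e.
count_managed_lines() {
    grep -c '# managed by Certbot' "$1" || true
}

# managed_files DIR: the *.conf files in DIR that carry the marker, one per line.
managed_files() {
    grep -l '# managed by Certbot' "$1"/*.conf || true
}

# certonly_cmd MODE WEBROOT DOMAIN...: build a certbot command that only
# obtains the certificate (certonly => no installer step). MODE is "nginx"
# (authenticator plugin, temporary config change during the challenge) or
# "webroot" (challenge files dropped under WEBROOT, nginx untouched).
certonly_cmd() {
    mode="$1"; webroot="$2"; shift 2
    cmd="certbot certonly -a $mode"
    [ "$mode" = "webroot" ] && cmd="$cmd -w $webroot"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

count_managed_lines "$WORK/mail.example.test.conf"   # 3
count_managed_lines "$WORK/blog.example.test.conf"   # 0
managed_files "$WORK"
certonly_cmd nginx - mail.example.test blog.example.test
certonly_cmd webroot /var/www/letsencrypt mail.example.test blog.example.test
```

Run `managed_files /etc/nginx/sites-enabled` (or wherever your site files live) after any `certbot` run to confirm nothing was rewritten; pair the webroot command with a `--deploy-hook` that reloads nginx, since without the installer certbot will not do that for you.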

Hi @HLFH and welcome to the LE community forum :slight_smile:

Exactly who are you trying to keep that information from?
"Normal" people never look at SAN entries in a cert.
"OTHERS" look everywhere for such info - and all issued certs get registered in several places.
They won't need to look into your cert to know all the names that exist there.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.