Can't renew certificate nginx reverse-proxy

Excellent. Now let's add a deploy-hook so nginx will get reloaded when needed. The --nginx plugin did that automatically but --webroot does not.

Run this replacing RELOAD-CMD with whatever command you used to reload nginx. You will need quotes around the command.

sudo certbot reconfigure --cert-name cbe30c15fb7f.sn.mynetname.net --deploy-hook 'RELOAD-CMD'

Certbot will prompt whether to run the hook during --dry-run or not. Okay to choose "D" for Do not run. This reload hook is not needed for --dry-run, only for actual renewals.

4 Likes

And one more minor thing. In this server block you should un-comment the line for the IPv6 listen. You are listening for IPv6 on port 443, and it is best to be consistent.

You are not using IPv6 today, so it is not essential, but when you do, leaving it commented out here would cause peculiar problems.

    server {
        listen       80;
        #listen       [::]:80;    #  <--- uncomment this line
        #server_name  _;
        server_name  cbe30c15fb7f.sn.mynetname.net;
3 Likes
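The consistency point above (every port that has an IPv4 `listen` should also have a `[::]` listen, and vice versa) can be checked mechanically. The script below is an added example, not from this thread or from nginx/Certbot; it assumes a POSIX shell with awk, ignores commented-out lines such as `#listen [::]:80;`, and only understands the plain `listen PORT`, `listen ADDR:PORT` and `listen [::]:PORT` forms.

```shell
#!/bin/sh
# Added example: report ports in an nginx config whose IPv4 and IPv6
# "listen" directives are inconsistent. Not part of the original thread.

# Usage: listen_mismatch CONFIG_FILE
# Prints one line per inconsistent port; returns 0 if all consistent, 1 otherwise.
listen_mismatch() {
    awk '
        { sub(/#.*/, "") }              # drop comments (so "#listen [::]:80;" is ignored)
        $1 == "listen" {
            addr = $2
            sub(/;.*/, "", addr)        # "80;" -> "80"
            if (addr ~ /^\[::\]:/) {    # listen [::]:PORT
                sub(/^\[::\]:/, "", addr); v6[addr] = 1
            } else if (addr ~ /^[0-9]+$/) {            # listen PORT
                v4[addr] = 1
            } else if (addr ~ /^[0-9.]+:[0-9]+$/) {    # listen A.B.C.D:PORT
                sub(/.*:/, "", addr); v4[addr] = 1
            }
            ports[addr] = 1
        }
        END {
            bad = 0
            for (p in ports) {
                if ((p in v4) && !(p in v6)) {
                    printf "port %s: IPv4 listen without IPv6 [::] listen\n", p; bad = 1
                } else if ((p in v6) && !(p in v4)) {
                    printf "port %s: IPv6 listen without IPv4 listen\n", p; bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample mirroring the server block discussed in the thread.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
server {
    listen       80;
    #listen       [::]:80;
    listen       443 ssl;
    listen       [::]:443 ssl;
}
EOF
listen_mismatch "$cfg" || echo "-> make the listen directives consistent before enabling IPv6"
rm -f "$cfg"
```

Run it against `/etc/nginx/sites-enabled/*` after editing; a silent run with exit status 0 means every port is handled the same way for IPv4 and IPv6.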

Have I done everything right?

# sudo certbot reconfigure --cert-name cbe30c15fb7f.sn.mynetname.net --deploy-hook 'systemctl reload nginx'
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are attempting to set a --deploy-hook. Would you like Certbot to run deploy
hooks when it performs a dry run with the new settings? This will run all
relevant deploy hooks, including directory hooks, unless --no-directory-hooks is
set. This will use the current active certificate, and not the temporary test
certificate acquired during the dry run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)un deploy hooks/(D)o not run deploy hooks: D
Simulating renewal of an existing certificate for cbe30c15fb7f.sn.mynetname.net

Successfully updated configuration.
Changes will apply when the certificate renews.

Maybe it would be better to disable listening on IPv6 for 443?

Yes, the reconfigure looked perfect. You could disable the IPv6 listen on port 443 also. It is just best for both of them to be consistent in how they handle that. You can certainly add the listens once you do start supporting that.

I think you are all good. Any other concerns?

3 Likes

No, thank you so much again! You are the BEST!

2 Likes