Certbot-auto and renew

hello -

so far so good switching over to lets-encrypt.

i am thinking the best way for me to use lets-encrypt is to use certbot-auto instead of just certbot, and use:

certbot-auto --certonly;

option, and then manually edit httpd.conf to point to the correct files.

my question: when i run

certbot-auto --certonly renew;

in crontab, will this command replace the existing (expiring) cert files, or will it put the renewed certs with a different name or a different place?

if different name/place, i assume i will have to edit the httpd.conf file every time. true?

It will place them in the same place, as long as you don’t change the names on the certificate. However, it will not automatically apply them. Your web server must be reloaded in order to actually use the new certificate. What makes you believe certonly is the best way?

You would need to add a --post-hook or --renewal-hook to reload your web server to the initial command, which will then be applied when running renew as well. Note that --certonly is not necessary for renew - the same plugin used for issuance is used for renewal.

hi Jared - thank you for the fast response.

i thought that certonly was the best way because i already have existing certificates from comodo, and all of my virtual servers are in one file (i use virtualmin).

or will "certbot-auto;" also change the existing SSLCertificateFile, SSLCaCertificateFile, SSLCertificateKeyFile file name/locations?

what if my crontab does something like: "certbot-auto --certonly renew; systemctl restart httpd.service;"?

Hi @edwardsmarkf,

The correct command is certbot-auto certonly (not --certonly), and certonly is a separate action from renew (you can’t use both certonly and renew in the same command).

certonly means to obtain a certificate without installing it (that is, without editing your web server configuration files).

renew means to check whether any existing certificates are less than 30 days from expiry, and, if so, to attempt to obtain replacement certificates for those using the same authentication method that was originally used to obtain each one.

There is an alternative to certonly using --apache (which is short for run --apache, which is short for run -a apache -i apache). This also does the installation step, which indeed tries to edit your Apache configuration files to point Apache at the new certificates. certonly contrasts with that—it’s called “certonly” specifically because it doesn’t try to edit the web server configuration.

A difference that @jared.m alludes to is that if you use certonly when obtaining a certificate, certbot-auto renew doesn’t automatically restart your web server for you after renewing it. (By contrast, if you used --apache, it will do so.)
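Both answers come down to the same point: with certonly, the renewed files land in the same place, but nothing reloads Apache. The script below is an added example (not code from either reply or from the certbot project) of a hook that does that reload, and only when the chain file on disk actually differs from the last one recorded, so it is safe to attach to the renew command or to run from cron by hand. It assumes a state file under /var/lib/certbot-hook (a placeholder path) and the RENEWED_LINEAGE variable that certbot exports to a --deploy-hook; the reload command is the one the original poster mentioned, with restart swapped for reload.

```shell
#!/bin/sh
# Added example, not from the thread: reload Apache after a certonly renewal,
# but only when the certificate chain on disk has changed since the last reload.
#
# Assumptions (placeholders, adjust to your system):
#   STATE_FILE        - where the last-seen fingerprint is remembered
#   RENEWED_LINEAGE   - set by certbot for --deploy-hook to /etc/letsencrypt/live/<domain>

STATE_FILE="${STATE_FILE:-/var/lib/certbot-hook/last-fullchain.sha256}"

# fingerprint FILE -> prints the sha256 of FILE
fingerprint() { sha256sum "$1" | cut -d' ' -f1; }

# cert_changed CERT STATE -> succeeds when CERT's sha256 differs from the one in STATE
# (a missing STATE file counts as "changed", so the first run always reloads)
cert_changed() {
  cert="$1"; state="$2"
  new=$(fingerprint "$cert")
  old=""
  [ -f "$state" ] && old=$(cat "$state")
  [ "$new" != "$old" ]
}

# record_cert CERT STATE -> remember CERT's sha256 so the next run can compare
record_cert() { fingerprint "$1" > "$2"; }

# reload_if_renewed CERT STATE RELOAD_CMD
#   prints "reloaded" and records the fingerprint if the cert changed and RELOAD_CMD succeeded,
#   prints "unchanged" and does nothing otherwise; a failed reload leaves the old
#   fingerprint in place so the next run tries again
reload_if_renewed() {
  cert="$1"; state="$2"; reload="$3"
  if cert_changed "$cert" "$state"; then
    $reload || return 1
    record_cert "$cert" "$state"
    echo reloaded
  else
    echo unchanged
  fi
}

# Entry point when certbot invokes this script as a deploy hook.
if [ -n "$RENEWED_LINEAGE" ]; then
  mkdir -p "$(dirname "$STATE_FILE")"
  reload_if_renewed "$RENEWED_LINEAGE/fullchain.pem" "$STATE_FILE" "systemctl reload httpd.service"
fi
```

Attach it once at issuance, e.g. certbot-auto certonly --apache -d example.com --deploy-hook /usr/local/sbin/reload-httpd.sh (path is a placeholder), and certbot remembers it for later renew runs. Comparing fingerprints rather than always restarting keeps a cron job that runs renew twice a day from bouncing Apache needlessly, and a reload instead of a restart avoids dropping in-flight connections.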
