Certbot: Automatically reload nginx without updating my server config

My domain is: oppskrift.se

I ran this command: sudo certbot --cert-name oppskrift.se --expand -d oppskrift.se,www.oppskrift.se

It produced this output: Your existing certificate has been successfully renewed, and the new certificate has been installed.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is: VPS on hetzner

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0


I've made changes to my nginx server config that certbot overrides when it renews my certificate. Is it possible to configure certbot to still use the nginx plugin to get a new certificate, and to still have certbot reload nginx after renewal, but not let it make any permanent changes to my nginx config?

I've found the relevant /etc/letsencrypt/renewal/ config file, and I tried removing the installer = nginx line from it, but it keeps getting added right back in. So that didn't work.

I think using:

--authenticator nginx --installer null
[-a             nginx  -i         null]

Might do what you're asking.

3 Likes

Yes, as rg305 says or even just add certonly

sudo certbot certonly --nginx --cert-name oppskrift.se -d (domains)

But, is this what you are using to "renew"?

Because that uses the "run" command which gets fresh cert and sets renew profile. The difference is that renew will not make any updates to your nginx even when using --nginx plugin. Like:

sudo certbot renew
3 Likes
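The distinction above (the "run" command installs the certificate and rewrites server blocks, "certonly" and "renew" only use the nginx authenticator) is recorded in the per-certificate file under /etc/letsencrypt/renewal/. The following shell script is an added example, not code from the thread or from Certbot itself: it parses the [renewalparams] section of such a file and reports whether the next "certbot renew" will run the nginx installer. The two sample configs are constructed for illustration; the assumption that a certonly-style config carries either no installer line or "installer = None" is an assumption about Certbot's file format, and the function treats both the same way.

```bash
#!/usr/bin/env bash
# Added example: classify a certbot renewal config so you can confirm that
# "certbot renew" will not rewrite your nginx server blocks.
set -eu

# Print the value of KEY from the [renewalparams] section of a renewal conf
# read on stdin. Prints nothing if the key is absent. Lines look like
# "installer = nginx", so awk sees fields: key, "=", value.
renewal_param() {
  key="$1"
  awk -v k="$key" '
    /^\[/ { in_params = ($0 == "[renewalparams]"); next }
    in_params && $1 == k && $2 == "=" { print $3; exit }
  '
}

# Classify the conf text passed as $1:
#   installer - an installer plugin is set; renew may edit nginx config
#   certonly  - only an authenticator is set; renew obtains the cert and,
#               with the nginx authenticator, reloads nginx (per the thread)
#   unknown   - no authenticator found
# Assumption: a certonly-style conf has no installer line or "installer = None".
renewal_mode() {
  conf="$1"
  auth=$(printf '%s\n' "$conf" | renewal_param authenticator)
  inst=$(printf '%s\n' "$conf" | renewal_param installer)
  if [ -n "$inst" ] && [ "$inst" != "None" ]; then
    echo "installer"
  elif [ -n "$auth" ]; then
    echo "certonly"
  else
    echo "unknown"
  fi
}

# Constructed sample: what "certbot run --nginx" leaves behind.
RUN_CONF='version = 2.11.0
archive_dir = /etc/letsencrypt/archive/oppskrift.se
cert = /etc/letsencrypt/live/oppskrift.se/cert.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
'

# Constructed sample: what "certbot certonly --nginx" (or -a nginx -i null)
# is assumed to leave behind.
CERTONLY_CONF='version = 2.11.0
archive_dir = /etc/letsencrypt/archive/oppskrift.se
cert = /etc/letsencrypt/live/oppskrift.se/cert.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = nginx
installer = None
server = https://acme-v02.api.letsencrypt.org/directory
'

# Real-world usage would be:
#   renewal_mode "$(cat /etc/letsencrypt/renewal/oppskrift.se.conf)"
echo "run-style conf:      $(renewal_mode "$RUN_CONF")"
echo "certonly-style conf: $(renewal_mode "$CERTONLY_CONF")"
```

If the script reports "installer" for a certificate you manage by hand, re-issue it with certonly (or -a nginx -i null) as described above; "certbot renew --dry-run" against the staging environment then lets you confirm the reload behaviour without spending a production issuance.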

Thanks @rg305 and @MikeMcQ

I tried with -a nginx, but never while also adding -i null.

Because that uses the "run" command which gets fresh cert and sets renew profile. The difference is that renew will not make any updates to your nginx even when using --nginx plugin.

Ohh, I did not know they behaved differently. Thank you!

So when updating my certs (like what domains they apply to) I can use certonly. And when renewing, things should already work as I want :slight_smile: I'll force a renewal to make sure!

EDIT:
I just tried renewing by running the following command:

sudo certbot renew --cert-name oppskrift.se --force-renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/oppskrift.se.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for oppskrift.se and www.oppskrift.se
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded

It worked! My nginx config did not change. And the renew command printed out that it reloaded nginx for me. Awesome :smiley: Thanks again for the help :pray:

2 Likes

Yes to both

Best to do sudo certbot renew --dry-run

I didn't trust that a "proper" renewal wouldn't touch my nginx config files even if --dry-run didn't. So I went with an actual refresh. I updated my previous post with some additional info :slight_smile:

Okay but beware you are now at the weekly rate limit for certs with that set of domain names. You got your weekly limit in one day :slight_smile:

https://tools.letsdebug.net/cert-search?m=domain&q=oppskrift.se&d=168

It is best to use the Staging environment when testing. I realize sometimes you want to use production as a "final" but keep this rate limit in mind.

3 Likes

Now, just pick a post as "the solution".

1 Like

Already did a few hours ago :slight_smile:
Thanks for your help in this thread @rg305

Oops :grimacing: :sweat_smile:

Thanks for the Let's Debug Toolkit link. I did not know something like that existed. I'm sure that'll come in handy in the future too!

2 Likes
