Hello,
I am about to setup a new server with an existing domain which is currently still hosted on the old one. After installing nginx and certbot I would like to let certbot modify the nginx config so that ssl is enabled and certificates are included. But as there is no domain on this server I cannot retreive one yet. Is there a way to let certbot modify the nginx config without a certificate?
Thank you!
What are you hoping Certbot can do with your nginx config before it has a cert?
Certbot won't be able to get a cert if the DNS for that domain does not point to that server. Can you temporarily change the DNS to the new server to get the cert. And, then set it back to your original until you are ready? Or add a subdomain to your existing domain (ex: newtest.example.com) and point that to your new server. Get a cert for that subdomain on your new server for testing.
Another option is to modify nginx manually to use a self-signed cert for testing. Either use your existing nginx as a guide. Or, perhaps: Mozilla SSL Configuration Generator
Does that help?
It would be fine if I would get a dummy cert, I just would like to know what changes certbot will do to the config when executing it.
I changed the DNS to point to my new server and received a cert for the main domain and immediately changed the DNS back. So the changes were added to the conf. After completing the config with all subdomains I changed the DNS to the new server again and was able to get a new wildcart cert for it.
Certbot does not make a "dummy" cert. It can get a cert from Let's Encrypt Staging system for testing but you still have to satisfy the same challenge as a production cert.
Whether Certbot updates your nginx config depends on the options you choose:
Using --webroot method does not change the config
Using --nginx with certonly option only changes the config temporarily
Using --nginx by itself will make temp and permanent changes to your nginx
If you don't want it to make any permanent changes just use one of the first two methods. For --webroot we usually recommend also adding --deploy-hook to reload nginx each time Certbot gets a fresh cert (like for renewal).
The permanent changes made by --nginx by itself involve creating a server block for HTTPS on port 443 with the certificate settings and, by default, modifying the port 80 server block to redirect to HTTPS. To see all the changes it is best to setup a test subdomain and get a production cert for it and review nginx before and after.
Certbot's HTTPS configuration is based on this guide: Mozilla SSL Configuration Generator
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.