Does combining parameters certonly and ---nginx prevent changes to my nginx configuration?

Meteor0id · February 25, 2019, 3:24pm

Up until recently I have not made use of the nginx plugin. I was advised we don’t need that plugin and it is best practice not to have another app (certbot) modify our nginx configuration in any way.

However, nginx was not reloading whenever the certificate was renewed, so it kept serving the old certificate from cache.

I wonder, what happens if I do specify to use --nginx, but also include certonly?
sudo certbot certonly --nginx --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple --rsa-key-size 3072 -a webroot --webroot-path=/srv/webroot/examplecom -d example.com -d www.example.com

Will this trigger nginx to reload, but not touch nginx in any other way?

And I also wonder what might be the difference between --nginx and -i nginx.

My domain is:
[not relevant and withholding because I rather not be know as the webmaster for that domain]

I am wondering if I should run this command:
sudo certbot certonly --nginx --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple --rsa-key-size 3072 -a webroot --webroot-path=/srv/webroot/examplecom -d example.com -d www.example.com

My web server is (include version):
nginx 1.14.12

The operating system my web server runs on is (include version):
Debian 9.8

My hosting provider, if applicable, is:
irrelevant

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.10.2

mnordhoff · February 25, 2019, 3:42pm

You shouldn’t use certbot certonly --nginx.

You should add --renew-hook "service nginx reload" or similar to your command.

(For posterity, with newer versions of Certbot, --renew-hook should be replaced with the similar --deploy-hook option.)

Certbot uses plugins for two different things:

Authenticators, specified with --authenticator or -a. They’re used so that Let’s Encrypt can perform the validation. The Nginx authenticator temporarily modifies the Nginx configuration to pass the challenge, and reloads it (twice!), but doesn’t make any changes to the permanent certificate configuration.
Installers, specified with --installer or -i, used to a configure a server to support HTTPS and use a certificate. When creating a certificate, the Nginx installer adds an HTTPS virtual host configured to use the new certificate (and reloads Nginx). When renewing, it just reloads Nginx.

When you specify e.g. --nginx, it uses the nginx plugin for both functions.

When you use certonly --nginx, the installer is ignored and it doesn’t perform any installation steps. Nginx will get reloaded as a side effect of the authentication step, before the new certificate is issued, but not after.

Moreover, in Certbot 0.10.2, the Nginx authenticator only supports the TLS-SNI-01 challenge type, which is being phased out and will be disabled soon. (Newer versions of Certbot support HTTP-01.) Soon you will have to upgrade, or use a different authenticator, like webroot.

FYI, you can get a newer version of Certbot from stretch-backports.

Meteor0id · February 25, 2019, 5:48pm

Are you saying that on newer versions of certbot I should not use --renewal-hook "service nginx reload" but instead use --deploy-hook "service nginx reload" ? Why might that matter?

So in my case (when I don't want certbot to modify nginx in any way, but I do want nginx to reload on renwal) I would be best of running sudo certbot certonly --renew-hook "service nginx reload" --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple --rsa-key-size 3072 -a webroot --webroot-path=/srv/webroot/examplecom -d example.com -d www.example.com, correct?

Meteor0id · February 25, 2019, 6:50pm

I ran sudo certbot certonly --renew-hook "service nginx reload" --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple --rsa-key-size 3072 -a webroot --webroot-path=/srv/webroot/examplecom -d example.com -d www.example.com, and then tested if it would renew using sudo certbot renew --force-renewal --cert-name example.com

Part of the output reads Running deploy-hook command: service nginx reload and a line down New certificate deployed without reload

But why without reload?
Checking the live server I do indeed see that the web-server was not reloaded.

system · March 27, 2019, 6:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.