How the command renew affect the nginx's .conf file?


#1

Just, how the command renew affect the nginx’s .conf file?

Does it edit it in any particular way? If it does, where? And how to overlook this if possible?


#2

Hi

It depends on what authenticator you choose…

Overall, the renew normally would make no major changes. Or revert the changes after successfully renew the certificate.

But it would try to reload Nginx after certificates update.

Thank you


#3

What do you mean by ‘validator’?

Also, is there a wiki for this depending on authenticator?

I would like to make an elaborated answer on why we should use renew instead of doing this every time:

sudo certbot --nginx certonly

sudo service nginx restart

I wouldnt like if the command renew actually overwrites something from a production server?

Would you recommend something specific for my case?


#4

Hi,

If you run certbot and request a certificate, you would need to install a certificate everytime you obtained it (or go through interactive prompts to request and install the certificate, which is a disaster when using cronjob as it will never get a new one successfully without user inputs), if you use renew, it could be done with cronjob and (most of the times) automatically apply to your server (if you installed it successfully) so you won’t need to take action and rest assured your certificate will be renewed automatically.

Also, if you hit the rate limit on Let’s Encrypt, you’ll still be able to renew the certificate (despite the rate-limit).

Thank you


#5

I’d like to clarify a couple of things:

  • certbot renew does not normally make any permanent changes to web server configurations.

  • It might make temporary changes if you obtained the certificate with --nginx, because this method does modify your web server configuration temporarily to prove your control over domain names. These changes are reverted immediately once the new certificate has been issued.

  • @stevenzhu’s answer is right in one way but might be a little confusing. If you renew either with certbot certonly or certbot renew, any existing web server configuration that points to /etc/letsencrypt/live will still continue to exist and will then automatically refer to the new certificates rather than the old ones. However, a web server may need to be reloaded in order to notice that the certificates on disk have changed. This does occur automatically after the renewal in some cases with certbot renew, depending on how you originally installed the certificate.

  • Rate limits for renewals are not treated differently when you use certbot certonly or certbot renew.

To try to answer @chrisoname’s question from my own perspective:

I can think of several reasons.

  • If you have more than one certificate, certbot renew will renew all of those that are near expiry. Some people have dozens or hundreds of certificates on one server.

  • certbot renew is suitable for unattended, noninteractive use from cron. In many cases certbot certonly --nginx might require human interaction.

  • certbot renew can, depending on the certificate installation method, reload your web server after renewals so that the new certificates are used by the web server (and refrain from reloading your web server when no renewal has occurred).


#6

This was an excellent explanation on how it differentiates from certonly.

Thank you very much.


#7

Thank you for the reply!


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.