How to migrate manually setup letsencrypt to either nginx or CNAME challenge?


#1

Hi,

I have an existing configuration. I would like to change this to run with the nginx letsencrypt plugin, or perhaps use the CNAME challenge _acme-challenge.webmail.example.co.uk

Why? I had created the certs manually but this failed when trying to renew via cron.

I moved from Apache to nginx, so nginx is pretty new to me.

I want to keep my existing certificates and directory configuration as specified in the *.conf files below.

Prerequisite: The webroot directories are mounted read-only. Does the nginx config need a writeable directory? I can create the files once if needed and re-mount read-only.

I have these files configured:

% cat /etc/letsencrypt/renewal/webmail.example.co.uk.conf
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/webmail.example.co.uk
cert = /etc/letsencrypt/live/webmail.example.co.uk/cert.pem
privkey = /etc/letsencrypt/live/webmail.example.co.uk/privkey.pem
chain = /etc/letsencrypt/live/webmail.example.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/webmail.example.co.uk/fullchain.pem

[renewalparams]
account = xxxxxxxxxxxxx
manual_public_ip_logging_ok = True
authenticator = manual
rsa_key_size = 4096
installer = None
pref_challs = dns-01,

% cat /etc/letsencrypt/renewal/mx10.example.co.uk.conf
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/mx10.example.co.uk
cert = /etc/letsencrypt/live/mx10.example.co.uk/cert.pem
privkey = /etc/letsencrypt/live/mx10.example.co.uk/privkey.pem
chain = /etc/letsencrypt/live/mx10.example.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/mx10.example.co.uk/fullchain.pem

[renewalparams]
authenticator = standalone
installer = None
account = xxxxxxxxxxxx
rsa_key_size = 4096
allow_subset_of_names = True

Current cron settings are:

10 0 * * 2 /usr/bin/letsencrypt renew

Is there a simple way to do this by just editing files?

(Unless this will work?

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

)

Best regards, Soph.


#2

If you want to use the --nginx plugin, then yes.

Ditto with the webroot authenticator. Although it does not require write access to /etc/nginx, it does require write access to the directory which serves requests for http://${domain}/.well-known/acme-challenge/.

If you want to keep with fully read-only nginx configuration and webroot, I can suggest the following:

  1. Use the standalone authenticator on an alternate port: --authenticator standalone --http-01-port 8123
  2. Tell nginx to serve the domain control validation challenge via proxy (shown below).
  3. Run Certbot in certonly mode and reload nginx at the conclusion of renewals in order to reload the certificates from disk into nginx.

nginx configuration:

location /.well-known/acme-challenge/ {
    proxy_pass http://localhost:8123;
}

Certbot invocation:

certbot certonly --authenticator standalone \
--http-01-port 8123  \
--post-hook "service nginx reload" \
-d my.domain.example.org

You can also use the same kind of approach if you wish to use the DNS challenge (which is TXT not CNAME).
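The file edit the question asks about, as an added example that is not from this thread: a small Python script that rewrites a certbot renewal conf like the ones above from the manual or standalone setup to standalone HTTP-01 on port 8123 (behind the nginx proxy_pass) with an nginx reload post-hook. It assumes the renewalparams key names `http01_port` and `post_hook` (what certbot writes for `--http-01-port` and `--post-hook`); the sample conf is constructed from the webmail.example.co.uk file in the question.

```python
import re
import sys

# Constructed sample, modelled on the webmail.example.co.uk conf in the question.
SAMPLE = """\
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/webmail.example.co.uk

[renewalparams]
account = xxxxxxxxxxxxx
manual_public_ip_logging_ok = True
authenticator = manual
rsa_key_size = 4096
installer = None
pref_challs = dns-01,
"""
# Only meaningful for the manual authenticator; dropped on migration.
MANUAL_ONLY_KEYS = {"manual_public_ip_logging_ok"}

def parse_renewal_conf(text):
    """Parse a certbot renewal conf: bare 'key = value' lines, then [renewalparams]."""
    top, params, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        key, _, value = line.partition("=")
        if section == "renewalparams":
            params[key.strip()] = value.strip()
        elif section is None:
            top.append((key.strip(), value.strip()))
    return top, params

def migrate(text, port=8123, post_hook="service nginx reload"):
    """Rewrite the conf for standalone HTTP-01 on an alternate port plus an nginx reload."""
    top, params = parse_renewal_conf(text)
    params = {k: v for k, v in params.items() if k not in MANUAL_ONLY_KEYS}
    params["authenticator"] = "standalone"
    params["installer"] = "None"        # certonly: nginx only reloads certs from disk
    params["pref_challs"] = "http-01,"  # standalone cannot satisfy the dns-01 preference
    params["http01_port"] = str(port)   # assumed key name for --http-01-port
    params["post_hook"] = post_hook     # assumed key name for --post-hook
    out = [f"{k} = {v}" for k, v in top] + ["", "[renewalparams]"]
    out += [f"{k} = {v}" for k, v in sorted(params.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # python migrate_renewal.py [/etc/letsencrypt/renewal/NAME.conf]; prints the new conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(migrate(text))
```

Write the output over the original conf only after checking it with `certbot renew --dry-run`, which exercises the proxy path through nginx without issuing real certificates.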
