How to overwrite existing certificates to use on different websites?

Hi all,

I’m on CentOS 8.1 running nginx version: nginx/1.18.0 and a few weeks ago I’d generated a certificate for several domains, as a result certbot modified all my nginx files and the sites would be ssl certified, so far so good.

Thing is, I’ve realized I’d like to add a staging box so I can test all these sites locally (vagrant boxes) and I’d like to recreate again properly the certificates so they’ll be using https as well locally… I’ve thought one possible way to do this would be to modify all my nginx server blocks to manually get rid of all the certbot metadata and once all of them would work ok locally I’ll reupload to the server all these nginx configs and I’d run certbot again… probably this is not the right way to do this.

So, summing up, if you’ve got existing certbot certificates in your server and you overwrite all the existing nginx config files with a different set of domain names (local & remote ones), how would you proceed to authenticate all of them with certbot invalidating the previous certificates?

Does what I’m trying to accomplish here make sense? Sorry but I’m a bit of a newbie in this area :slight_smile:

Thanks in advance!

Having difficulty…
processing…

Not understanding.

Certificates are not tied to any web service.
They can be renewed completely independent of, or even without, a web server.
Certificates are stored outside of /etc/nginx folder.
Uploading/updating the nginx config should have no “effect” on any cert status.
The nginx config, however, may rely on having a cert to properly secure a web site.
Simply copying an nginx web config from one server to another, without also copying the required certs, will cause that server to fail nginx config tests and not be able to secure that web site.

Does any of that help?
If you still have questions, please reply and elaborate on them.

Sorry,

I understand you’re having difficulty understanding my question as probably my initial explanation was just too bad :slight_smile:

Ok, let me try again, let’s say I want to remove the existing certificates generated by certbot on a server and generate new ones for a new set of domains, what’d be the right way to do that with certbot?

The goal would be, once I’ve generated these new certificates on the production server, I’d copy them into the staging box and then I’d be able to use ssl on the staging box straightaway (local vagrant box).

I hope this makes more sense now… If it doesn’t, please just let me know and tomorrow I’ll try to post more relevant info about it.

Thanks.

certbot delete --cert-name ABC.XYZ

You can see what certs are left with:
certbot certificates

Hi @BPL

that’s always wrong.

If you remove / delete certificates that are in use, you break your webserver.

Create new certificates, replace the existing certificates - then use the new certificates on your second place.

And ignore the older ones, they are only valid for 90 days.
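
A way to check the "in use" condition from the post above before running `certbot delete`, as an added example that is not part of the thread. The function names are hypothetical, and the default paths `/etc/nginx` and `/etc/letsencrypt/live` are assumptions about a standard certbot and nginx layout.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are the usual certbot/nginx
# defaults and are assumptions; override them with arguments 2 and 3.

# cert_refs NAME [CONF_DIR] [LIVE_DIR]
# Print every active nginx directive that loads a file from the certbot
# lineage NAME, as "file:line: directive path".
cert_refs() {
    name=$1
    conf_dir=${2:-/etc/nginx}
    live_dir=${3:-/etc/letsencrypt/live}
    find "$conf_dir" -type f -exec awk -v p="$live_dir/$name/" '
        /^[[:space:]]*#/ { next }            # commented-out directive
        $1 ~ /^ssl_(certificate|certificate_key|trusted_certificate)$/ {
            i = index($2, p)                 # fixed-string match, no regex
            if (i == 1 || i == 2)            # 2 allows a leading quote
                print FILENAME ":" FNR ": " $1 " " $2
        }' {} +
}

# delete_if_unused NAME [CONF_DIR] [LIVE_DIR]
# Dry run: prints the certbot command only when nothing references NAME.
delete_if_unused() {
    refs=$(cert_refs "$@")
    if [ -n "$refs" ]; then
        printf 'refusing, %s is still referenced:\n%s\n' "$1" "$refs" >&2
        return 1
    fi
    printf 'certbot delete --cert-name %s\n' "$1"
}
```

The scan only covers files under the directory it is given, so configuration included from elsewhere has to be passed in separately.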

@JuergenAuer Hi, so if I’ve understood correctly the suggestion of using certbot delete --cert-name ABC.XYZ is not good?

Could you please post the necessary commands to do so? Also, could I do this on the staging box and then copy the whole /etc/letsencrypt folder to production… or should I do it directly in production and copy back to staging? Or… doesn’t it really matter what the location is where you’ll generate your certificates and what only matters will be the domain names after all?

Thanks in advance, I haven’t run certbot yet as I’d like to be 100% sure what’s the right approach for not screwing up anything :wink:
