I have some enabled certs on my server that are currently working.
Today I have tried to add a subdomain and certify it on my server. I ran: sudo certbot certonly --expand -d blog.newsite.io and went through the required steps.
Everything output ‘success’; however, when I view my site it is still not protected.
I have tried to run certbot certificates to see which are active/inactive, but it says that certificates is an unrecognized argument, which makes me think I need to update my version.
My current certbot --version is: 0.9.3
Will updating remove or affect my current configurations on my server?
Note that certbot certonly obtains a certificate but doesn’t install it. So when you use this command you need to manually configure your nginx to use the certificate you just obtained, and reload it afterwards (and after renewal as well).
Also, I think you need to specify the existing domains as well as the new domain, if you want to expand an existing certificate. Just specifying the new domain will give you a new certificate. (I guess that would be obvious if you were using a version of certbot that supported certbot certificates)
Sorry, I don’t know much about running certbot on CentOS; maybe someone else can help with that. But: which version of CentOS are you using? And have you tried the instructions on https://certbot.eff.org/ for nginx on your version of CentOS?
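The manual path described in the reply above (expand the certificate with every name, point nginx at the files certbot wrote, validate and reload), as an added example that is not from the thread or from certbot's own documentation. It assumes nginx reads /etc/nginx/conf.d/*.conf, that the existing lineage is named example.net with the names example.net and www.example.net on it, and a document root under /var/www; those are assumptions, as is the APPLY guard, which keeps the script from touching the system unless you ask it to.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: nginx on CentOS with
# /etc/nginx/conf.d/*.conf, an existing lineage /etc/letsencrypt/live/example.net
# carrying example.net and www.example.net, and the new host blog.newdomain.io.
# Nothing here touches the system unless APPLY=1 is set in the environment.
set -eu

CERT_NAME="example.net"                       # lineage: /etc/letsencrypt/live/$CERT_NAME
NEW_HOST="blog.newdomain.io"
EXISTING_HOSTS="example.net www.example.net"  # assumed names already on the cert

# --expand must list every name that should stay on the certificate plus the new
# one; passing only the new name makes certbot issue a separate lineage instead.
expand_cmd() {
  args=""
  for h in $EXISTING_HOSTS $NEW_HOST; do
    args="$args -d $h"
  done
  printf 'certbot certonly --expand%s' "$args"
}

# Render the nginx site: plain HTTP on 80 that only redirects, TLS on 443 using
# the files certbot obtained. The tls flag goes on the listen line; the old
# standalone directive for enabling TLS is deprecated and must not be used here.
render_site() {
  cert_dir="/etc/letsencrypt/live/$CERT_NAME"
  cat <<EOF
server {
    listen 80;
    server_name $NEW_HOST;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $NEW_HOST;
    ssl_certificate     $cert_dir/fullchain.pem;
    ssl_certificate_key $cert_dir/privkey.pem;
    root /var/www/$NEW_HOST;   # assumed document root
}
EOF
}

# Write the site file, then validate before reloading: a reload with a broken
# config is refused by nginx, and "nginx -t" shows the reason.
install_site() {
  conf="/etc/nginx/conf.d/$NEW_HOST.conf"
  render_site > "$conf"
  nginx -t
  systemctl reload nginx
}

if [ "${APPLY:-0}" = "1" ]; then
  echo "Run this first (interactive): $(expand_cmd)"
  install_site
fi
```

Run `APPLY=1 sh install-site.sh` only after the expand command has succeeded, and check `certbot certificates` shows blog.newdomain.io on the example.net lineage before pointing nginx at it.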
Are you sure that's correct? I think this would end up with you enabling https on port 80 as well as 443. Not sure if that's the problem but I can imagine that it might possibly confuse certbot when it's trying to figure out what file to update. Normally you would have a separate server block for port 80 where you would redirect to https.
(I'm just guessing though, I'm not familiar with nginx config syntax so I may be wrong about that)
You're right. It depends on whether those snippets files contain "ssl on;", but it's going to run the same protocol on ports 80 and 443, either HTTP or HTTPS.
("ssl on;" is deprecated and you're supposed to use e.g. "listen 80; listen 443 ssl;" which will do the right thing.)
I'm not sure how confused Certbot would get; it might work, or fail to reconfigure, or reconfigure in a syntactically valid way but fail the challenge with a weird error if port 443 is doing HTTP.
Edit: On second thought, everything mayyy work fine if the default virtual host is configured correctly.
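A small check for the configuration mistake the two replies above describe (a server block with the deprecated "ssl on;" that also listens on port 80, so both ports speak the same protocol), as an added example that is not from the thread. The two sample server blocks are constructed for the example, and the sed rewrite only handles the plain "listen 443;" form.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags a server block that combines
# the deprecated "ssl on;" with a listen on port 80 (both ports then run TLS),
# and rewrites it to the supported "listen 443 ssl;" form.
set -eu

# check_block FILE: prints "bad" when FILE has "ssl on;" together with a
# listen on port 80 (with or without an address prefix), "ok" otherwise.
check_block() {
  f="$1"
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f" &&
     grep -Eq '^[[:space:]]*listen[[:space:]]+(.*:)?80([[:space:]]|;)' "$f"; then
    echo bad
  else
    echo ok
  fi
}

# fix_block FILE: drops "ssl on;" and moves TLS onto the 443 listen line.
# Only the "listen 443;" / "listen [::]:443;" forms are handled; an address
# with digits in it (127.0.0.1:443) is left alone on purpose.
fix_block() {
  sed -e '/^[[:space:]]*ssl[[:space:]]*on[[:space:]]*;/d' \
      -e 's/^\([[:space:]]*listen[[:space:]]*[^;0-9]*443\)[[:space:]]*;/\1 ssl;/' "$1"
}

# Constructed samples: the mistaken block and the separate-server-block layout.
tmp="$(mktemp -d)"
BAD_CONF="$tmp/bad.conf"
GOOD_CONF="$tmp/good.conf"
cat > "$BAD_CONF" <<'EOF'
server {
    listen 80;
    listen 443;
    ssl on;
    server_name blog.newdomain.io;
}
EOF
cat > "$GOOD_CONF" <<'EOF'
server {
    listen 80;
    server_name blog.newdomain.io;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name blog.newdomain.io;
}
EOF

echo "bad.conf:  $(check_block "$BAD_CONF")"
echo "good.conf: $(check_block "$GOOD_CONF")"
```

Point check_block at the real snippets files to see whether "ssl on;" is what makes port 80 speak TLS; the fixed block still needs its own port 80 server block that redirects, as in good.conf.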
Hmm, that’s beyond my nginx knowledge then I’m afraid, maybe the nginx experts here can help.
However you should at least be able to run certbot certificates now, and see what you’ve got already. If you have a valid cert from a previous run it may just be a matter of configuring nginx to use it.
@jmorahan ah, I see, no worries. Thanks for your help so far.
And yes! It does work. This is what it returns; maybe this will even be clearer to you.
Note: all domains with example are currently working. newdomain is working as well, but the subdomain blog.newdomain.io is the one that is not working and that I am trying to add.
It seems you already have two certificates that are valid for blog.newdomain.io - the certificates named blog.newdomain.io and example.net. So to get it initially working, you may just need to configure nginx to use one of those - if you could get certbot --nginx working, it should do that automatically for you, but you can also do it manually if you know how. In that case you may also need to configure certbot to reload nginx after a successful renewal, which you can do by placing a script to reload it in /etc/letsencrypt/renewal-hooks/deploy/.
Getting certbot --nginx working would probably be better, but I’m not sure how to help you with that at this point (but maybe someone else can).
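A deploy hook of the kind the reply above suggests placing in /etc/letsencrypt/renewal-hooks/deploy/, as an added example that is not from the thread. Certbot runs every executable script in that directory after a successful renewal and exports RENEWED_LINEAGE (the renewed /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS; the "reload only if nginx references this lineage" check, the nginx config directory and the reload command are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Install as an executable file, e.g.
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh. Certbot sets
# RENEWED_LINEAGE and RENEWED_DOMAINS when it runs deploy hooks; when they are
# absent (run by hand, or under test) the script defines its functions and exits.
set -eu

NGINX_CONF_DIR="${NGINX_CONF_DIR:-/etc/nginx}"   # assumed location

# nginx_uses_lineage LINEAGE CONF_DIR: true when some nginx config under
# CONF_DIR references LINEAGE/fullchain.pem. Renewing a lineage nginx does
# not serve (a leftover blog.newdomain.io lineage, say) then needs no reload.
nginx_uses_lineage() {
  grep -rqF -- "$1/fullchain.pem" "$2"
}

# reload_nginx: validate first so a broken config shows a readable error in
# the certbot log instead of a silent failed reload.
reload_nginx() {
  nginx -t && systemctl reload nginx
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
  if nginx_uses_lineage "$RENEWED_LINEAGE" "$NGINX_CONF_DIR"; then
    echo "deploy hook: ${RENEWED_DOMAINS:-?} renewed, reloading nginx"
    reload_nginx
  else
    echo "deploy hook: $RENEWED_LINEAGE is not referenced by nginx, nothing to do"
  fi
fi
```

Test the hook before relying on it with `certbot renew --dry-run`, which runs deploy hooks against the staging certificates, and check that nginx is serving the renewed certificate afterwards with `openssl s_client -connect blog.newdomain.io:443 -servername blog.newdomain.io`.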