Our infrastructure is managed by Ansible (including the nginx site configuration, which is generated from templates).
Currently we generate Let's Encrypt certificates with the certbot command automatically every 3 months, but we have ~1 minute of downtime (we have to stop nginx so that certbot standalone can bind to port 80).
How can Let's Encrypt + nginx integration for auto-renewal be done?
I find Certbot’s “modifies the config” characteristic unsuitable for configuration management as well, but you can use it in certonly mode to avoid that.
How I approach it is like this:
1. Have Ansible generate a self-signed certificate / keypair (for when the server is being bootstrapped), and point some symlinks at them for the webserver to use.
2. Have Ansible configure the web server initially to proxy requests for /.well-known/acme-challenge to another port (in my case since I use acmetool, I send it to port 402).
3. Have Ansible invoke the ACME client in its standalone mode (so it binds to port 402 or whatever), and the certificate should be successfully issued. This action should be idempotent (should do nothing if the certificate exists and is not expiring).
4. Once step 3 is complete, have Ansible update the symlinks to the production certificate and reload the web server.
At this stage, we have a web server configured with a live certificate and the ACME client’s cronjob takes care of the rest without disrupting the web server.
It’s not the most elegant thing ever but I set it up this way a few years ago and it’s yet to fail me.
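The four steps above as one Ansible playbook, added here as an illustration rather than the answer's own code. It swaps the answer's acmetool for certbot in standalone mode listening on port 402 (certbot's `--http-01-port` flag), since that is what the question is using; the domain, e-mail address, `/etc/ssl/selfsigned` and `/etc/ssl/live` paths, the 30-day bootstrap certificate lifetime, and the certbot output string matched in `changed_when` are all assumptions:

```yaml
# Added example, not the answer's own playbook. Assumes a Debian-style nginx layout,
# certbot installed, and certbot standalone on port 402 in place of acmetool.
- hosts: webservers
  become: true
  vars:
    domain: example.com                    # assumption
    acme_email: hostmaster@example.com     # assumption
    acme_port: 402                         # any free high port works
    selfsigned_dir: /etc/ssl/selfsigned    # assumption
    live_dir: /etc/ssl/live                # the paths nginx actually reads (assumption)
    certbot_live: "/etc/letsencrypt/live/{{ domain }}"

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded

  tasks:
    # Step 1: bootstrap keypair so nginx can start with TLS before any ACME cert exists
    - name: Create certificate directories
      file:
        path: "{{ item }}"
        state: directory
        mode: "0755"
      loop: ["{{ selfsigned_dir }}", "{{ live_dir }}"]

    - name: Generate self-signed bootstrap keypair (only if absent)
      command: >
        openssl req -x509 -nodes -newkey rsa:2048 -days 30
        -keyout {{ selfsigned_dir }}/privkey.pem
        -out {{ selfsigned_dir }}/fullchain.pem
        -subj "/CN={{ domain }}"
      args:
        creates: "{{ selfsigned_dir }}/fullchain.pem"

    - name: Check whether the live symlinks already exist
      stat:
        path: "{{ live_dir }}/fullchain.pem"
      register: live_chain

    - name: Point live symlinks at the self-signed pair on first run only
      file:
        src: "{{ selfsigned_dir }}/{{ item }}"
        dest: "{{ live_dir }}/{{ item }}"
        state: link
      loop: [fullchain.pem, privkey.pem]
      when: not live_chain.stat.exists

    # Step 2: nginx serves HTTPS from the symlinks and proxies challenges to the ACME client
    - name: Install site configuration
      copy:
        dest: "/etc/nginx/sites-enabled/{{ domain }}"
        content: |
          server {
              listen 80;
              server_name {{ domain }};
              location /.well-known/acme-challenge/ {
                  proxy_pass http://127.0.0.1:{{ acme_port }};
              }
              location / { return 301 https://$host$request_uri; }
          }
          server {
              listen 443 ssl;
              server_name {{ domain }};
              ssl_certificate     {{ live_dir }}/fullchain.pem;
              ssl_certificate_key {{ live_dir }}/privkey.pem;
              # application locations go here
          }
      notify: reload nginx

    - name: Make sure nginx is up with the proxy rule before validation
      service:
        name: nginx
        state: started
    - meta: flush_handlers

    # Step 3: issue the certificate without touching port 80; a no-op if not yet due
    - name: Obtain or keep the production certificate
      command: >
        certbot certonly --standalone --non-interactive --agree-tos
        --email {{ acme_email }} -d {{ domain }}
        --http-01-port {{ acme_port }} --keep-until-expiring
        --deploy-hook "systemctl reload nginx"
      register: certbot_run
      # assumption: certbot's "not yet due for renewal" message marks the no-op case
      changed_when: "'not yet due for renewal' not in certbot_run.stdout"

    # Step 4: switch to the production cert; changes (and reloads nginx) only once
    - name: Switch live symlinks to the certbot-managed certificate
      file:
        src: "{{ certbot_live }}/{{ item }}"
        dest: "{{ live_dir }}/{{ item }}"
        state: link
      loop: [fullchain.pem, privkey.pem]
      notify: reload nginx
```

After the first run, certbot's packaged renewal timer (or cron job) takes over; it re-runs the standalone authenticator on the saved port and fires the saved deploy hook, so nginx is reloaded rather than stopped. Before trusting the timer, check that `/etc/letsencrypt/renewal/<domain>.conf` records `authenticator = standalone`, the http-01 port and the deploy hook. Port 402 only needs to be reachable from nginx on the same host, so keep it firewalled from the outside.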
If you use “certbot certonly --nginx”, Certbot modifies the Nginx configuration momentarily for the validation, but it doesn’t make any permanent changes. That shouldn’t be an issue, if you want to go that route.