Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: sainiville.com
I started using letsencrypt many years ago and had a certificate from them for sometime. However, now I have a need to bring down the VM that was used to run cerbot to create/renew my certs for many years. I would like to move the certs generation/renewal process to a docker-certbot container. But I would like to re-create the certs. Is it ok to start over for the same server certificate? Since there is an existing server cert, how will this process work?
I know I can probably change the conf file and remap the existing certs to a container structure manually reworking the path etc. However, it would be easier/cleaner to restart from scratch. So my question really is can I request a new cert for the same domain/server even though my existing cert hasn't expired? Is there a way to do this?
Thank you for your help!
yes you can get a new cert even if it's not expired (up to 5/week) buy I don't think docker is right place for certbot is for- at least give it permanent storage, otherwise you will hit rate limit fast.
Yes you can use new certs for your new setup. There is nothing wrong with that. Backup your existing LE folder and sub-folders just in case you need them. I would also backup everything!!! but especially the virtual host files that contain the certificate configurations.... That said, I wouldn't advise trying to restore your entire cert history on the new container. Start fresh and clean. Back it all up and good luck!
Once you have verified everything is working as expected back up the new configs, and rid yourself of the old configurations.
So I am not a docker expert. Your comments about permanent storage are well taken. Back it all up locally.
I'm not a docker expert too, but isn't it simply possible to volume map the external
/etc/letsencrypt to internal
/etc/letsencrypt, so that the docker Certbot simply uses the existing stuff?
Not sure I would recommend docker though.. It can't make use of the webserver plugins for example, so you'd need to switch to the webroot plugin.
Thanks to everyone who responded.
My question wasn't on Docker. I know how to volume mount the letsencrypt directories into Docker. I have another site with certs from letsencrypt which uses Docker certbot from the very beginning. It works well with no issues. I can move the volumes that I mount to a different host and move directories around without any issues as the volumes are mounted to the same path in the container everytime. The problem moving from a host based cerbot to a Docker based is there is a "conf" file which has all your directory mapping and those are currently mapped to the host directories. Unfortunately, when I started with letsencrypt many years ago the certs were generated into a user directory deep into the home path. When mounted to Docker I will have to change the conf file to update the paths etc. It can be done but seems like a pain to me.
So the question really was can I get a new cert for the same server and start over. Clearly, I can wait for the cert to expire and then start over! But I would like to get a new cert while the older one was still valid and then move to the new cert and abandon the older cert. I have never asked for a new cert while the old was still valid so was asking the community if that would work and if there are any limitations that I should be aware of?
Thanks again for everyone's input!
Thanks, I think the answer then is "Yes I can get a new cert up to 5 week before the older one expires"!
The answer is more completely that you could get a new cert immediately at any time as long as you don't exceed your five per week limit
Normally reissuing so early is bad practice but certainly in cases like this it is perfectly fine
Mike thanks for that.
Just to be clear, I am technically NOT "renewing", but getting a new cert for same "HOST/CN"!
Well, renewing is technically just that
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.