Overwrite dummy cert in live directory

My domain is: fdm.niradynamics.se

I ran this command: certbot certonly --webroot -w $CERTBOT_ROOT -d $SSL_DOMAIN -m $SSL_EMAIL --agree-tos --non-interactive

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fdm.niradynamics.se
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification…
Cleaning up challenges
live directory exists for fdm.niradynamics.se

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version): nginx 1.17.1

The operating system my web server runs on is (include version): Docker nginx image (Linux 9 stretch)

Hi!

I am trying to configure my docker nginx to automatically renew the cert (if needed). In order to get nginx up and running the first time, I use my own dummy (not-trusted, self-generated) cert.

I have also created a persistent docker volume and thought that I could overwrite the dummy cert with certbot. However, certbot returns “live directory exists for…”. Is it possible to overwrite a self-created cert using certbot? Or does there exist a more elegant solution to this?

Thanks in advance!

Why is that?

Because I am pointing out the ssl cert in the nginx config. Is there any workaround? Btw, I am trying to use openssl to determine if the cert should be updated (CA name and expire date). Might work out for me.
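The openssl check described in the post above, written out as an added example that is not code from the thread: a POSIX shell script that decides whether certbot should run by looking at who issued the current cert and how long it has left. It assumes the cert sits at the standard /etc/letsencrypt/live/<domain>/fullchain.pem path, that SSL_DOMAIN, SSL_EMAIL and CERTBOT_ROOT are the variables from the original certbot command, and that 30 days is a chosen threshold.

```shell
#!/bin/sh
# Added example (not code from the thread): decide whether certbot should run
# for a certificate file, along the lines the poster sketched with openssl.
# Assumptions: the cert lives at the standard live/<domain>/fullchain.pem path,
# SSL_DOMAIN / SSL_EMAIL / CERTBOT_ROOT are the variables from the original
# command, and 30 days is a chosen threshold.
set -u

# Pure string test on the line printed by `openssl x509 -noout -issuer`.
# Both the old "/O=Let's Encrypt/" and the new "O = Let's Encrypt," layouts
# contain the organisation name, so match on that rather than on the CN
# (the intermediate CN, e.g. R3, changes over time).
issuer_is_letsencrypt() {
    case "$1" in
        *"Let's Encrypt"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the certificate in $1 was issued by Let's Encrypt.
cert_issued_by_letsencrypt() {
    issuer_is_letsencrypt "$(openssl x509 -noout -issuer -in "$1")"
}

# 0 if the certificate in $1 expires within $2 days.
# `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds
# from now, so the sense is inverted here.
cert_expires_within_days() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# 0 if certbot should run: the file is missing, it is not a Let's Encrypt
# cert (e.g. the self-signed bootstrap cert), or it is about to expire.
cert_needs_renewal() {
    cert="$1"; days="$2"
    [ -f "$cert" ] || return 0
    cert_issued_by_letsencrypt "$cert" || return 0
    cert_expires_within_days "$cert" "$days"
}

main() {
    domain="${SSL_DOMAIN:-fdm.niradynamics.se}"
    live="/etc/letsencrypt/live/$domain/fullchain.pem"
    if cert_needs_renewal "$live" 30; then
        echo "renewal needed for $domain"
        certbot certonly --webroot -w "${CERTBOT_ROOT:-/var/www/certbot}" \
            -d "$domain" -m "${SSL_EMAIL:?SSL_EMAIL must be set}" \
            --agree-tos --non-interactive
        nginx -s reload   # pick up the new files inside the nginx container
    else
        echo "certificate for $domain is current"
    fi
}

# Run the check only when invoked as `sh check-cert.sh --run`, so the
# functions can be sourced elsewhere without side effects.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Once a real Let's Encrypt cert is in place, `certbot renew` performs the expiry check itself (by default it renews anything within 30 days of expiry), so the issuer test is what this script adds: it tells the self-signed bootstrap cert apart from a real one so the first real issuance happens, without depending on the intermediate's CN, which Let's Encrypt rotates.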

Is there a reason why you're using certonly instead of the default run action with the nginx installer plugin? Perhaps because you want to manually add the HTTPS virtual host configuration section?

As far as I know, the apache and nginx installer plugins of certbot should be able to only update the HTTPS virtual host in the configuration file. So you could point to a dummy cert indeed in your config file and run certbot with -i nginx so it replaces the configuration option pointing to the dummy cert with the created certificate.

The "live directory exists for .." isn't an error I'm familiar with. You should however put /etc/letsencrypt on a persistent docker volume, if you haven't done so already.


If you don’t want to use Certbot’s -i nginx feature (or equivalently --nginx instead of certonly), I would suggest putting your dummy cert in a different path, say /etc/letsencrypt/dummy instead of /etc/letsencrypt/live. After your first certbot certonly run, you could then run

sed -i 's/dummy/live/' /etc/nginx/whatever.conf

to change the reference in the configuration file.

There is a way to create the entire /etc/letsencrypt structure with a dummy cert from the outset, but it’s not documented and requires a bit of manual work, so I don’t think I would suggest that.

The method suggested by @Osiris is intended to create the HTTPS virtual host for you where it didn’t already exist. This is what most people prefer to do if they don’t already have a certificate, but I’m sure there are configurations in which people don’t prefer that.

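The config switch suggested in the answer above, as an added example that is not code from the thread or from Certbot: the sed edit is narrowed to the ssl_certificate directives (a bare s/dummy/live/ would also rewrite comments, server names or any other path containing the word) and the result is validated with nginx -t before the running server is reloaded. It assumes the dummy directory mirrors the live/<domain>/ layout and uses a placeholder config file name.

```shell
#!/bin/sh
# Added example (not code from the thread): switch the nginx config from the
# bootstrap cert to the Let's Encrypt one, as the answer suggests with sed,
# but touching only ssl_certificate lines and validating before reload.
# Assumptions: the dummy directory mirrors the live/<domain>/ layout, and the
# config file name is a placeholder for whatever your setup uses.
set -u

# Rewrite only ssl_certificate / ssl_certificate_key directives in $1 whose
# path starts with $2, pointing them at $3 instead. A plain s/dummy/live/
# would also hit comments, server_name values or unrelated paths that
# happen to contain the word. A copy is kept at $1.bak for rollback.
switch_cert_dir() {
    conf="$1"; old="$2"; new="$3"
    cp "$conf" "$conf.bak"
    sed "s|^\([[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\)$old|\1$new|" \
        "$conf.bak" > "$conf"
}

# Apply the switch, then let nginx check the result before reloading.
# If `nginx -t` rejects the rewritten file, the backup is restored so the
# running server never loads a broken config.
activate_live_cert() {
    conf="$1"; old="$2"; new="$3"
    switch_cert_dir "$conf" "$old" "$new"
    if ! command -v nginx >/dev/null 2>&1; then
        echo "nginx not on PATH: $conf rewritten but not validated" >&2
        return 0
    fi
    if ! nginx -t; then
        echo "nginx -t rejected the new config, restoring $conf.bak" >&2
        mv "$conf.bak" "$conf"
        return 1
    fi
    nginx -s reload
}

# Usage (placeholder file name):
#   activate_live_cert /etc/nginx/conf.d/fdm.conf /etc/letsencrypt/dummy /etc/letsencrypt/live
```

Run it once, right after the first successful certbot certonly; the backup file makes the change reversible if the live directory turns out not to contain what the config now points at.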

If a custom HTTPS virtual host already exists, surely the nginx installer wouldn't add another, right?

I didn’t know that certbot could automatically update my nginx config. Using certbot --nginx sounds like the way to do it! I will try it out.

Yes, I created a persistent docker volume for my cert, avoiding any unnecessary re-creation.

Thanks for the quick support! I believe that this topic can be closed.

