Client has issues with his previous dev (that also maintained the server and certificates), and the certificate will expire tomorrow. Need to renew only for specific domain, so if it is possible it will be nice. Or for all domains if it’s impossible.
In CLI history log I see repeating command sequences like:
985 vi /etc/pki/tls/certs/private.key
986 vi /etc/pki/tls/certs/certificate.crt
987 vi /etc/pki/tls/certs/ca_bundle.crt
988 find / -name vhosts.conf
989 vi /etc/httpd/conf/vhosts.conf
990 service httpd restart
These are the only actions that somehow connected to certificates, so I conclude that these commands are part of the renewal process.
I’d like to repeat this, but googling this hasn’t helped to understand the process and we’re running out of time.
Or maybe we should wait until the certificate is fully expired and then we’ll be able to create a new certificate?.. I’m not sure how much downtime will be involved in this case. Also, if multiple domains certificate expires - is it possible immediately after that to issue a new certificate for a specific domain only?
and then copied and pasted the resulting certificate data into vi over SSH.
You could probably do the same relatively easily. You will be asked to create specific files on the site(s) to prove your control over them during the process. This is an alternative to installing software on the server, and the reason that I guess this is what happened is the evidence you presented of the history—apparently the certificates were obtained “somewhere else” and then pasted here.
An advantage for the future of installing software on the server is that you can script it so that the certificates will be renewed automatically. For example, in most configurations certbot renew can be run daily from cron so that you get renewed certificates installed automatically.
There is no benefit to allowing the old certificates to expire before obtaining new ones. Usually we recommend obtaining a new certificate 30 days before the previous one expires (which is what Certbot will attempt to do if certbot renew is run); you can get certificates with either the previous combination of names or a different combination.
