My server is Apache 2.4 under Windows. Since it hosts multiple sites, I cannot stop it for either issue or renewals. Is it possible to renew in the same way as --webroot works for the issuing of new certs?
Yes. Certbot saves the chosen authenticator and uses that saved authenticator when renewing.
Pardon my ignorance: what is authenticator and what does it mean that it is saved and reused?
See the certbot documentation.
If you used --webroot to get the certificate initially, certbot “remembers” that choice by saving it in a configuration file and will use the webroot authenticator for renewals (because it will read your initial choice from the renewal configuration file).
Ah, got it!
So, if I used the commands like
certbot certonly --webroot -d domainA.com -w h:web\hostA
certbot certonly --webroot -d domainB.com -w h:web\hostB
certbot certonly --webroot -d domainC.com -w h:web\hostC
do I only need to run
and it will do everything itself? No need for any additional scripting?
It will renew the certificates by itself, yes, assuming there wasn’t anything changed in the server configuration that could mess up the renewal (changed the webroot, for example…).
certonly so you’d need to “tell” your webserver or any other service using the certificate to re-read the certificate and private key. Otherwise, it would still use the old certificate. This can be done through a script which can be used by certbot with the
Yeah, it is clear.
Initially, I tried to point Apache at the symlinks, but it kept saying “file not found” and I ended up writing a CMD script to copy the actual files from the archive.
I noticed that the initial certs and keys are numbered, at 1 currently.
Will the renewals keep creating new numbered certs at 2, 3, etc?
Yes. But why don’t you just use the symbolic links in the /live/ directory? Assuming certbot on Windows uses symbolic links… I know NTFS has the capability. However, I don’t know if the copy commands on Windows have the capability to dereference symbolic links, as you’d like to copy the actual file the symbolic link is pointing to, not the symbolic link itself.
Might work. I’ll look into dereferencing. Worst case scenario, I can write my own program.
copy command creates a real copy by default, so using copy on the command line is fine.
I am just wondering if there is any advantage to using a --deploy-hook versus running certbot renew in a CMD file and simply adding the necessary copy commands at the end?
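The copy step discussed in this thread, written as a deploy hook (an added example, not code from the thread or from certbot): certbot runs a deploy hook once for each certificate it actually renewed and passes that certificate's live directory in the RENEWED_LINEAGE environment variable. The `deploy` function name and the `DEST_ROOT` and `HTTPD` paths are assumptions to adapt to the local Apache install.

```python
import os
import subprocess
import sys
from pathlib import Path

FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")
DEST_ROOT = r"C:\Apache24\conf\ssl"    # assumed location, not from the thread
HTTPD = r"C:\Apache24\bin\httpd.exe"   # assumed location, not from the thread


def deploy(lineage, dest_root):
    """Copy one lineage's live files into dest_root/<name>/ as regular files.

    Returns (live name, archive name) pairs, e.g. ("cert.pem", "cert2.pem").
    """
    lineage = Path(lineage)
    target = Path(dest_root) / lineage.name
    target.mkdir(parents=True, exist_ok=True)
    # Resolve every link first so a missing file aborts before anything is replaced.
    resolved = [(n, (lineage / n).resolve(strict=True)) for n in FILES]
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_BINARY", 0)
    for name, real in resolved:
        tmp = target / (name + ".tmp")
        # 0o600 keeps the key copy owner-only on POSIX; on Windows the copy
        # inherits the ACL of the target directory, so restrict that directory.
        with os.fdopen(os.open(tmp, flags, 0o600), "wb") as out:
            out.write(real.read_bytes())
        os.replace(tmp, target / name)  # swap in place, never a half-written file
    return [(n, real.name) for n, real in resolved]


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")  # set by certbot for deploy hooks
    if not lineage:
        sys.exit("RENEWED_LINEAGE is not set; run this from certbot --deploy-hook")
    for live, archived in deploy(lineage, DEST_ROOT):
        print(f"{live} <- {archived}")
    subprocess.run([HTTPD, "-k", "restart"], check=True)  # make Apache re-read them


if __name__ == "__main__":
    main()
```

Because the hook only fires for certificates that were renewed, Apache is not restarted on the runs where nothing was due.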