Renewal: is it possible to run it same as new issue with --webroot?

My server is Apache 2.4 under Windows. Since it hosts multiple sites, I cannot stop it for either issue or renewals. Is it possible to renew in the same way as --webroot works for the issuing of new certs?

1 Like

Yes. Certbot saves the chosen authenticator and uses that saved authenticator when renewing.

Pardon my ignorance: what is authenticator and what does it mean that it is saved and reused?

See the certbot documentation.

If you used --webroot to get the certificate initially, certbot “remenbers” that choice by saving it in a configuration file and will use the webroot authenticator for renewals (because it will read your initial choice from the renewal configuration file).

1 Like

Ah, got it!
So, if I used the commands like

certbot certonly --webroot -d -w h:web\hostA
certbot certonly --webroot -d -w h:web\hostB
certbot certonly --webroot -d -w h:web\hostC

do I only need to run

certbot renew

and it will do everything itself? No need for any additional scripting?

It will renew the certificates by itself, yes, assuming there wasn’t anything changed in the server configuration what could mess up the renewal (changed the webroot for example…)

You’ve used certonly so you’d need to “tell” your webserver or any other service using the certificate to re-read the certificate and private key. Otherwise, it would still use the old certificate. This can be done through a script which can be used by certbot with the --deploy-hook option.

1 Like

Yeah, it is clear.
Initially, I tried to point Apache at the symlinks, but it kept saying “file not found” and I ended up writing a CMD script to copy the actual files from the archive.
I noticed that the initial certs and keys are numbered, at 1 currently.
Will the renewals keep creating new numbered certs at 2, 3, etc?

1 Like

Yes. But why don’t just use the symbolic links in the /live/ directory? Assuming certbot on Windows uses symbolic links… I know NTFS has the capability. However, I don’t know if the copy commands on Windows have the capability to dereference symbolic links, as you’d like to copy the actual file the symbolic link is pointing to, not the symbolic link itself :stuck_out_tongue:

1 Like

Might work. I’ll look into dereferencing. Worst case scenario, I can write my own program.

Many thanks!

1 Like

Figures, Windows copy command creates a real copy by default, so using copy on the command line is fine.
I am just wondering if there is any advantage to using a --deploy-hook versus running certbot renew in a CMD file and simply adding the necessary copy comands at the end?