My server is Apache 2.4 under Windows. Since it hosts multiple sites, I cannot stop it for either issue or renewals. Is it possible to renew in the same way as --webroot works for the issuing of new certs?
Yes. Certbot saves the chosen authenticator and uses that saved authenticator when renewing.
Pardon my ignorance: what is an authenticator, and what does it mean that it is saved and reused?
See the certbot documentation.
If you used --webroot to get the certificate initially, certbot "remembers" that choice by saving it in a configuration file and will use the webroot authenticator for renewals (because it will read your initial choice from the renewal configuration file).
Ah, got it!
So, if I used the commands like
certbot certonly --webroot -d domainA.com -w h:web\hostA
certbot certonly --webroot -d domainB.com -w h:web\hostB
certbot certonly --webroot -d domainC.com -w h:web\hostC
do I only need to run
certbot renew
and it will do everything itself? No need for any additional scripting?
It will renew the certificates by itself, yes, assuming nothing was changed in the server configuration that could mess up the renewal (a changed webroot, for example).
You've used certonly, so you'd need to "tell" your webserver or any other service using the certificate to re-read the certificate and private key. Otherwise, it would still use the old certificate. This can be done through a script which can be used by certbot with the --deploy-hook option.
Yeah, it is clear.
Initially, I tried to point Apache at the symlinks, but it kept saying “file not found” and I ended up writing a CMD script to copy the actual files from the archive.
I noticed that the initial certs and keys are numbered, at 1 currently.
Will the renewals keep creating new numbered certs at 2, 3, etc?
Yes. But why not just use the symbolic links in the /live/ directory? Assuming certbot on Windows uses symbolic links... I know NTFS has the capability. However, I don't know if the copy commands on Windows have the capability to dereference symbolic links, as you'd like to copy the actual file the symbolic link is pointing to, not the symbolic link itself.
Might work. I’ll look into dereferencing. Worst case scenario, I can write my own program.
Many thanks!
Figures, Windows copy command creates a real copy by default, so using copy on the command line is fine.
I am just wondering if there is any advantage to using a --deploy-hook versus running certbot renew in a CMD file and simply adding the necessary copy commands at the end?
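The copy-and-reload step discussed in this thread, written as a deploy hook. This is an added example, not code from any poster or from certbot: it relies on the RENEWED_LINEAGE environment variable that certbot sets when it runs a deploy hook for a renewed certificate, and the destination folder, the CERT_DEST_ROOT variable and the Apache reload command are assumptions.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumptions, not from the thread: destination root and the reload command.
# The destination holds a copy of the private key, so restrict its ACL to
# administrators and the account Apache runs as.
DEST_ROOT = Path(os.environ.get("CERT_DEST_ROOT", r"C:\Apache24\conf\ssl"))
RELOAD_CMD = ["httpd.exe", "-k", "restart"]
FILES = ("fullchain.pem", "privkey.pem")


def deploy(lineage, dest_root):
    """Copy the real files behind live/<name>/*.pem to dest_root/<name>/."""
    lineage = Path(lineage)
    # Follow each link into archive/ first, so a broken lineage fails
    # before any file Apache is using has been touched.
    sources = {n: (lineage / n).resolve(strict=True) for n in FILES}
    dest_dir = Path(dest_root) / lineage.name
    dest_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for name, src in sources.items():
        # Write beside the target, then swap, so a half-copied key is never read.
        fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=name + ".")
        with os.fdopen(fd, "wb") as out:
            out.write(src.read_bytes())
        os.replace(tmp, dest_dir / name)
        written.append(dest_dir / name)
    return written


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")  # set by certbot for deploy hooks
    if not lineage:
        print("RENEWED_LINEAGE is not set; run via certbot --deploy-hook", file=sys.stderr)
        return 1
    for path in deploy(lineage, DEST_ROOT):
        print("deployed", path)
    return subprocess.run(RELOAD_CMD, check=False).returncode


if __name__ == "__main__":
    sys.exit(main())
```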