Running certbot without updating nginx virtualhost files


#1

Hi all,

So I recently got my personal site with a number of sub-domains working with nginx and certbot.

Initially when I generated the certs, I used:

certbot --nginx --cert-name mydomain.nz -d mydomain.nz -d www.mydomain.nz -d docker.mydomain.nz -d hass.mydomain.nz -d gitlab.mydomain.nz -d test.mydomain.nz

This took advantage of the SANs field for sub-domains, as my DNS host doesn’t allow TXT records which LE requires for Wildcard certs.

So, when I went through the interactive prompts, I selected the option to update nginx acordingly, however now when I update or add new sub-domains I’d rather it didn’t make changes to the nginx config.

E.g.

Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/docker
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/hass
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/gitlab
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/ghost
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

What do I need to do to stop it updating the virtualHost config?

Thanks,

Matt


#2

Hi,

You just need to run certbot certonly, so it will only request certificate, not installing it to corresponding vHost.

Thank you


#3

It’s only one cert. It has to be updated wherever used, whenever updated.
One option to reduce such deploys on adds (and deletes) is to separate the certs individually.
Otherwise, some sites will be using an older version of the same cert and there will be no way to know when to renew which version of the exact same cert…

Who will handle cert expiration and renewals?


#4

Thanks.

I literally answered my own question just after posting while experimenting with test domains:

root@yoshi:/etc/nginx/sites-available# certbot certonly --nginx --cert-name mydomain.nz -d mydomain.nz -d www.mydomain.nz -d docker.mydomain.nz -d hass.mydomain.nz -d g itlab.mydomain.nz -d test.mydomain.nz -d nz.mydomain.nz -d ghost.mydomain.nz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

-------------------------------------------------------------------------------
You are updating certificate mydomain.nz to include new domain(s):
+

You are also removing previously included domain(s):
- test2.mydomain.nz

Did you intend to make this change?
-------------------------------------------------------------------------------
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.nz
http-01 challenge for www.mydomain.nz
http-01 challenge for docker.mydomain.nz
http-01 challenge for hass.mydomain.nz
http-01 challenge for gitlab.mydomain.nz
http-01 challenge for test.mydomain.nz
http-01 challenge for nz.mydomain.nz
http-01 challenge for ghost.mydomain.nz
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.nz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.nz/privkey.pem
   Your cert will expire on 2018-08-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I’m assuming I don’t need to do anything now, and can rely on the default cron.d/certbot job to renew the certs in 2 months time?


root@yoshi:/etc/nginx/sites-available# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Thanks,

Matt


#5

While you’re using the certonly command, the Installer nginx suggests certbot ignored the certonly part because of the --nginx option on the command line. Did certbot edit your nginx configuration files or did it leave them alone this time?


#6

I predict that it didn’t use the installer, and that this log message comes from earlier in the process and doesn’t indicating that that installer plugin was actually used to install the certificate.


#7

That sounds like a bug? :slightly_smiling_face:


Certs not renewing
#8

Hmmm.

It seems that at some point, certbot lines got re-added to my config, but I probably did something stupid at some point.

Anyway, so I decided to test the above request, and confirm that the vhost configs are not edited by certbot when having --nginx specified.

So - I removed the certbot lines from the config for ghost.mydomain.nz, then re-ran:

root@yoshi:/etc/nginx/sites-available# certbot certonly --nginx --cert-name mydomain.nz -d mydomain.nz -d www.mydomain.nz -d docker.mydomain.nz -d hass.mydomain.nz -d gitlab.mydomain.nz -d test.mydomain.nz -d nz.mydomain.nz -d ghost.mydomain.nz -d test3.mydomain.nz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

-------------------------------------------------------------------------------
You are updating certificate mydomain.nz to include new domain(s):
+ test3.mydomain.nz

You are also removing previously included domain(s):
- test2.mydomain.nz

Did you intend to make this change?
-------------------------------------------------------------------------------
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.nz
http-01 challenge for www.mydomain.nz
http-01 challenge for docker.mydomain.nz
http-01 challenge for hass.mydomain.nz
http-01 challenge for gitlab.mydomain.nz
http-01 challenge for test.mydomain.nz
http-01 challenge for nz.mydomain.nz
http-01 challenge for ghost.mydomain.nz
http-01 challenge for test3.mydomain.nz
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.nz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.nz/privkey.pem
   Your cert will expire on 2018-08-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

and I can confirm that the vhost config for ghost did not have “# managed by Certbot” readded. :slight_smile:

Regardless, I’ll run the command from hereon in without “–nginx” :slight_smile:


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.