My domain is: hainaux.net (no website there, only on subdomains, like: mr.hainaux.net)
My web server is (include version): nginx 1.18.0
The operating system my web server runs on is (include version): FreeBSD 12.2
My hosting provider, if applicable, is: OVH
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not installed yet
I created and installed a certificate following the instructions on gethttpsforfree.com
This worked nicely. I'd like to automate the renewal and discovered certbot may do this.
The point is, the defaults are not the same as my current setup (no /etc/letsencrypt/ directory, for instance). Also, I do not really want to run certbot to perform an initial setup itself since I don't want it to modify the nginx configuration files in any way.
So, I have:
account.key file (so far, saved in
nginx knows about these last three files (their paths are written in its configuration files).
The certificate is for the main domain (hainaux.net) and its subdomains (*.hainaux.net). All of this runs fine.
I've seen installing certbot is easy.
My questions are:
- Is it possible to set up certbot to only perform renewals on an already working setup?
- If yes, in order to use certbot only for future renewals, is it necessary to install the nginx and DNS plugins too? Or may that be skipped, as nginx is already properly configured and the certificate is already correct (and includes wildcard domain names)?
- Will it be enough to run certbot via a cron job like in the example provided at step 8 (wildcard certificate tab) at https://certbot.eff.org/lets-encrypt/freebsd-nginx?
I guess (though I am unsure) the answer to the 3rd question is no, since renewals seem to rely on renewal configuration files.
So, would it be correct to create one manually? I just don't know how my files match the ones of the example renewal config file I've seen in the doc. I could try something like this:
    archive_dir = ??
    cert = ??
    privkey = /etc/ssl/private/domain.key
    chain = /etc/ssl/certs/chained.pem
    fullchain = ??
And this should be stored in /etc/letsencrypt/renewal/, but I am not sure what the CERTNAME is, that should be used to name the renewal config file.
Or, maybe instead of a renewal config file, I should specify the required files via command line options (like --key-path etc.) in the call of the cron job?