My domain is: hainaux.net (no website there, only on subdomains, like: mr.hainaux.net)
My web server is (include version): nginx 1.18.0
The operating system my web server runs on is (include version): FreeBSD 12.2
My hosting provider, if applicable, is: OVH
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not installed yet
I created and installed a certificate following the instructions on gethttpsforfree.com
This worked nicely. I'd like to automate the renewal and discovered certbot may do this.
The point is, the defaults are not the same as my current setup (no /etc/letsencrypt/ directory, for instance). Also, I do not really want to run certbot to perform an initial setup itself since I don't want it to modify the nginx configuration files in any way.
So, I have:
- an account.key file (so far, saved in /root/.ssl)
- chained.pem and dhparam.pem files in /etc/ssl/certs/
- domain.key in /etc/ssl/private/

And nginx knows about these last three files (their paths are written in its configuration files).
The certificate is for the main domain (hainaux.net) and its subdomains (*.hainaux.net). All of this runs fine.
I've seen installing certbot is easy.
My questions are:
- Is it possible to set up certbot to only perform renewals on an already working setup?
- If yes, in order to use certbot only for future renewals, is it necessary to install the nginx and DNS plugins too? Or may that be skipped, as nginx is already properly configured and the certificate is already correct (and includes wildcard domain names)?
- Will it be enough to run certbot via a cron job like in the example provided at step 8 (wildcard certificate tab) at https://certbot.eff.org/lets-encrypt/freebsd-nginx?
I guess (though I am unsure) the answer to the 3rd question is no, since renewals seem to rely on renewal configuration files.
So, would it be correct to create one manually? I just don't know how my files match the ones of the example renewal config file I've seen in the doc. I could try something like this:
archive_dir = ??
cert = ??
privkey = /etc/ssl/private/domain.key
chain = /etc/ssl/certs/chained.pem
fullchain = ??
And this should be stored in /etc/letsencrypt/renewal/, but I am not sure what the CERTNAME is, that should be used to name the renewal config file.
Or, maybe instead of a renewal config file, I should specify the required files via command line options (like --key-path etc.) in the call of the cron job?