I came across this recommendation for securing a WordPress site:
Run the following command to install Let’s Encrypt client (certbot) on Ubuntu 20.04 server.
apt install certbot python3-certbot-apache
certbot --apache --agree-tos --redirect --hsts --uir --staple-ocsp --email you@example.com -d yourdomain.com,www.yourdomain.com
Where
--apache: Use the Apache plugin.
--agree-tos: Agree to terms of service.
--redirect: Force HTTPS by 301 redirect.
--hsts: Add the Strict-Transport-Security header to every HTTP response. This forces the browser to always use TLS for the domain and defends against SSL/TLS stripping.
--uir: Add the “Content-Security-Policy: upgrade-insecure-requests” header to every HTTP response.
--staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.
--email: Email used for registration and recovery contact.
The -d flag is followed by a comma-separated list of domain names. You can add up to 100 domain names.
The certificate should now be obtained and automatically installed.
First: is there a difference between these programs (certbot, python3-certbot-apache) and the snap-installed version? Are they compatible?
Second: the above has additional security parameters which would seem to be a good idea. Are these not available in the snap version?
Installing with apt gets you the certbot supplied with your Ubuntu distro. Those are older versions than the snap (often considerably older and infrequently updated). Snap is best, as it is easy to keep current and is the focus of EFF going forward. Others can provide considerably more details, but that is the highlight.
Thanks for your responses.
I am using Certbot installed with snap.
I checked through the linked command options (thanks) and see that these are available: --redirect --hsts --uir --staple-ocsp
All seem to be very sensible options to have.
To apply these options, will I need to delete existing certificates and re-create them?
No; deleting certs is never required to change certbot versions.
If those parameters were already there, they will continue to be used after the upgrade.
If any of those parameters were NOT there before the upgrade, then you will have to issue a cert with them (or manually add them to the related VHOSTs).
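Whichever route is taken (re-issuing with the flags, or adding the directives to the vhosts by hand), the result can be checked from outside by looking at what the server actually sends. The following POSIX shell script is an added example written for this thread, not code from certbot or from anyone in the discussion. It defines three small checks: one for the two headers that --hsts and --uir are meant to add, one for the permanent HTTPS redirect that --redirect configures, and one for a stapled OCSP response as reported by `openssl s_client -status` (the flag that --staple-ocsp is meant to satisfy). The host name yourdomain.com and the sample response text at the bottom are constructed so the script runs offline; the commented live invocations assume curl and openssl are installed.

```shell
#!/bin/sh
# Added example (not from the thread): checks a captured HTTPS response for the
# headers --hsts and --uir should add, a plain-HTTP response for the redirect
# --redirect should add, and `openssl s_client -status` output for a stapled
# OCSP response (--staple-ocsp). Host name and sample text are constructed.

# audit_headers: read a response (status line + headers) on stdin, print each
# expected header that is missing, and return the number missing (0 = all good).
audit_headers() {
    _hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    _missing=0
    # HSTS only protects if it carries a max-age value.
    if ! printf '%s\n' "$_hdrs" | grep -q '^strict-transport-security:.*max-age='; then
        echo "missing: Strict-Transport-Security with max-age"
        _missing=$((_missing + 1))
    fi
    # --uir adds the upgrade-insecure-requests CSP directive.
    if ! printf '%s\n' "$_hdrs" | grep -q '^content-security-policy:.*upgrade-insecure-requests'; then
        echo "missing: Content-Security-Policy: upgrade-insecure-requests"
        _missing=$((_missing + 1))
    fi
    return $_missing
}

# audit_redirect: read the response to a plain http:// request on stdin and
# require a permanent redirect (301 or 308) whose Location is an https:// URL.
audit_redirect() {
    _resp=$(tr -d '\r')
    _status=$(printf '%s\n' "$_resp" | head -n 1)
    case "$_status" in
        "HTTP/"*" 301"*|"HTTP/"*" 308"*) ;;
        *) echo "not a permanent redirect: $_status"; return 1 ;;
    esac
    if ! printf '%s\n' "$_resp" | grep -iq '^location: https://'; then
        echo "redirect does not point at an https:// URL"
        return 1
    fi
    echo "permanent redirect to HTTPS in place"
    return 0
}

# ocsp_stapled: read `openssl s_client -status` output on stdin; openssl prints
# "OCSP Response Status: successful" when the server stapled a response.
ocsp_stapled() {
    if grep -q 'OCSP Response Status: successful'; then
        echo "OCSP response is stapled"
        return 0
    fi
    echo "no stapled OCSP response"
    return 1
}

# Live usage (needs network; not run here). -I sends HEAD and does not follow
# redirects, so the http:// request shows the redirect itself:
#   curl -sI https://yourdomain.com/ | audit_headers
#   curl -sI http://yourdomain.com/  | audit_redirect
#   openssl s_client -connect yourdomain.com:443 -servername yourdomain.com \
#       -status </dev/null 2>/dev/null | ocsp_stapled

# Offline demo on a constructed response that carries both headers.
CONSTRUCTED_RESPONSE='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests
Content-Type: text/html'
if printf '%s\n' "$CONSTRUCTED_RESPONSE" | audit_headers; then
    echo "constructed sample: both headers present"
fi
```

Because each function reads the response from stdin and reports through its exit status, the checks drop into a cron job or a post-renewal hook as they are; a non-zero status from any of them means a vhost lost an enhancement (for instance after an Apache config edit), which is the situation the last reply describes.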