Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version): Both Apache and Nginx
The operating system my web server runs on is (include version): Amazon Linux 2
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0
As per the certbot website (Certbot Instructions | Certbot), we can only get a cert by running "sudo certbot renew --dry-run". I was not able to find instructions to install them.
My question is, in case of instance termination and a new instance spinning up, how can I use the old certificate? What changes are required to achieve that?
I can take a backup of the certificate and use it on the new instance.
I am able to install a new certificate as part of the user data script on the new instance, but I would like to continue using the old certificates if there is a way. I tried checking the topics but did not find any related ones.
Help is much appreciated!!
Yes, you will need to have a cert in your instance before starting nginx or Apache. They must have any cert and private key files available at startup.
One idea to consider if you are using an AWS Load Balancer (like ELB) is to use an AWS ACM cert in ELB. This avoids needing a cert in your EC2 instances.
Giving specific advice is hard because of the many ways people design complex systems. In general, the "cert" is just a couple files needed at startup. So, whatever methods you use for other files for "seeding" your instance could be used for the cert files too. Some people use S3 or EFS or similar. In short, some persistent storage accessed on instance startup.
Trying to get a new Let's Encrypt cert from each fresh instance is usually not workable. Only 5 identical certs are allowed per week. Certs also take some time to get and may sometimes fail which is not acceptable for an instance start. You must also consider the time to install certbot unless you have it as part of your instance image.
Thanks MikeMcQ. The above information helped a lot. I have come up with a solution to use the same certificate if Elastic Beanstalk replaces the instance. Currently the script works well for the Apache proxy. I will work on Nginx and update the script by the end of the week.
Off topic, when does certbot decide to renew the certificate if we have a cron job running daily for auto-renew? Is it 10 days or 15?
Default for certbot is 30 days before expiry. It can be configured but Let's Encrypt recommends that. Gives plenty of time to resolve problems should they occur.
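The "seed the cert files from persistent storage at startup" approach from the reply above, combined with the 30-day renewal window, as an added startup script that is not part of this thread or of certbot. It assumes the whole /etc/letsencrypt tree (not just the two PEM files) is kept as a tarball in an S3 bucket named by CERT_BUCKET, a DOMAIN variable, and an nginx proxy; the bucket name and paths are placeholders.

```shell
#!/bin/sh
# Seed a fresh EC2 / Elastic Beanstalk instance with an existing Let's Encrypt
# cert before the proxy starts. Assumed (not from the thread): /etc/letsencrypt
# is kept as a tarball at s3://$CERT_BUCKET/letsencrypt.tar, and the proxy
# is nginx (swap the last line of main for Apache).
set -eu
RENEW_DAYS=30   # certbot's default renewal window, as stated in the thread

# Unpack the letsencrypt tree from SRC (local tarball or s3:// URL) into DST and
# confirm live/DOMAIN holds both chain and key. tar keeps the live/ -> archive/
# symlinks that a later "certbot renew" relies on; a plain file copy would not.
seed_letsencrypt() {
    src="$1"; dst="$2"; domain="$3"
    mkdir -p "$dst"
    case "$src" in
        s3://*) aws s3 cp "$src" - | tar -xf - -C "$dst" ;;
        *)      tar -xf "$src" -C "$dst" ;;
    esac
    if [ -s "$dst/live/$domain/fullchain.pem" ] && [ -s "$dst/live/$domain/privkey.pem" ]; then
        return 0
    fi
    return 1
}

# notAfter of a PEM cert as a Unix timestamp (GNU date, as on Amazon Linux 2).
cert_expiry_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -u -d "$end" +%s
}

# True (exit 0) when EXPIRY is within RENEW_DAYS of NOW; NOW defaults to the clock.
renew_due() {
    expiry="$1"; now="${2:-$(date +%s)}"
    [ $(( expiry - now )) -le $(( RENEW_DAYS * 86400 )) ]
}

main() {
    if ! seed_letsencrypt "s3://$CERT_BUCKET/letsencrypt.tar" /etc/letsencrypt "$DOMAIN"; then
        echo "no usable cert for $DOMAIN in s3://$CERT_BUCKET; not starting nginx" >&2
        exit 1
    fi
    # Renew only inside the window, so a burst of replacement instances does not
    # hit the duplicate-certificate rate limit; push the result back to S3.
    if renew_due "$(cert_expiry_epoch "/etc/letsencrypt/live/$DOMAIN/fullchain.pem")"; then
        certbot renew --non-interactive
        tar -cf - -C /etc/letsencrypt . | aws s3 cp - "s3://$CERT_BUCKET/letsencrypt.tar"
    fi
    systemctl start nginx
}
# Run only when configured, so the functions above can be sourced and tested alone.
if [ -n "${CERT_BUCKET:-}" ]; then main; fi
```

The instance role needs read access to the bucket for seeding and write access only if the instance is also allowed to renew; with an ELB and an ACM cert in front, as suggested above, none of this is needed on the instance.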
Thanks a lot :). I was thinking of writing logic to check the expiry date and renew it, but 30 days is best.
The issue I am facing with nginx so far is that I am not making any nginx configuration changes while installing certbot using ebextension, whereas for Apache I am using the below file in .platform/httpd/conf.d/:
So while deploying the application on the Apache proxy, these changes (manual, as the old cert is copied from S3) are being deployed using ebextension.
My next steps to reproduce this are:
a. Find the changes made by certbot to the nginx conf while installing the bot
b. Use ebextension in a way so that only the new instance will be updated using the nginx config
You mention Apache proxy and nginx.
Are both web servers running in the same server? [based on topic, I think no]
Are both web servers going to need certificate(s)? [based on topic, I think yes]
Hi rg305@,
Thanks for getting back. Apologies for the confusion.
Both servers are used in different Elastic Beanstalk environments. I am using ebextension to modify the Apache config file, whereas no config file modification is needed for the nginx proxy. Will update this thread next week after more testing.
Thanks all for your support.