Upgrade path from 0.4 to latest certbot and using Cloudflare DNS renewal


#1

Hello!

I’ve been running Ubuntu+Serverpilot+Letsencrypt successfully for a while. Installation and renewal was configured using this automatic script: https://github.com/rehmatworks/serverpilot-letsencrypt

A few months ago I installed cloudflare to act as a global proxy cache for all my pages and files, and I discovered (the hard way) that this broke certificate renewal. I’ve looked at the options for renewing certificated that are behind the cloudflare proxy and one recommendation is webroot, but I don’t think that’s right for me because I configured my server to redirect all http traffic to https and I like to keep it that way.
Then there is the DNS option for which there is the cloudflare plugin: https://certbot-dns-cloudflare.readthedocs.io/en/latest/
This seems like the correct solution for me but I have 3 questions:

1. The Ubuntu package I have now doesn’t support DNS renewal, so I guess I’ll have to uninstall that and install the latest version manually, is there any documentation for this upgrade path?
2. My certificates were installed with the letsencrypt command (version 0.4) but now I see the documentation refers to “certbot” as the main command, will the latest certbot command still read my certs and renewal/.conf files from /etc/letsencrypt?
3. My certificates are currently renewed using this command in cron: “sudo service nginx-sp stop && yes | letsencrypt --standalone renew &>/dev/null && service nginx-sp start && service nginx-sp reload” – Will I simply replace this with the cloudflare renewal command or do I also have to update my /renewal/.conf files to indicate the usage of DNS01 renewal? Or do I have to delete my certificates and install new ones (I hope not because I have no experience with manual installation and nginx configuration)?


#2

I’m not familiar with serverpilot…
But I’ve followed these instructions without fail: https://certbot.eff.org/all-instructions/
Using different versions of Ubuntu with Apache and Nginx.

But to try and answer your questions.
#1 Not sure. Certbot is the new name for LetsEncrypt so it might be less complicated than you think.
#2 Yes. They both use the same path and file structure, etc.
#3 If you are going to use the DNS option, the cloudflare renewal command seems to get the cert in a certonly fashion, so you will still have to restart nginx after the renewal. You should not have to delete any certs.
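As an added illustration of the renewal wrapper discussed in the question and this reply (example code, not from the thread or from certbot), the script below replaces the old stop/renew/start cron line: it first refuses to run if the Cloudflare credentials file is readable by anyone but its owner or lacks a token/key entry, then calls `certbot renew` with the dns-cloudflare plugin and a `--deploy-hook` so `nginx-sp` is reloaded only when a certificate was actually renewed. DNS-01 never binds port 80/443, so the service no longer has to be stopped. The credentials path is a hypothetical choice; `--dns-cloudflare`, `--dns-cloudflare-credentials` and `--deploy-hook` are real certbot options, and the key names match the plugin's documented credentials file (`dns_cloudflare_api_token`, or the older `dns_cloudflare_api_key` form). The token value shown is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: cron-friendly renewal wrapper for
# certbot with the dns-cloudflare plugin on a ServerPilot (nginx-sp) host.
# Usage:  sh renew-cloudflare.sh --run      (from cron, as root)

# Hypothetical location for the plugin's credentials INI file.
CREDS="${CREDS:-/root/.secrets/cloudflare.ini}"

# check_creds FILE
# Returns 0 when FILE exists, is owner-only (mode 600 or 400) and contains a
# dns_cloudflare_api_token or dns_cloudflare_api_key line; 1 otherwise.
# A world-readable API token would let any local user edit your DNS zone.
check_creds() {
  f="$1"
  [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "credentials file $f is mode $mode; expected 600" >&2; return 1 ;;
  esac
  grep -Eq '^[[:space:]]*dns_cloudflare_(api_token|api_key)[[:space:]]*=' "$f" \
    || { echo "no dns_cloudflare_api_token/api_key entry in $f" >&2; return 1; }
  return 0
}

# build_renew_cmd FILE
# Prints the certbot command line that main() runs, so it can be reviewed
# (or logged) without executing certbot.
build_renew_cmd() {
  printf 'certbot renew --dns-cloudflare --dns-cloudflare-credentials %s --deploy-hook "service nginx-sp reload"\n' "$1"
}

main() {
  check_creds "$CREDS" || exit 1
  # --deploy-hook runs once per certificate that was renewed, so nginx-sp is
  # reloaded only when something changed. No stop/start: DNS-01 needs no port.
  certbot renew --dns-cloudflare \
    --dns-cloudflare-credentials "$CREDS" \
    --deploy-hook "service nginx-sp reload"
}

# Only execute when invoked with --run, so the functions can be sourced/tested.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Note that `certbot renew` reuses whatever authenticator each `/etc/letsencrypt/renewal/*.conf` records; a certificate issued with `--standalone` keeps renewing via standalone until it is re-requested once with `certbot certonly --dns-cloudflare --dns-cloudflare-credentials <file> --cert-name <existing name> -d <domains>`, which rewrites that `.conf`. After that one-off step the wrapper above renews all certificates unattended, and `certbot renew --dry-run` against the staging environment is a safe way to confirm the DNS challenge works before the real expiry.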


#3

Hi @perikles,

You can use the webroot authentication method with your current conf; it doesn’t matter whether you are redirecting http to https, Let’s Encrypt will follow the redirection to validate your domain.

Cheers,
sahsanu


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.