Who wants to issue certificates manually when Letsencrypt’s Certbot can do the job?
Verify that your instructions are up to date
Always make sure that you are using the latest instructions for your application and your OS. First, visit:
Next, select your configuration and you are good to go.
Use --dry-run before running Certbot for real
By adding the flag:
--dry-run
to the renew or certonly command, you can test your syntax without actually having any certificates issued on your behalf. Certbot still prints detailed output to the console, so you can see what the real run would do.
Renew a specific certificate by name
To renew a single certificate, pass its name with --cert-name:
certbot renew --cert-name cloudinsidr.com --dry-run
Run certbot multiple times to issue individual certificates for different groups of domains
Running certbot multiple times (once per virtual host) with the -w and -d arguments yields multiple certificates. The -w flag specifies the web root; the -d flag specifies the corresponding domain.
As a result, Letsencrypt issues one certificate per run and saves each under its own certificate name.
Strive to issue one certificate for a domain and all its subdomains, as this reduces your exposure to Letsencrypt’s famous rate limits. This works up to a fairly generous limit of 100 Names per Certificate. The main restriction is a metric called Certificates per Registered Domain, which Letsencrypt has capped at 50 per week as of this writing.
Stay away from wildcard certificates. They could pose a security risk: a single private key then covers every subdomain, so compromising any host that holds it affects all of them.
List all of your certificates
If you want to see which certificates you have previously issued on any particular server instance, you can execute the command:
certbot certificates
The resulting output looks something like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: certificate-name1.com
    Domains: domain1.com domain2.com
    Expiry Date: 2019-10-17 13:37:37+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/certificate-name1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name1.com/privkey.pem
  Certificate Name: certificate-name2.com
    Domains: your-webshop1.com your-webshop2.com your-webshop3.com
    Expiry Date: 2019-09-14 16:14:02+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/certificate-name2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name2.com/privkey.pem
  Certificate Name: certificate-name3.com
    Domains: domain-name1.com domain-name2.com
    Expiry Date: 2019-10-17 14:32:14+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/certificate-name3.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name3.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Allow a subset of domain names
The flag:
--allow-subset-of-names
tells Certbot to continue with certificate generation even if only some of the specified domain authorizations can be obtained. This is useful when some of the domains on a certificate no longer point at this system, for example:
certbot renew --cert-name cloudinsidr.com --dry-run --allow-subset-of-names
It currently fails in combination with the --force-renewal option. In that case, use the syntax for adding or removing domain names instead.
Add or remove domains
To add or remove domains, re-run certonly for the same certificate name with the complete list of names you want on it:
certbot certonly --cert-name cloudinsidr.com -d cloudinsidr.com -d www.cloudinsidr.com -d ssl.cloudinsidr.com -d shop.cloudinsidr.com --dry-run
Renew certificates in a cronjob
There are several implementations of cron, so the details may vary. Generally speaking, you want to edit the jobs in the /etc/crontab file, for example with:
nano /etc/crontab
Here is an example of how you would want this file to look once you are done editing. Note that --force-renewal requests a fresh certificate on every run, so each weekly run counts against the rate limits mentioned above; without it, certbot renew only renews certificates that are actually due.
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
25 10 * * mon root certbot renew --cert-name byleapsandbounds.net --force-renewal --post-hook "systemctl reload nginx"
After saving changes to the /etc/crontab file, reload it by restarting the service:
/bin/systemctl restart crond.service
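The certificate listing shown under "List all of your certificates" and the cron job above combine into a simple renewal check. The following shell script is an added example, not code from the original post: it parses `certbot certificates` output (a constructed sample is embedded so it runs offline) and reports every certificate with fewer than a given number of days left, so a cron renewal that has silently stopped working is noticed before anything expires. The `report_live_certs` wrapper and all sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): list certificates whose remaining
# validity, as reported by `certbot certificates`, is below a threshold in days.
# Run it from a second cron job to catch renewals that silently stopped working.

# Constructed sample output in the format shown earlier on this page; on a real
# host, pipe in `certbot certificates 2>/dev/null` instead.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: certificate-name1.com
    Domains: domain1.com domain2.com
    Expiry Date: 2019-10-17 13:37:37+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/certificate-name1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name1.com/privkey.pem
  Certificate Name: certificate-name2.com
    Domains: your-webshop1.com your-webshop2.com
    Expiry Date: 2019-08-04 16:14:02+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/certificate-name2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name2.com/privkey.pem
  Certificate Name: certificate-name3.com
    Domains: domain-name1.com
    Expiry Date: 2019-06-01 14:32:14+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/certificate-name3.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name3.com/privkey.pem'

# certs_expiring_within LIMIT   (certbot output on stdin)
# Prints "<certificate name> <days left>" for each certificate with fewer than
# LIMIT days left. An Expiry Date line without a "VALID: N days" tag (expired
# or otherwise invalid certificate) is reported as 0 days.
certs_expiring_within() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = 0
            # "INVALID: EXPIRED" does not match: digits must follow the colon
            if (match($0, /VALID: [0-9]+ day/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                days = f[2] + 0
            }
            if (days < limit) printf "%s %d\n", name, days
        }'
}

# Wrapper for a live host (assumes certbot is on PATH); not invoked below.
report_live_certs() {
    certbot certificates 2>/dev/null | certs_expiring_within "${1:-30}"
}

printf '%s\n' "$SAMPLE_OUTPUT" | certs_expiring_within 30
```

Called as `report_live_certs 30` from a crontab with MAILTO set, any non-empty output is mailed, which turns the report into an alert.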
Remove certificates that you no longer need
Removing a certificate from a system is as easy as running this command with its certificate name:
certbot delete --cert-name certificate-name.com
That’s it.