Certbot - Recipes
How it works
Certbot:
- writes a challenge into a directory specified in a configuration file or passed as an argument. If you pass the webroot as the argument, certbot writes the challenge into <webroot>/.well-known/acme-challenge/
- tells the Let's Encrypt server to request the challenge file from the website for which you are trying to obtain the certificate (e.g. something along the lines of https*://<website>/.well-known/acme-challenge/<challenge_just_created>)
- if the challenge succeeds, it issues the certificate and stores the data needed for further renewals in a configuration file
How to renew certificates
Set up a Cron Job
This is the solution suggested by Let's Encrypt. Somehow I cannot manage to have the cron job working (Environment? Path? Who knows).
So, while trying to solve the issue, the two options below are those I use.
By hand, before certificate expiration
sudo su
certbot renew
By hand, after certificate expiration
Renewing certificates after expiration is a bit trickier, especially if your configuration:
- redirects all traffic to https and you did not add an exception for serving .well-known/acme-challenge from http. In fact, if all traffic is redirected to https, certbot fails, since it tries to load a challenge from a website with an invalid certificate and the request fails.
- serves a web app and you did not set a special rule to serve files from .well-known/acme-challenge.
So, if you are like me, namely not smart enough to have a configuration which manages these cases, the solution is as follows:
1. Change the configuration so that:
   - It responds to http (e.g., comment out redirects to https).
   - It makes https://<webroot>/.well-known/acme-challenge/ visible on the Internet; see the example rule below for Nginx. The rule is most often needed for web apps.
2. Restart the server
3. Launch certbot renew
4. Restore the configuration
5. Restart the server
6. Add a reminder to renew, next time, before expiration
Miss all reminders and warnings Let’s Encrypt sends, miss the reminder you set at step 6; start again from step 1.
    # Serve the ACME challenge directory straight from disk, so the request
    # is answered by nginx and not handed to the web app. The ^~ modifier
    # makes this prefix location win over any regex locations in the block.
    location ^~ /.well-known/acme-challenge/ {
        alias /srv/http/.well-known/acme-challenge/;
        try_files $uri =404;
    }
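The challenge flow described under "How it works" and the two failure modes described above (a blanket redirect to https, or a web app swallowing the path) are easiest to catch before running certbot renew rather than after it fails. The following pre-flight check is an added example, not part of the original page and not certbot's own code: it writes a random token under <webroot>/.well-known/acme-challenge/, fetches it over plain http with redirects disabled (a redirect is exactly the symptom to detect), and reports which of the problems, if any, it sees. The script name, the webroot/hostname arguments, the verdict strings and the fetch helper are my own choices.

```python
"""Pre-flight check for certbot's HTTP-01 challenge path (added example).

Writes a throwaway token under <webroot>/.well-known/acme-challenge/, then
fetches it over plain http WITHOUT following redirects, so that a redirect
to https or a web app answering the path shows up before `certbot renew`.
"""
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path

ACME_DIR = ".well-known/acme-challenge"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses: a redirect is what we want to observe."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """GET url without following redirects.

    Returns (status, Location header or None, body bytes)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read()
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx as well as 4xx/5xx arrive here.
        return err.code, err.headers.get("Location"), err.read()


def check_challenge_path(webroot, hostname, fetch=http_fetch):
    """Return "ok", "redirect", "not-served" or "mismatch".

    The token is freshly random, so a stale file from an earlier run cannot
    produce a false "ok"; the file is removed again whatever the outcome.
    `fetch` is injectable so the logic can be exercised without a server."""
    token = secrets.token_urlsafe(16)
    expected = f"preflight-{token}".encode()
    challenge_dir = Path(webroot) / ACME_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_file = challenge_dir / token
    token_file.write_bytes(expected)
    try:
        status, location, body = fetch(f"http://{hostname}/{ACME_DIR}/{token}")
    finally:
        token_file.unlink(missing_ok=True)
    if 300 <= status < 400:
        return "redirect"      # e.g. blanket 301 to https; target is in `location`
    if status != 200:
        return "not-served"    # typically 404: vhost or web app does not serve the path
    if body != expected:
        return "mismatch"      # 200 but wrong content: another handler answered
    return "ok"


MESSAGES = {
    "ok": "challenge path is reachable over http; safe to run `certbot renew`",
    "redirect": "http is redirected (probably to https); exempt the challenge path first",
    "not-served": "challenge file not served; add a location rule for /.well-known/acme-challenge/",
    "mismatch": "path answered by something else (web app?); add an explicit location rule",
}


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <webroot> <hostname>", file=sys.stderr)
        return 2
    verdict = check_challenge_path(argv[1], argv[2])
    print(f"{verdict}: {MESSAGES[verdict]}")
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the web server after steps 1 and 2 (configuration changed, server restarted) and before step 3, e.g. python3 acme_preflight.py /srv/http example.org with your own webroot and hostname. The hostname is resolved from wherever the script runs, while Let's Encrypt validates from the Internet, so a local hosts-file override or a firewall rule on port 80 can make the check pass where the real validation would not; when in doubt run it from a second machine that can only write the token via the same webroot.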