sudo systemctl stop nginx sudo docker run --rm -it -p80:80 -p443:443 -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly --expand --standalone -d yolo.iix.se sudo systemctl start nginx
Extending the certificate to also cover www.iix.se sudo certbot certonly --standalone -d iix.se,www.iix.se,monit.iix.se,test.iix.se Sat Nov 04 11:14 W44 Saving debug log to /var/log/letsencrypt/letsencrypt.log Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org ------------------------------------------------------------------------------- You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/iix.se.conf) It contains these names: iix.se, monit.iix.se, test.iix.se You requested these names for the new certificate: iix.se, www.iix.se, monit.iix.se, test.iix.se. Do you want to expand and replace this existing certificate with the new certificate? ------------------------------------------------------------------------------- (E)xpand/(C)ancel: e Renewing an existing certificate Performing the following challenges: tls-sni-01 challenge for iix.se tls-sni-01 challenge for www.iix.se tls-sni-01 challenge for monit.iix.se tls-sni-01 challenge for test.iix.se /usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct) result_code = _lib.RAND_bytes(result_buffer, num_bytes) Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0009_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/iix.se/fullchain.pem. Your cert will expire on 2018-02-02. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Crontab for renewal # m h dom mon dow command 15 3 * * * certbot renew --quiet --no-self-upgrade --pre-hook "systemctl stop nginx.service" --post-hook "systemctl start nginx.service" Docker alternative Note that if you run certbot in docker, you cannot use the –pre-hook and –post-hook as the other services cannot be changed through the docker container. Instead, you should create a script file, where you run the –pre-hook before the command and –post-hook afterwards ...