Fossil

Check-in [dadd1342]

Overview
Comment: The abbreviated certbot command didn't work here on my first Let's Encrypt renewal after writing the tls-nginx.md document, so changed that advice to use the full-strength form.
SHA3-256: dadd1342197a5794f69cac649899860165c0edd3911dc98aa9fca28c59a4534f
User & Date: wyoung 2019-04-02 03:26:19
Context
2019-04-03 18:33
Update the built-in SQLite to the latest 3.28.0 alpha version. check-in: 41974e08 user: drh tags: trunk
2019-04-02 03:26
The abbreviated certbot command didn't work here on my first Let's Encrypt renewal after writing the tls-nginx.md document, so changed that advice to use the full-strength form. check-in: dadd1342 user: wyoung tags: trunk
2019-04-01 00:43
Clean up the detection of BIO_ADDR_hostname_string by removing redundant definitions; apparently autosetup has a feature which automatically creates a define with HAVE_ prepended for whatever function is intended to be detected. check-in: 3d827943 user: andybradford tags: trunk
Changes

Changes to www/tls-nginx.md.

sufficiently capable and motivated attacker unless you’ve also gone
ahead and [enabled HSTS](#hsts).  You can put off the need to enable
HSTS by explicitly using HTTPS URIs.


## Step 7: Renewing Automatically

Now that the configuration is solid, you can renew the LE cert and
restart nginx with two short commands, which are easily automated:


      sudo certbot certonly --webroot





      sudo systemctl restart nginx

I put those in a script in the `PATH`, then arrange to call that
periodically.  Let’s Encrypt doesn’t let you renew the certificate very
often unless forced, and when forced there’s a maximum renewal counter.
Nevertheless, some people recommend running this daily and just letting
it fail until the server lets you renew.  Others arrange to run it no
more often than it’s known to work without complaint.  Suit yourself.

sufficiently capable and motivated attacker unless you’ve also gone
ahead and [enabled HSTS](#hsts).  You can put off the need to enable
HSTS by explicitly using HTTPS URIs.


## Step 7: Renewing Automatically

Now that the configuration is solid, you can renew the LE cert with the
`certbot` command from above without the `--dry-run` flag plus a restart
of nginx:

      sudo certbot certonly --webroot \
         --webroot-path /var/www/example.com \
             -d example.com -d www.example.com \
             -d example.net -d www.example.net \
         --webroot-path /var/www/foo.net \
             -d foo.net -d www.foo.net
      sudo systemctl restart nginx

I put those commands in a script in the `PATH`, then arrange to call that
periodically.  Let’s Encrypt doesn’t let you renew the certificate very
often unless forced, and when forced there’s a maximum renewal counter.
Nevertheless, some people recommend running this daily and just letting
it fail until the server lets you renew.  Others arrange to run it no
more often than it’s known to work without complaint.  Suit yourself.
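Review bot: the `sudo systemctl restart nginx` on the last line of the new command block is unconditional, so when the script is run daily as the following paragraph suggests, nginx is restarted on every invocation even on the days `certbot certonly` fails because the server will not yet renew; join the two commands with `&&` (or have the script exit on certbot's non-zero status) so the restart only happens after a successful issuance.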