Category: certbot

Using certbot apply let’s encrypt certificate

Using certbot apply let's encrypt certificate

In order to use NGINX module, certbot needs to use it's own NGINX server or it needs to modify the NGINX configuration.

Steps

Preparation

  • Shutdown application which listening on port 80 and port 443
docker stop nginx
  • Install software if haven't installed

Note: skip this step if packages installed

apt install certbot
apt install python3-certbot-nginx
  • Request certificate

Note: do not need to start nginx service, certbot will start it automatically

certbot certonly --nginx -d <domain1> -d <domain2> -d <domain3>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/<domain1>.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for <domain1> and <domain2>

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<domain1>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/<domain1>/privkey.pem
This certificate expires on 2023-05-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for <domain1> to /etc/nginx/sites-enabled/default
Successfully deployed certificate for <domain2> to /etc/nginx/sites-enabled/default
Your existing certificate has been successfully renewed, and the new certificate has been installed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • certificate location

Certificate can be found in following directory

ls /etc/letsencrypt/live/domain1/
  • stop nginx created by certbot
systemctl stop nginx
systemctl disable nginx
  • setup docker certificates

Copy privkey.pem and fullchain.pem into docker configuration directory.

Troubleshooting

All domains in the command lines must be resolved to the running host for both port 80 and port 443, otherwise the certificate can not be created.

Another way

Run certbot docker choud be better as no additional package install, and the certbot service can be stopped using docker command

References

Issue using certbot with nginx
Get Certbot