Nginx
lagudal, 2021-03-18 15:51:58

Certbot renew - how to write configs so that certificates are updated automatically?

Given: a domain with three subdomains, a VPS running Ubuntu 20.04, nginx on port 8080 behind Varnish on port 80.
On these 3 subdomains there are Magento 2 sites.
First, certificates from Let's Encrypt were installed (in the default way: certbot, followed by certbot renew --dry-run); then the Varnish and Magento instances were installed and the nginx configs were set up for them.
Here is an example nginx config for one of the virtual hosts.

server {
    listen 8080;
    server_name magento.site.com;
    set $MAGE_ROOT /var/www/magento;
    set $MAGE_DEBUG_SHOW_ARGS 0;
    set $MAGE_MODE default;
    include /var/www/magento/nginx.conf.sample;
}

server {
    server_name magento.site.com;

    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/magento.site.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/magento.site.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1;
        proxy_set_header Host               $http_host;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  https;
        proxy_set_header X-Forwarded-Port   443;
        proxy_buffer_size                   128k;
        proxy_buffers                       4 256k;
        proxy_busy_buffers_size             256k;
        fastcgi_buffer_size                 32k;
        fastcgi_buffers                     4 32k;
    }
}

Everything works correctly until certbot tries to renew the certificates. One morning I find 3 expired certificates, and renewing manually with the configured configs does not work either:
Challenge failed for domain magento.site.com
In principle, by changing one nginx config back to the default, disabling Varnish and switching nginx to port 80, everything renewed; it is a 5-minute job, but still... How can certbot be made to renew the certificates automatically in such a configuration? I saw a suggestion to add this to the Varnish config:
backend certbot {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    if (req.url ~ "^/\.well-known/acme-challenge/") {
        set req.backend_hint = certbot;
        return(pipe);
    }
}

sub vcl_pipe {
    if (req.backend_hint == certbot) {
        set req.http.Connection = "close";
        return(pipe);
    }
}

but it did not help.

2 answers

AUser0 (@AUser0), 2021-03-18

So certbot can renew an already issued certificate, and re-validation (configuring NGINX) is no longer necessary for this!
P.S. Remove --dry-run.

Viktor Taran (@shambler81), 2021-03-18

--dry-run simulates certificate issuance for testing purposes, without using up attempts and without creating any files!
Also don't forget that you need to apply the certificates before that, and test that the configs are valid.
Something like:

* */12 * * * /usr/sbin/nginx -t && /usr/sbin/nginx -s reload  >/dev/null 2>&1

And certbot renew half an hour before that.
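The setup in the question (Varnish on :80 piping /.well-known/acme-challenge/ to nginx on :8080, whose vhost hands everything to Magento) and the advice above to test the config before reloading suggest one defensive renewal routine. This is an added example, not code from the thread or from certbot/nginx; it assumes a static webroot (/var/www/letsencrypt by default) and that the emitted location snippet is included in the :8080 server block before the Magento include, so the challenge is served as a file and never reaches index.php.

```shell
#!/bin/sh
# Added example. Assumptions (not from the original thread):
#   - ACME_WEBROOT is a static directory used only for the HTTP-01 challenge path
#   - the snippet written below is included in the nginx server block on :8080,
#     before /var/www/magento/nginx.conf.sample, so ^~ wins over its regex locations
#   - Varnish on :80 forwards (or pipes, as in the VCL in the question) to nginx:8080
ACME_WEBROOT="${ACME_WEBROOT:-/var/www/letsencrypt}"

# Write an nginx location that serves the challenge from the static webroot.
write_acme_location() {  # $1 = snippet path, $2 = webroot
    cat >"$1" <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $2;
    default_type text/plain;
    try_files \$uri =404;
}
EOF
}

# 32-hex-char random token for the end-to-end probe below.
make_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Prove the whole chain (:80 -> Varnish -> nginx:8080 -> webroot) delivers a
# challenge file for this vhost before certbot is asked to rely on it.
probe_challenge() {  # $1 = domain; returns 1 if the fetched body differs
    tok=$(make_token)
    dir="$ACME_WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$tok" >"$dir/$tok"
    got=$(curl -sS -H "Host: $1" "http://127.0.0.1/.well-known/acme-challenge/$tok") || got=""
    rm -f "$dir/$tok"
    [ "$got" = "$tok" ]
}

# Renew only when nginx -t and the probe both pass; reload nginx after a real renewal.
renew_if_reachable() {  # $1 = domain, remaining args go to certbot (e.g. --dry-run)
    domain="$1"; shift
    nginx -t && probe_challenge "$domain" || return 1
    certbot renew --webroot -w "$ACME_WEBROOT" \
        --deploy-hook "nginx -s reload" "$@"
}

# Usage (not run when this file is sourced): renew_if_reachable magento.site.com --dry-run
```

Run the probe for each of the three subdomains; a mismatch means the request is still being answered by Magento (or cached by Varnish) rather than by the webroot, which is exactly the case in which certbot reports "Challenge failed".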
