Nginx
mcrack, 2021-03-09 11:18:04

How to not generate certificates for some domains in nginx certbot?

Hello, can you please tell me if it is possible to cancel the generation of certificates on some domains?

There is a configured vhost file, in crontab I have the following command to generate Letsencrypt certificates:
10 0 * * 1 /usr/bin/certbot renew --force-renewal >> /home/user/le-renew.log

So, on one of the sites I don't want any more certificate generation; the service should be available only on port 80. Can I somehow remove one of the domains from the list of generated certificates?


2 answer(s)
mureevms, 2021-03-09
@mcrack

Just delete the domain's config file from /etc/letsencrypt/renewal. Or, if there is only one file, delete the line for the unnecessary domain.
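
A reversible way to do what this answer describes, as an added example that is not part of the original answer: instead of deleting the file under /etc/letsencrypt/renewal, rename it so that `certbot renew` no longer sees it. This relies on certbot processing only files matching `*.conf` in the renewal directory; a file renamed to `<name>.conf.disabled` is ignored, and the keys and archive for that lineage stay on disk. The directory path (overridable through RENEWAL_DIR), the lineage names, and the script's argument handling are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original answer.
# certbot renew only processes files matching *.conf in the renewal directory,
# so moving one lineage's config out of that glob disables its renewal without
# deleting keys or archives.
# Assumption: the layout /etc/letsencrypt/renewal/<name>.conf, where <name> is
# the lineage name shown by `certbot certificates`.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Print the lineage names that certbot renew would currently process.
list_renewals() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue          # no match: the glob stays literal, skip it
        basename "$f" .conf
    done
}

# Disable renewal for one lineage by renaming its config to <name>.conf.disabled.
# Returns 1 when there is no such lineage, so a typo does not silently "succeed".
disable_renewal() {
    dir="$1"; name="$2"
    conf="$dir/$name.conf"
    if [ ! -f "$conf" ]; then
        echo "no renewal config for '$name' in $dir" >&2
        return 1
    fi
    mv "$conf" "$conf.disabled"
}

# Re-enable renewal by restoring the original file name.
enable_renewal() {
    dir="$1"; name="$2"
    [ -f "$dir/$name.conf.disabled" ] || return 1
    mv "$dir/$name.conf.disabled" "$dir/$name.conf"
}

# When run directly with a lineage name: show the list before and after.
#   RENEWAL_DIR=/etc/letsencrypt/renewal ./disable-renewal.sh dosug-org.ru
if [ "$#" -ge 1 ]; then
    echo "before:"; list_renewals "$RENEWAL_DIR"
    disable_renewal "$RENEWAL_DIR" "$1"
    echo "after:";  list_renewals "$RENEWAL_DIR"
fi
```

Run `certbot certificates` first to see the lineage names and which domains each one covers. If the unwanted domain has a lineage of its own, `certbot delete --cert-name <name>` is the permanent equivalent of the rename above. If it is only one of several names on a shared certificate, dropping a line from the renewal config is not enough, because the names come from the certificate itself; reissue the lineage with `certbot certonly --cert-name <name> -d <kept-domain> ...`, listing only the names to keep, and the renewal config is updated with it.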

Viktor Taran, 2021-03-09
@shambler81

No, it's technically not possible; it's a matter of the technology and the mutual exclusion of kludges.
Because according to the TCP/IP RFCs, one daemon can have either a unique IP or a port for identification on the network.
You must have a unique public IP for each site, since you cannot change the port, and of course you will not have enough of these IPs. Because of this, a kludge was made that allows you to keep any number of sites on the same port and IP.
The mechanism is as follows: the web server asks your browser for the HTTP referer, parses the host string from it, and on the basis of this host substitutes the desired site config.
BUT with https this cannot happen.
Why? Because answer this question: will you first receive data over the channel, or require keys for the channel?
The keys, correct, and in order to find out which config to substitute you need to receive data via this channel.
In general, the web server cannot physically determine which site you are trying to reach until it receives the keys.
The port is open and it listens, so you won't be able to block anything here either.
What to do.
1. issue the keys
2.

server {
    listen 443 ssl;
    # the names that should not get a real certificate
    server_name 1nnm.ru www.1nnm.ru www.dosug-org.ru dosug-org.ru;
    # placeholder self-signed pair (Debian/Ubuntu ssl-cert package) so the TLS listener can start
    ssl_certificate        /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key    /etc/ssl/private/ssl-cert-snakeoil.key;
    root /var/www/html;
    # 444: close the connection without sending any response
    return 444;
}

Actually, this way you will not have a site on https.
1. And if you have at least 1 site that received https, then all the others now open on it as well.
2. The absence of keys for these sites will not stop them opening on https (because the web server's logic in this matter is generally brutal: it will take the nearest keys (in alphabetical order) and substitute them for everything, and as a result you will also open someone else's site).
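
The same idea written for a current nginx, as an added example that is not the answer's own config. On port 443 nginx picks the server block from the SNI name the client sends in its TLS ClientHello, before any HTTP request is read, so the names that should stay HTTP-only can be given a block that refuses the handshake with `ssl_reject_handshake` (nginx 1.19.4 or newer) instead of answering with a placeholder certificate, and a `default_server` block does the same for any name that has no block at all. The role split (1nnm.ru keeps its Let's Encrypt certificate, dosug-org.ru becomes HTTP-only) and the document roots are assumptions for the example; the live/ paths are certbot's standard layout.

```nginx
# Added example, not the answer's own config. Assumes nginx >= 1.19.4
# (ssl_reject_handshake) and, as an illustration, that 1nnm.ru keeps its
# certificate while dosug-org.ru is to be served over plain HTTP only.

# Catch-all on 443: a ClientHello whose SNI name matches no other block (or
# carries no SNI at all) is rejected at the handshake, so no placeholder
# certificate is ever presented for a name you hold no certificate for.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# Explicit rejection for the HTTP-only site's names, so an old https://
# bookmark fails cleanly instead of landing on another vhost's certificate.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name dosug-org.ru www.dosug-org.ru;
    ssl_reject_handshake on;
}

# The site that keeps HTTPS: selected by SNI, its certificate only ever
# covers its own names.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 1nnm.ru www.1nnm.ru;
    ssl_certificate     /etc/letsencrypt/live/1nnm.ru/fullchain.pem;   # certbot's standard path
    ssl_certificate_key /etc/letsencrypt/live/1nnm.ru/privkey.pem;
    root /var/www/1nnm.ru;                                              # assumed document root
}

# The plain-HTTP site: port 80 only; on 443 only the rejecting blocks above
# answer for its names.
server {
    listen 80;
    listen [::]:80;
    server_name dosug-org.ru www.dosug-org.ru;
    root /var/www/dosug-org.ru;                                         # assumed document root
}
```

Check it with `nginx -t` before reloading, then from another host run `openssl s_client -connect <server-ip>:443 -servername dosug-org.ru`: the handshake should fail with a TLS alert and no certificate should be shown, while the same command with `-servername 1nnm.ru` prints the 1nnm.ru chain. This only closes the port-443 side; the certbot renewal for the dropped name still has to be stopped separately (`certbot delete --cert-name <name>`), otherwise the weekly cron job keeps renewing a certificate nothing uses.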
