Fossil SCM
The abbreviated certbot command didn't work here on my first Let's Encrypt renewal after writing the tls-nginx.md document, so changed that advice to use the full-strength form.
Commit
dadd1342197a5794f69cac649899860165c0edd3911dc98aa9fca28c59a4534f
Parent
3d827943481e96a…
1 file changed
+10
-4
| --- www/tls-nginx.md | ||
| +++ www/tls-nginx.md | ||
| @@ -563,17 +563,23 @@ | ||
| 563 | 563 | HSTS by explicitly using HTTPS URIs. |
| 564 | 564 | |
| 565 | 565 | |
| 566 | 566 | ## Step 7: Renewing Automatically |
| 567 | 567 | |
| 568 | -Now that the configuration is solid, you can renew the LE cert and | |
| 569 | -restart nginx with two short commands, which are easily automated: | |
| 568 | +Now that the configuration is solid, you can renew the LE cert with the | |
| 569 | +`certbot` command from above without the `--dry-run` flag plus a restart | |
| 570 | +of nginx: | |
| 570 | 571 | |
| 571 | - sudo certbot certonly --webroot | |
| 572 | + sudo certbot certonly --webroot \ | |
| 573 | + --webroot-path /var/www/example.com \ | |
| 574 | + -d example.com -d www.example.com \ | |
| 575 | + -d example.net -d www.example.net \ | |
| 576 | + --webroot-path /var/www/foo.net \ | |
| 577 | + -d foo.net -d www.foo.net | |
| 572 | 578 | sudo systemctl restart nginx |
| 573 | 579 | |
| 574 | -I put those in a script in the `PATH`, then arrange to call that | |
| 580 | +I put those commands in a script in the `PATH`, then arrange to call that | |
| 575 | 581 | periodically. Let’s Encrypt doesn’t let you renew the certificate very |
| 576 | 582 | often unless forced, and when forced there’s a maximum renewal counter. |
| 577 | 583 | Nevertheless, some people recommend running this daily and just letting |
| 578 | 584 | it fail until the server lets you renew. Others arrange to run it no |
| 579 | 585 | more often than it’s known to work without complaint. Suit yourself. |
| 580 | 586 |
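Review bot: At the unchanged `sudo systemctl restart nginx` line, the restart still runs whether or not the preceding `certbot certonly` call succeeded, and the paragraph right after it describes running the script daily and "just letting it fail", so as written nginx is restarted on every failed renewal attempt. Since this change already rewrites the command block, consider making the restart conditional on certbot's exit status, for example by chaining the two commands with `&&` or by saying that the script should start with `set -e`. A second point on the new multi-line command: the domain list and both `--webroot-path` values are now spelled out in this step as well as in the earlier `--dry-run` command the prose refers to as "from above", so the two copies can drift apart. A sentence telling the reader to keep the `-d` lists identical in both places would help, since a renewal run with a different set of names requests a certificate covering a different set of hosts than the one that was tested.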
| --- www/tls-nginx.md | |
| +++ www/tls-nginx.md | |
| @@ -563,17 +563,23 @@ | |
| 563 | HSTS by explicitly using HTTPS URIs. |
| 564 | |
| 565 | |
| 566 | ## Step 7: Renewing Automatically |
| 567 | |
| 568 | Now that the configuration is solid, you can renew the LE cert and |
| 569 | restart nginx with two short commands, which are easily automated: |
| 570 | |
| 571 | sudo certbot certonly --webroot |
| 572 | sudo systemctl restart nginx |
| 573 | |
| 574 | I put those in a script in the `PATH`, then arrange to call that |
| 575 | periodically. Let’s Encrypt doesn’t let you renew the certificate very |
| 576 | often unless forced, and when forced there’s a maximum renewal counter. |
| 577 | Nevertheless, some people recommend running this daily and just letting |
| 578 | it fail until the server lets you renew. Others arrange to run it no |
| 579 | more often than it’s known to work without complaint. Suit yourself. |
| 580 |
| --- www/tls-nginx.md | |
| +++ www/tls-nginx.md | |
| @@ -563,17 +563,23 @@ | |
| 563 | HSTS by explicitly using HTTPS URIs. |
| 564 | |
| 565 | |
| 566 | ## Step 7: Renewing Automatically |
| 567 | |
| 568 | Now that the configuration is solid, you can renew the LE cert with the |
| 569 | `certbot` command from above without the `--dry-run` flag plus a restart |
| 570 | of nginx: |
| 571 | |
| 572 | sudo certbot certonly --webroot \ |
| 573 | --webroot-path /var/www/example.com \ |
| 574 | -d example.com -d www.example.com \ |
| 575 | -d example.net -d www.example.net \ |
| 576 | --webroot-path /var/www/foo.net \ |
| 577 | -d foo.net -d www.foo.net |
| 578 | sudo systemctl restart nginx |
| 579 | |
| 580 | I put those commands in a script in the `PATH`, then arrange to call that |
| 581 | periodically. Let’s Encrypt doesn’t let you renew the certificate very |
| 582 | often unless forced, and when forced there’s a maximum renewal counter. |
| 583 | Nevertheless, some people recommend running this daily and just letting |
| 584 | it fail until the server lets you renew. Others arrange to run it no |
| 585 | more often than it’s known to work without complaint. Suit yourself. |
| 586 |