How to renew only one domain with certbot? - lets-encrypt

I have multiple domains with multiple certificates:
$ ll /etc/letsencrypt/live/
> domain1.com
> domain2.com
> domain3.com
> ...
I need to renew only domain1.com, but the command certbot renew renews certificates for all domains. How can I renew certain certificate explicitly?

Renew a single certificate using renew with the --cert-name option.
(certonly creates a certificate for one or more domains, replacing it if exists).
Example
certbot renew --cert-name domain1.com --dry-run
Remove --dry-run to actually renew.
Cert-name != Domain name
Note that the value supplied to --cert-name option is a certificate name (not a domain name) found using
certbot certificates
Returning a list like
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: myfundomains.com
Domains: myfundomains.com
Expiry Date: 2018-05-04 04:28:05+00:00 (VALID: 67 days)
Certificate Path: /etc/letsencrypt/live/myfundomains.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/myfundomains.com/privkey.pem
Certificate Name: ask.myfundomain.com
Domains: ask.myfundomain.com
Expiry Date: 2018-03-13 18:59:40+00:00 (VALID: 16 days)
Certificate Path: /etc/letsencrypt/live/ask.myfundomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ask.myfundomain.com/privkey.pem
Certificate Name: forums.myfundomain.com
Domains: forums.myfundomain.com forum.myfundomain.com
Expiry Date: 2018-04-11 16:39:18+00:00 (VALID: 45 days)
Certificate Path: /etc/letsencrypt/live/forums.myfundomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/forums.myfundomain.com/privkey.pem
-------------------------------------------------------------------------------
Notice how the third Certificate name (forums.myfundomain.com) contains multiple domains:
forums.myfundomains.com
forum.myfundomains.com
Restart Apache / nginx
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ask.myfundomain.com/fullchain.pem
-------------------------------------------------------------------------------
Remember to restart your webserver to make use of the new certificate.

You can use this command (for Apache server):
certbot --apache certonly -n -d domain1.com
--apache for apache server, use --nginx flag for nginx server
-n option execute the command without prompt
-d domain1.com to execute only for domain1.com
You can test with --dry-run, and you can use --pre-hook and --post-hook like with certbot renew
Source : https://certbot.eff.org/docs/using.html#renewing-certificates

You can use this command on Nginx server
Stop Nginx server
sudo systemctl stop nginx
Renew certbot
sudo certbot certonly --force-renew -d domain1.com
Start Nginx server
sudo systemctl start nginx
Check current certs
sudo certbot certificates
Results:
Found the following certs: Certificate Name: domain1.com Serial
Number: 4564f55f3fe993964f8bbc65249a7ed4c91 Key Type: RSA Domains:
domain1.com Expiry Date: 2022-12-19 01:34:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain1.com/privkey.pem

Related

certbot renew in the wrong folder

When I do
certbot certonly --force-renew -d mywebsite.com
It creates a new cert into the wrong folder, adding -0001. And it says:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mywebsite.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mywebsite.com-0001/privkey.pem
And of course the folder /etc/letsencrypt/live/mywebsite.com is not updated.
How can I force certbot to renew in the good folder?
Of course after service nginx reload, when I check the cert in Chrome on mywebsite.com there is no change.
In the NGinx conf, I have:
server {
server_name mywebsite.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem;
It seems that you are certonly when you should be using renew. And it is installing a duplicate certificate not renewing the existing.
When you get the initial certificate you can get it using the above command. It is interactive to the user (or you can make it --non-interactive)
Renewal process is automatic. certbot renew command will check for all certificates that are about to expire in /etc/letsencrypt/ (or whatever directory you tell certbot to use) and it will renew those that are nearing expiry. You run the renew command from cron and it's ok to run it daily or so - it will not really renew anything until certificates are about to expire.

Single laravel install, multiple domains, SSL Encryption

I'm building an app in Laravel that has a single codebase that will serve multiple domain names, a new domain can be added in the CMS, and all that should have to be done for that new domain to work is have it's records pointed to the server. The CMS itself will then display the appropriate pages for that domain, based on the request()->getHost(); function.
The app is being managed with Laravel Forge.
My question is regarding nginx, and LetsEncrypt: I would like all new domains added in this way to be secured via SSL, would every new domain need to be added to forge manually, or is there some way to allow a wildcard TLD in the certificate? (And if so, is that a security risk?).
Will nginx require some specific configuration to work with wildcard TLDs?
My aim is to avoid additional configuration and have it automatic, with the domain name simply being added to the backend.
Thanks!
Please follow the Steps. Hope it will work for you.
1 - First clone Letsencrypt/Certbot repo from Github
cd /opt
git clone https://github.com/certbot/certbot.git
2 - Now enter new created directory and run certificate bot
cd certbot
./letsencrypt-auto certonly --manual --preferred-challenges=dns --email mymail#gmail.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.mywebsite.com
3 - Now Certbot will ask for a DNS record to check that if you really have rights at this domain.
------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.mywebsite.com with the following value:
5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
------------------------------------------------------------------
Press Enter to Continue
4 - After adding this DNS TXT record to your domain and wait for few seconds press enter and continue.
5 - Your certificate is ready!
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mywebsite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mywebsite.com/privkey.pem
Your cert will expire on 2018-08-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
6 - Now we will copy our fullchain.pem and privkey.pem to our Nginx folder and add this to our Nginx server configuration. For example;
server {
listen 443 ssl;
server_name test.mywebsite.com;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
...
Hope it will helpful.

How to get wildcard cert from LetsEncrypt and install to several postion?

Let'sencrypt cert is used in several software in my vps server: apache,postfix,dovecot.
Besides example.com,I need one wildcard cert to cover mail.example.com,www.example.com
Then I tried:
acme.sh --install-cert -d *.example.com -d example.com --dns dns_cf --key-file /etc/pki/dovecot/private/*.example.com.key --fullchain-file /etc/pki/dovecot/certs/examplefullchain.cer --fullchain-file /etc/apache2/fullchain.cer --key-file /etc/apache2/*.example.com.key
The result is Domain is not valid:'*.exmaple.com'
My system is centos 7.4,bash version 4.2.46(2)-release (x86_64-redhat-linux-gnu),acme.sh v2.8.0
Thanks inadvence for any solution!

Switching from let's encrypt staging to production

I’m using ubuntu 18.04.1 LTS with docker / docker compose and traefik. The setup to get certificates is working fine using the staging Let’s Encrypt caserver (https://acme-staging-v02.api.letsencrypt.org/directory). All my specified hosts do get a Fake LE Intermediate X1cert. There are no errors in the logs.
I can however not enable Let’s Encrypt production certs.
In the traefik.toml file - [acme] I deleted the staging caserver uri: no error in the logs / no production cert (staging cert is still applied). Even when I add the Let’s Encrypt prod uri (https://acme-v02.api.letsencrypt.org/directory 2) although it should default, result is sill the same: no prod certs and acme.json still shows the staging uri.
The traefik [acme]:
[acme]
email = "someone#gmail.com"
caserver = "https://acme-v02.api.letsencrypt.org/directory 2"
storage="acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "mydomain"
[[acme.domains]]
…
What am I missing? Appreciate your input.
Issue is solved.
Delete the acme.json & recreate the file. Initially I deleted the content of the acme file but that did not work as explained earlier.
Delete the staging domain:
certbot delete --cert-name example.com
And then retrieve another certificate.
I had the same question. On a server I had issued a cert for 16 domains using the Let's Encrypt staging server using:
sudo certbot --test-cert --apache -d example.com -d www.example.com
To switch over to Let's Encrypts production I ran:
sudo certbot --force-renewal --apache -d example.com -d www.example.com
force-renewal did the trick. But don't run this to many times as you risk hitting LE's rate limit.

Letsencrypt renewal fails: Could not bind to IPv4 or IPv6.. Skipping

The full error message I'm getting is:
Attempting to renew cert from /etc/letsencrypt/renewal/somedomain.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
This is running on an AWS ubuntu 14.04 instance. All ports are open outgoing and 443 is open incoming.
You just need to stop all running servers like Apache, nginx or OpenShift before doing this.
Stop Nginx
sudo systemctl stop nginx
Stop Apache2
sudo systemctl stop apache2
you probably run the script with (preconfigurated) --standalone when your server is already running at port 443.
You can stop server before renew and start them after.
man says:
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
--nginx Use the Nginx plugin for authentication & installation
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script hooks
If I run renew with --apache I can't get any error.
As hinted in the other answers, you need to pass the option for your running webserver, for example:
Without webserver param:
sudo certbot renew
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:tls-sni-01 challenge for example.com
Cleaning up challenges
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected
error:
Problem binding to port 443: Could not bind to IPv4 or IPv6..
Skipping.
Then, again with the webserver param (success):
sudo certbot renew --nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges: tls-sni-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
Congratulations, all renewals succeeded. The following certs have been
renewed: /etc/letsencrypt/live/example.com/fullchain.pem (success)
[This is specifically for ubuntu]
Login as root user to your server
Stop your server using the following command (for nginx)
service nginx stop
Then renew your certificate
certbot renew
Start your server
service nginx start
[TIP] To check the expiry date of your renewed certificate, enter the command below
ssl-cert-check -c [Path_to_your_certificate]/fullchain.pem
For example
ssl-cert-check -c /etc/letsencrypt/live/[your_domain_name]/fullchain.pem
Or
ssl-cert-check -c /etc/letsencrypt/live/[your_domain_name]/cert.pem
If you don't have ssl-cert-check already installed in your server, install it using
apt install ssl-cert-check
Note: The certificate can be renewed only if it is not expired. If it is expired, you have to create new one.
For NodeJS/PM2 users
I was using PM2 for my NodeJS service and when trying to renew the certificate I also got the "Problem binding to port 80: Could not bind to IPv4 or IPv6." error message.
As mentioned in above answers for Apache/Ngnix, Stopping my service and then trying to renew solved the problem.
pm2 stop all
sudo certbot renew
pm2 start all
First you need to install NGiNX lets encrypt plugin (if you work with NGiNX):
sudo apt install python-certbot-nginx
Then you can safely run:
sudo certbot renew --nginx
and it will work.
Note: certbot should already be installed.
For ngnix
sudo certbot renew --nginx
This happened because you used --standalone. The purpose of that option is to launch a temporary webserver because you don't have one running.
Next time use the --webroot method, and you'll be able to use your already running nginx server.
Borrowing from #JKLIR Simply run
/etc/letsencrypt/letsencrypt-auto renew --apache >> /var/log/letsencrypt/renew.log
to renew the ssl certificate
If you're trying to perform the certbot command as a regular user, you may not have access to bind to port 80 and other lower ports. If this is the case, you can grant python access to bind via:
First, see if you can find python 3+ (adjust as needed)
echo "$(readlink -f "$(which python3)")"
Allow python to open port 80 as a regular user (adjust as needed)
sudo setcap CAP_NET_BIND_SERVICE=+eip "$(readlink -f "$(which python3)")"
Re-run the failing certbot command.
Important: On Ubuntu 18.04, Python is called python3. It may be called a number of different things depending on the OS and how you obtained certbot. This command WILL VARY between OSs.
Warning: These lower ports are restricted for good reason. There are security considerations with the setcap command. You may read more about them here: https://superuser.com/a/892391
I use Nginx and needed to stop the server before I can proceed. Then I run the command:
$ sudo ./certbot-auto certonly --standalone -d chaklader.ddns.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for chaklader.ddns.net
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: xxx.chakfffder#gmail.com).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cdddddder.ddns.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/chaklader.ddns.net/privkey.pem
Your cert will expire on 2045-01-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
I had a similar issue when I was running two websites (hosts) on a single instance. I stopped Nginx and then ran sudo certbot certonly --standalone --preferred-challenges http -d domain.com -d www.domain.com. After restarting Nginx everything started to work fine.

Resources