Check-in [dadd134219]
Overview
Comment:The abbreviated certbot command didn't work here on my first Let's Encrypt renewal after writing the tls-nginx.md document, so changed that advice to use the full-strength form.
SHA3-256: dadd1342197a5794f69cac649899860165c0edd3911dc98aa9fca28c59a4534f
User & Date: wyoung 2019-04-02 03:26:19.976
Context
2019-04-03
18:33
Update the built-in SQLite to the latest 3.28.0 alpha version. check-in: 41974e0881 user: drh tags: trunk
2019-04-02
03:26
The abbreviated certbot command didn't work here on my first Let's Encrypt renewal after writing the tls-nginx.md document, so changed that advice to use the full-strength form. check-in: dadd134219 user: wyoung tags: trunk
2019-04-01
00:43
Clean up the detection of BIO_ADDR_hostname_string by removing redundant definitions; apparently autosetup has a feature which automatically creates a define with HAVE_ prepended for whatever function is intended to be detected. check-in: 3d82794348 user: andybradford tags: trunk
Changes
Changes to www/tls-nginx.md.
sufficiently capable and motivated attacker unless you’ve also gone
ahead and [enabled HSTS](#hsts).  You can put off the need to enable
HSTS by explicitly using HTTPS URIs.


## Step 7: Renewing Automatically

Now that the configuration is solid, you can renew the LE cert and

restart nginx with two short commands, which are easily automated:

      sudo certbot certonly --webroot





      sudo systemctl restart nginx

I put those in a script in the `PATH`, then arrange to call that
periodically.  Let’s Encrypt doesn’t let you renew the certificate very
often unless forced, and when forced there’s a maximum renewal counter.
Nevertheless, some people recommend running this daily and just letting
it fail until the server lets you renew.  Others arrange to run it no
more often than it’s known to work without complaint.  Suit yourself.

sufficiently capable and motivated attacker unless you’ve also gone
ahead and [enabled HSTS](#hsts).  You can put off the need to enable
HSTS by explicitly using HTTPS URIs.


## Step 7: Renewing Automatically

Now that the configuration is solid, you can renew the LE cert with the
`certbot` command from above without the `--dry-run` flag plus a restart
of nginx:

      sudo certbot certonly --webroot \
         --webroot-path /var/www/example.com \
             -d example.com -d www.example.com \
             -d example.net -d www.example.net \
         --webroot-path /var/www/foo.net \
             -d foo.net -d www.foo.net
      sudo systemctl restart nginx

I put those commands in a script in the `PATH`, then arrange to call that
periodically.  Let’s Encrypt doesn’t let you renew the certificate very
often unless forced, and when forced there’s a maximum renewal counter.
Nevertheless, some people recommend running this daily and just letting
it fail until the server lets you renew.  Others arrange to run it no
more often than it’s known to work without complaint.  Suit yourself.
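Review bot: the two-command block in the new text restarts nginx unconditionally, even on the runs where certbot fails or declines to renew, which the paragraph right after it says will be the common case when the script runs daily; chain them so nginx is only bounced after a successful renewal, e.g. end the certbot invocation with `... -d foo.net -d www.foo.net && \` and follow it with `sudo systemctl reload nginx`, and prefer `reload` over `restart` so nginx picks up the new certificate without dropping in-flight connections. The text should also say that the domain list and `--webroot-path` values here must match the dry-run command it refers to, otherwise certbot will treat this as a request for a different certificate rather than a renewal.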