How to Simplify LetsEncrypt Certificate Expansion and Renewal with a Config File

· by Jonas Köritz · Read in about 2 min · (344 Words)

In my post Securing the Blog with TLS, I created my TLS certificate using certbot and provided all options as command line parameters. With this approach it is cumbersome to add new domain names to an existing certificate, and renewing the certificate is not easy either. At least not easy enough for me. After the second expiration notice, kindly provided by the Let's Encrypt Expiry Bot, I wanted to simplify this task as much as possible. Certbot accepts a configuration file using the -c parameter.

Create a new configuration file; the directory is not important at all, I created mine inside /etc/letsencrypt/.

rsa-key-size = 4096
email = <Your contact e-mail address>
account = <Your Let's Encrypt account ID (32 character hex string, see below)>
domains = <List of domain names to be included in the certificate: e.g. ",,">
text = True # Run certbot in text mode
agree-tos = True # Agree to the terms of service automatically
keep-until-expiring = True # Do not renew certificates that won't expire in the near future
non-interactive = True # Don't ask any questions
authenticator = webroot
webroot-path = /usr/share/nginx/html

If you have already created a certificate on the machine, you can find your account ID in /etc/letsencrypt/accounts/. There will be a directory with a 32 character hex string as its name; that's your account ID. If there is no such subdirectory, just omit the account line in your config.

To create your certificate you now just have to run certbot certonly -c <full path to your config file>. Let's Encrypt will verify your domains and certbot will put your new certificates into its live directory automatically. Do not forget to point your web server configuration to the (possibly new) certificate location!

If you want to add a new domain name to your certificate, add it to the list of domains in your configuration file and run certbot certonly -c <full path to your config file> --expand, all done!

To renew your certificate, just run certbot renew; certbot automatically manages renewal configuration files inside its /etc/letsencrypt/renew directory.
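The steps above can be scripted. The following bash script is an added example, not code from the original post: it generates the config file in the layout shown above and looks up the account ID the way the post describes (a 32-character hex directory name below /etc/letsencrypt/accounts), leaving the account line out when no account directory exists yet. The e-mail address, web root, accounts directory and domain names are passed as parameters so the functions can be tried against a scratch directory.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build the certbot config file
# described in the post. Paths are parameters instead of the fixed
# /etc/letsencrypt locations so the functions can run against a scratch dir.
set -eu

# find_account_id ACCOUNTS_DIR
# Print the first 32-character hex directory name found below ACCOUNTS_DIR
# (certbot nests it under the ACME server name), or nothing if there is none.
find_account_id() {
    local dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 -type d | sed 's#.*/##' \
        | grep -E '^[0-9a-f]{32}$' | head -n 1 || true
}

# write_certbot_config EMAIL WEBROOT ACCOUNTS_DIR DOMAIN...
# Print a cli.ini in the layout shown in the post to standard output.
write_certbot_config() {
    local email="$1" webroot="$2" accounts_dir="$3"
    shift 3
    if [ "$#" -lt 1 ]; then
        echo "write_certbot_config: at least one domain is required" >&2
        return 1
    fi
    local domains account
    domains=$(printf '%s, ' "$@")
    domains=${domains%, }              # strip the trailing ", "
    account=$(find_account_id "$accounts_dir")

    printf 'rsa-key-size = 4096\n'
    printf 'email = %s\n' "$email"
    if [ -n "$account" ]; then         # omit the line if no account exists yet
        printf 'account = %s\n' "$account"
    fi
    printf 'domains = %s\n' "$domains"
    printf 'text = True\n'
    printf 'agree-tos = True\n'
    printf 'keep-until-expiring = True\n'
    printf 'non-interactive = True\n'
    printf 'authenticator = webroot\n'
    printf 'webroot-path = %s\n' "$webroot"
}

# Usage with the paths from the post, then create the certificate:
#   write_certbot_config you@example.com /usr/share/nginx/html \
#     /etc/letsencrypt/accounts example.com www.example.com > /etc/letsencrypt/cli.ini
#   certbot certonly -c /etc/letsencrypt/cli.ini
```

Adding a domain is then a matter of appending it to the argument list, regenerating the file and running certbot certonly -c /etc/letsencrypt/cli.ini --expand as described above.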