In my post Securing the Blog with TLS, I created my TLS certificate using certbot and provided all options as command line parameters. Using this approach it is cumbersome to add new domain names to an existing certificate and it’s not easy to renew your certificate. At least not easy enough for me. After the second expiration notice, kindly provided by the Let’s Encrypt Expiry Bot, I wanted to simplify this task as much as possible. Certbot accepts a configuration file using the
Create a new configuration file. The directory is not important at all; I created mine inside
```ini
rsa-key-size = 4096
email = <Your contact e-mail address>
account = <Your Let's Encrypt account ID (32 character hex string, see below)>
domains = <List of domain names to be included in the certificate: e.g. "jonaskoeritz.de, www.jonaskoeritz.de, blog.jonaskoeritz.de">
text = True                  # Run certbot in text mode
agree-tos = True             # Agree to the terms of service automatically
keep-until-expiring = True   # Do not renew certificates that won't expire in the near future
non-interactive = True       # Don't ask any questions
authenticator = webroot
webroot-path = /usr/share/nginx/html
```
If you have already created a certificate on this machine, you can find your account ID in
There will be a directory with a 32 character hex string as its name; that's your account ID. If there is no such subdirectory, just omit the account line in your config.
To create your certificate you now just have to run certbot certonly -c <full path to your config file>. Let's Encrypt will verify your domains and certbot puts your new certificates into its live directory automatically. Do not forget to point your web server configuration to the (possibly new) certificate location!
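As an added illustration (not code from the original post), the Python script below parses a config file in the key = value format shown above, sanity-checks the account ID and the domain list, and expands the file into the explicit certbot command line the options stand for, which is the mapping between the two approaches this post contrasts. The sample config, its e-mail address and its account ID are constructed placeholders.

```python
import re
# Constructed sample in the key = value format the post describes; the account ID
# and e-mail address are placeholders (assumption), the domains are the post's own.
SAMPLE_CONFIG = """\
rsa-key-size = 4096
email = admin@example.org
account = 0123456789abcdef0123456789abcdef
domains = jonaskoeritz.de, www.jonaskoeritz.de, blog.jonaskoeritz.de
text = True             # Run certbot in text mode
agree-tos = True        # Agree to the terms of service automatically
non-interactive = True
authenticator = webroot
webroot-path = /usr/share/nginx/html
"""
# key = value, optionally followed by a whitespace-separated '#' or ';' comment
LINE_RE = re.compile(r"^\s*(?P<key>[^:=;#\s]+)\s*[:=]\s*(?P<value>.*?)\s*(?:\s[;#].*)?$")

def parse_cli_ini(text):
    """Return the option dict; blank lines and full-line comments are skipped."""
    opts = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;[":
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        opts[m.group("key")] = m.group("value")
    return opts

def validate(opts):
    """List problems worth catching before certbot contacts Let's Encrypt."""
    problems = []
    if not [d for d in opts.get("domains", "").split(",") if d.strip()]:
        problems.append("domains: at least one domain name is required")
    acct = opts.get("account")
    if acct is not None and not re.fullmatch(r"[0-9a-f]{32}", acct):
        problems.append("account: expected a 32 character hex string, or omit the line")
    return problems

def to_command_line(opts, subcommand="certonly", extra=()):
    """Expand the config into the equivalent explicit certbot invocation."""
    args = ["certbot", subcommand]
    for key, value in opts.items():
        if key == "domains":                      # one -d per comma-separated name
            args += [a for d in value.split(",") for a in ("-d", d.strip())]
        elif value.lower() in ("true", "false"):  # boolean switch: flag present only when True
            args += [f"--{key}"] if value.lower() == "true" else []
        else:
            args += [f"--{key}", value]
    return args + list(extra)                     # extra=("--expand",) when adding a domain
```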
If you want to add a new domain name to your certificate, add it to the list of domains in your configuration file and run certbot certonly -c <full path to your config file> --expand, all done!
To renew your certificate just run certbot renew; certbot automatically manages the renewal configuration files inside its