Certbot is a PITA.
I switched to acme.sh https://github.com/acmesh-official/acme.sh perhaps 4 yrs ago and never looked back. The only times I've had issues with getting certs renewed was when I had firewall rules blocking access to parts of the world from which attacks originated. Now, I manually flush the firewall rules on the cert box just prior to renewal. Takes about 90 seconds for all the certs to be renewed, then I re-enable all the firewall rules. For internal websites that will never be accessible over the internet, but that we still want LE certs for, I stop nginx and run acme.sh in stand-alone mode to get the certs.
I think there's something that people don't like about the acme.sh project. Don't remember what that was. Just know that certbot only worked for me to create certs, but never to renew.
I would run a renewal to test everything for you, but our certs don't expire until late June. We renew every 77 days. A few times, when the renewals were problematic, we needed the extra days to figure out problems.
The renewal command I use looks like this:
Code:
# Some settings.
ACME_SETUP="--server letsencrypt --home $HOME/.acme.sh --nginx --renew --force"
KEYLENGTH="--keylength 4096"
~/.acme.sh$ sudo ./acme.sh $ACME_SETUP -d blog.jdpfu.com --standalone $KEYLENGTH
for all the proxied domains. I use nginx as a reverse proxy and load balancer. I have to stop nginx before running that command for each domain. I used to have a number of domains inside the same cert, but found that was being abused by people trying to access non-public domains, so I switched to 1 domain per cert.
For static websites hosted on the nginx reverse proxy system, renewals are easier.
Code:
~/.acme.sh$ sudo ./acme.sh $ACME_SETUP -d lpi.jdpfu.com $KEYLENGTH
They warn about using sudo, but since my certs are stored under /etc/ it isn't exactly possible for any other user to update them. In short, sudo is required for my specific setup.
I don't think the keylength option was honored last time I looked. Haven't really researched why not. I'm not doing ecommerce and don't really worry about privacy of the connections beyond what TLS v1.3 already provides. I specifically disable all earlier cipher versions.
Anyway, hope this is helpful in some way. Probably not, but at least you got a reply.
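As an added example (my own script, not the poster's or the acme.sh project's), here is the renewal procedure from the post written out end to end: open the firewall for the validation window, stop nginx, renew one cert per domain in standalone mode, and put everything back even if acme.sh fails part-way. It goes beyond the post in two ways: it opens only tcp/80 for the HTTP-01 check instead of flushing every rule, and it verifies the resulting key size with openssl so a silently ignored --keylength shows up as a warning. It uses --standalone on its own, since --standalone and --nginx are alternative validation modes and nginx is stopped anyway. Everything site-specific is an assumption: iptables and systemd, the CERT_DIR install location, and the DOMAINS list (taken from the post).

```shell
#!/bin/sh
# Added example, not code from the original post. Renews one Let's Encrypt
# cert per domain with acme.sh in standalone mode, opening only tcp/80 for the
# HTTP-01 validation instead of flushing the whole firewall, and verifies the
# installed key size afterwards.
# Assumptions (hypothetical, adjust to your setup): iptables and systemd are in
# use, and certs are installed to $CERT_DIR/<domain>.cer and <domain>.key.
set -eu

ACME_HOME="${ACME_HOME:-${HOME:-/root}/.acme.sh}"
CERT_DIR="${CERT_DIR:-/etc/ssl/acme}"              # hypothetical install location
WANT_BITS="${WANT_BITS:-4096}"
DOMAINS="${DOMAINS:-blog.jdpfu.com lpi.jdpfu.com}"  # domains named in the post

# Build the acme.sh argument list for one domain (pure, so it can be checked
# without running acme.sh). --standalone is used without --nginx: they are
# alternative validation modes, and nginx is stopped during renewal.
acme_args() {
    printf '%s' "--server letsencrypt --home $ACME_HOME --renew --force -d $1 --standalone --keylength $WANT_BITS"
}

# Extract the key size from `openssl rsa -noout -text` output read on stdin.
# Handles both "Private-Key: (4096 bit)" and "RSA Private-Key: (4096 bit, 2 primes)".
parse_key_bits() {
    sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeeds only when the installed key has the size we asked for.
check_key_bits() {
    bits=$(openssl rsa -in "$CERT_DIR/$1.key" -noout -text 2>/dev/null | parse_key_bits)
    [ "${bits:-0}" -eq "$WANT_BITS" ]
}

# Open only what the HTTP-01 check needs, rather than flushing every rule.
firewall_open()  { iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT; }
firewall_close() { iptables -D INPUT   -p tcp --dport 80 -j ACCEPT; }

# Runs on any exit: the firewall hole is closed and nginx restarted even when
# acme.sh fails for one of the domains.
cleanup() {
    firewall_close 2>/dev/null || true
    systemctl start nginx || true
}

main() {
    trap cleanup EXIT INT TERM
    firewall_open
    systemctl stop nginx
    for d in $DOMAINS; do
        # Word-splitting of the argument string is intended here.
        "$ACME_HOME/acme.sh" $(acme_args "$d")
        if check_key_bits "$d"; then
            echo "$d: key is $WANT_BITS bit, $(openssl x509 -in "$CERT_DIR/$d.cer" -noout -enddate)"
        else
            echo "$d: WARNING key is not $WANT_BITS bit; reissue with --issue --force --keylength $WANT_BITS" >&2
        fi
    done
}

# Only acts when invoked as `sudo ./renew.sh run`; otherwise the file just
# defines the functions above.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sudo ./renew.sh run` from the cert box. If certs are left in acme.sh's own directory rather than installed under /etc/, set CERT_DIR to the per-domain directory acme.sh uses instead. The trap is the part worth keeping even if the rest is adapted: it guarantees the firewall hole is removed and nginx comes back regardless of how acme.sh exits.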