Comments (7)

JonasAlfredsson commented on July 3, 2024

Hi aschneider,

Hmmm, I thought certbot was clever enough to figure that stuff out. Are you adding and removing domains in the config when you are doing changes so there is actually a diff in the renewal request made?

Also, you should not need a restart of the container to reload configs; a docker kill --signal=HUP <container> should be enough to have everything do a hot reload. If you are interested in only reloading nginx (and not triggering any renewal checks) you can target nginx directly via docker exec -it <container> nginx -s reload.

from docker-nginx-certbot.

JonasAlfredsson commented on July 3, 2024

Because we do use this setting, which I read as "no update will be made to the certificate unless needed":

automation:
  Flags for automating execution & other tweaks

  --keep-until-expiring, --keep, --reinstall
                        If the requested certificate matches an existing
                        certificate, always keep the existing one until it is
                        due for renewal (for the 'run' subcommand this means
                        reinstall the existing certificate). (default: Ask)

aschneider commented on July 3, 2024

Hello Jonas,

Thank you for the response, appreciated!

What I am doing is usually adding one such block to my config, always creating a new subdomain in my TLD for the new service I came up with, and then pointing it to some host:port in my home lab.

server {
    listen 443 ssl;
    server_name newsubdomain.mytld.com;

    ssl_certificate     /etc/letsencrypt/live/newsubdomain.mytld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/newsubdomain.mytld/privkey.pem;

    # ... some SSL setting ...

    access_log            /var/log/nginx/newsubdomain.mytld.access.log;

    location / {
        # ... some proxy headers...

        proxy_pass          http://10.10.10.230:80;
        proxy_redirect      http://10.10.10.230:80 https://newsubdomain.mytld.com;
    }
}

(sorry for the formatting, can't get it to work :( )

Important to note: I have one big old nginx.conf file where I am currently adding all the servers. I was wondering whether it would make a difference for certbot if all definitions were in separate conf files? Anything else I am doing here that might screw with certbot?

I am quite hesitant to troubleshoot and test different ways here, because if it goes wrong I am quickly locked out by Let's Encrypt, and I have a couple of services that do have production users whilst others are homeassistant or other non-important stuff. And switching to staging does not make the issue visible, and switching back requires new certs, so the issue is even more prominent.

I will try the nginx reload mechanism though, thank you! That way I can add a service, which won't get a cert until the next renewal run is scheduled, which should be fine I guess!

JonasAlfredsson commented on July 3, 2024

I am not at my computer right now so can't give you any nice links, but in the docs there should be information regarding how my scripts assemble the requests, and what limits Let's Encrypt imposes.

I think you will benefit from splitting into smaller configs, where all servers in one config share the same certificate.

Also, if you read the advanced docs you can find information on how you can override my scripts in case you want to issue a star certificate instead, which means you can reuse the same one for all servers.

aschneider commented on July 3, 2024

Wildcard cert sounds interesting! Did not know that was possible with Let's Encrypt. That might solve the issue entirely. I'll consult the docs and report back. Thank you!

aschneider commented on July 3, 2024

Splitting up into separate nginx files has already worked. I seem to be able to request many more certs than before without running into any limits. Using a wildcard did not work for me since my domain/DNS hoster "united domains" does not seem to be supported.
So having one big conf file seems to make a request for each server name with the names of all the domains, and therefore produces parallel requests.

Thank you very much for your assistance, appreciated!
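Jonas's suggestion to split the config so that all server blocks in one file share one certificate, and aschneider's observation that the single big file made every certificate request carry all the domains, describe the same mechanism. The Python below is an added example written for this page; it is not part of the issue thread or of the docker-nginx-certbot scripts. It models that mechanism under one stated assumption: each certificate named in a conf file (via its /etc/letsencrypt/live/<cert_name>/privkey.pem path) is requested with every server_name found anywhere in that same file. Under that model, adding one server block to a monolithic file changes the name set of every certificate, so with --keep-until-expiring none of them still "matches an existing certificate" and all are ordered again at once, while in the split layout only the new file's certificate is requested. The hostnames (a.example.com and so on) and server blocks are constructed for the example.

```python
import re
from collections import defaultdict

# Certificate name as used in the issue: /etc/letsencrypt/live/<cert_name>/privkey.pem
CERT_KEY_RE = re.compile(
    r"ssl_certificate_key\s+/etc/letsencrypt/live/([^/\s]+)/privkey\.pem\s*;"
)
SERVER_NAME_RE = re.compile(r"server_name\s+([^;]+);")


def server_block(cert_name, *names):
    """Constructed nginx server block in the shape posted in the issue."""
    return (
        "server {\n"
        "    listen 443 ssl;\n"
        f"    server_name {' '.join(names)};\n"
        f"    ssl_certificate     /etc/letsencrypt/live/{cert_name}/fullchain.pem;\n"
        f"    ssl_certificate_key /etc/letsencrypt/live/{cert_name}/privkey.pem;\n"
        "    location / { proxy_pass http://10.10.10.230:80; }\n"
        "}\n\n"
    )


def plan_requests(conf_files):
    """Return {cert_name: frozenset(server names)} that would be requested.

    Modelled assumption (taken from the thread, not from the project's
    own script): every certificate referenced in a conf file is requested
    with all server_name entries found anywhere in that same file, not
    only the names of the server block that uses it.
    """
    requests = defaultdict(set)
    for text in conf_files.values():
        names = set()
        for match in SERVER_NAME_RE.finditer(text):
            names.update(match.group(1).split())
        for cert_name in CERT_KEY_RE.findall(text):
            requests[cert_name].update(names)
    return {cert: frozenset(names) for cert, names in requests.items()}


def reissued(before, after):
    """Certificates certbot would request again after a config change.

    --keep-until-expiring keeps an existing certificate only while the
    requested name set still matches it, so a changed or new set is
    ordered again and counts against Let's Encrypt rate limits.
    """
    return {cert for cert, names in after.items() if before.get(cert) != names}


# Constructed home-lab layout: three services, then a fourth one is added.
SERVICES = [
    ("a.example", ("a.example.com",)),
    ("b.example", ("b.example.com", "www.b.example.com")),
    ("c.example", ("c.example.com",)),
]
NEW_SERVICE = ("d.example", ("d.example.com",))


def monolithic(services):
    """Everything in one nginx.conf, as in the original setup."""
    return {"nginx.conf": "".join(server_block(c, *n) for c, n in services)}


def split(services):
    """One conf file per certificate, as suggested in the thread."""
    return {f"{c}.conf": server_block(c, *n) for c, n in services}


def compare_layouts():
    """Which certificates get re-issued when one service is added, per layout."""
    before, after = SERVICES, SERVICES + [NEW_SERVICE]
    return {
        "monolithic": sorted(reissued(plan_requests(monolithic(before)),
                                      plan_requests(monolithic(after)))),
        "split": sorted(reissued(plan_requests(split(before)),
                                 plan_requests(split(after)))),
    }


if __name__ == "__main__":
    for layout, certs in compare_layouts().items():
        print(f"{layout:<11} re-issues {len(certs)} certificate(s): {', '.join(certs)}")
```

Run as a script it reports four re-issued certificates for the monolithic layout and one for the split layout. Note that in this model a plain port-80 redirect block with its own server_name in the same file would also be folded into every certificate in that file, which is one more reason to keep unrelated server blocks in separate files.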

JonasAlfredsson commented on July 3, 2024

Glad it was as simple as that.

However, if you want to add support for your DNS provider I am open to pull requests :)
