{"id":2581,"date":"2019-07-22T14:56:24","date_gmt":"2019-07-22T21:56:24","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=2581"},"modified":"2019-07-29T11:33:39","modified_gmt":"2019-07-29T18:33:39","slug":"letsencrypt-tips-and-tricks","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/letsencrypt-tips-and-tricks\/","title":{"rendered":"Letsencrypt tips and tricks"},"content":{"rendered":"<p>Why issue certificates by hand when Letsencrypt&#8217;s Certbot can do the job for you?<\/p>\n<p><!--more--><\/p>\n<h2>Verify that your instructions are up to date<\/h2>\n<p>Always make sure that you are following the current instructions for your web server and your OS. First, visit:<\/p>\n<p><a href=\"https:\/\/certbot.eff.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/certbot.eff.org\/<\/a><\/p>\n<p>Next, select your web server and operating system and follow the steps shown for that combination.<\/p>\n<h2>Use --dry-run before running Certbot for real<\/h2>\n<p>By adding the flag:<\/p>\n<pre>--dry-run<\/pre>\n<p>to the renew or certonly subcommands, you can test your syntax without having any real certificates issued on your behalf: Certbot talks to Letsencrypt&#8217;s staging environment instead of production, obtains a test certificate and discards it rather than writing it to disk. You still get the full output in the console, so a failing challenge shows up exactly as it would for real. Two caveats: a dry run is not entirely side-effect free (in webroot mode the challenge files are still written to and removed from the web root, and --pre-hook and --post-hook commands still run, while --deploy-hook does not), and the staging environment has its own, much more generous rate limits, so a successful dry run tells you nothing about how close you are to the production limits.<\/p>\n<h2>Renew a specific certificate by name<\/h2>\n<p>Renew a specific certificate by name:<\/p>\n<pre>certbot renew --cert-name cloudinsidr.com --dry-run<\/pre>\n<p>The name is the lineage name shown by certbot certificates (by default the first domain given at issuance), not necessarily every domain the certificate covers.<\/p>\n<h2>Run certbot multiple times to issue individual certificates for different groups of domains<\/h2>\n<p>Running certbot multiple times (namely: once per virtual host) with the webroot authenticator and the arguments -w and -d yields one certificate per run. The -w flag specifies the web root directory in which Certbot places the HTTP-01 challenge files, and each -d flag names a domain to include in the certificate; a -d applies to the most recent -w before it, so a single command can also cover several web roots.<\/p>\n<p>Letsencrypt issues one certificate per run, and Certbot stores each lineage under its own directory, \/etc\/letsencrypt\/live\/&lt;cert-name&gt;\/, whose files are symlinks into \/etc\/letsencrypt\/archive.<\/p>\n<p>Strive to issue one certificate for a domain and all its subdomains, as this will reduce your exposure to Letsencrypt&#8217;s famous rate limits. 
To clarify: this works up to a fairly generous limit of 100 <strong>Names per Certificate<\/strong>. The main restriction is a metric called <strong>Certificates per Registered Domain<\/strong>, which Letsencrypt has capped at <a href=\"https:\/\/letsencrypt.org\/docs\/rate-limits\/\" target=\"_blank\" rel=\"noopener noreferrer\">50 per week as of this writing<\/a>. Every certificate that contains any name under cloudinsidr.com counts against that one budget, so five certificates for five subdomains cost five times as much as one certificate listing all five. A related limit, <strong>Duplicate Certificate<\/strong>, caps certificates with exactly the same set of names at 5 per week; renewals are exempt from the registered-domain limit but not from this one, which is what you run into if you re-issue (for example with --force-renewal) instead of letting Certbot renew when a certificate is actually due.<\/p>\n<p>Stay away from wildcard certificates. One private key covers every host under the domain, so compromising any server that holds it breaks TLS for all of them, and issuing one requires the DNS-01 challenge, which means the renewal host has to hold credentials that can modify your DNS zone.<\/p>\n<h2>List all of your certificates<\/h2>\n<p>If you want to see which certificates you have previously issued on a particular server instance, run:<\/p>\n<pre>certbot certificates<\/pre>\n<p>The resulting output looks something like this:<\/p>\n<pre>Saving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\r\n\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\nFound the following certs:\r\nCertificate Name: certificate-name1.com\r\nDomains: domain1.com domain2.com\r\nExpiry Date: 2019-10-17 13:37:37+00:00 (VALID: 86 days)\r\nCertificate Path: \/etc\/letsencrypt\/live\/certificate-name1.com\/fullchain.pem\r\nPrivate Key Path: \/etc\/letsencrypt\/live\/certificate-name1.com\/privkey.pem\r\nCertificate Name: certificate-name2.com\r\nDomains: your-webshop1.com your-webshop2.com your-webshop3.com\r\nExpiry Date: 2019-09-14 16:14:02+00:00 (VALID: 53 days)\r\nCertificate Path: \/etc\/letsencrypt\/live\/certificate-name2.com\/fullchain.pem\r\nPrivate Key Path: \/etc\/letsencrypt\/live\/certificate-name2.com\/privkey.pem\r\nCertificate Name: certificate-name3.com\r\nDomains: domain-name1.com domain-name2.com\r\nExpiry Date: 2019-10-17 14:32:14+00:00 (VALID: 86 days)\r\nCertificate Path: \/etc\/letsencrypt\/live\/certificate-name3.com\/fullchain.pem\r\nPrivate Key Path: \/etc\/letsencrypt\/live\/certificate-name3.com\/privkey.pem\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/pre>\n<p>The Certificate Name is the value to pass to --cert-name, the Domains line lists every name the certificate covers, and the two paths are symlinks that Certbot repoints at the newest files on each renewal. Point your web server configuration at these live paths rather than at anything under \/etc\/letsencrypt\/archive, or a renewal will silently leave it serving the old certificate.<\/p>\n<h2>Allow a subset of domain names<\/h2>\n<p>The 
flag:<\/p>\n<pre>--allow-subset-of-names<\/pre>\n<p>tells Certbot to continue with certificate generation if only some of the specified domain authorizations can be obtained. This is useful when some of the domains in a certificate no longer point at this system, for example:<\/p>\n<pre>certbot renew --cert-name cloudinsidr.com --dry-run --allow-subset-of-names<\/pre>\n<p>Note that the resulting certificate covers only the names whose challenges passed, so check certbot certificates afterwards to confirm nothing you still need was dropped. The flag currently fails in combination with --force-renewal; in that case, use the add-or-remove syntax below instead.<\/p>\n<h2>Add or remove domains<\/h2>\n<p>To add or remove domains, re-run certonly against the existing lineage with the complete new set of names; whatever is not listed is dropped, and every name that is listed must pass its challenge, so a newly added name already has to resolve to this host:<\/p>\n<pre>certbot certonly --cert-name cloudinsidr.com -d cloudinsidr.com -d www.cloudinsidr.com -d ssl.cloudinsidr.com -d shop.cloudinsidr.com --dry-run<\/pre>\n<h2>Renew certificates in a cronjob<\/h2>\n<p>There are several implementations of cron, so the details may vary. Before adding anything, check whether your distribution&#8217;s Certbot package already ships a systemd timer (systemctl list-timers will show it); if it does, you are done, and a cron job would only schedule the same renewals twice. Otherwise, edit the jobs in the \/etc\/crontab file, for example:<\/p>\n<pre>nano \/etc\/crontab<\/pre>\n<p>Here is an example of how you would want this file to look once you are done editing:<\/p>\n<pre>SHELL=\/bin\/bash\r\nPATH=\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\r\nMAILTO=root\r\n\r\n# For details see man 4 crontabs\r\n\r\n# Example of job definition:\r\n# .---------------- minute (0 - 59)\r\n# | .------------- hour (0 - 23)\r\n# | | .---------- day of month (1 - 31)\r\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\r\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\r\n# | | | | |\r\n# * * * * * user-name command to be executed\r\n\r\n25 3,15 * * * root certbot renew --deploy-hook \"systemctl reload nginx\"<\/pre>\n<p>Three things in that line are deliberate. First, the job runs twice a day, which is what Letsencrypt recommends: certbot renew only renews certificates that are within 30 days of expiry and exits quickly otherwise, so the extra runs cost nothing and give you many retries if Letsencrypt or your DNS has a bad day. Second, there is no --force-renewal: forcing a renewal on every run re-issues certificates that are nowhere near expiry and burns through the Duplicate Certificate rate limit for no benefit. Use --force-renewal only for a one-off, never in a schedule. Third, the reload hangs off --deploy-hook rather than --post-hook: a post-hook runs after every invocation whether or not anything was renewed, while a deploy-hook runs once per certificate that was actually renewed, so nginx is only reloaded when there is something new to load. If you only want one lineage renewed on this schedule, add --cert-name as in the earlier examples. Pick a minute other than :00 so you do not join every other host hitting the CA at the top of the hour, and keep MAILTO set so a failed renewal reaches someone.<\/p>\n<p>Most cron implementations pick up changes to \/etc\/crontab on their own. If you would rather be certain, restart the service:<\/p>\n<pre>\/bin\/systemctl restart crond.service<\/pre>\n<h2>Remove certificates that you no longer need<\/h2>\n<p>Removing certificates from a system is as easy as running this command:<\/p>\n<pre>certbot delete 
--cert-name certificate-name.com<\/pre>\n<p>This removes the lineage&#8217;s live, archive and renewal entries under \/etc\/letsencrypt, so Certbot also stops trying to renew it. Two caveats. First, remove every web server configuration block that still references the certificate paths before you delete, or the next configuration reload will fail. Second, deleting is not revoking: if the private key may have been exposed, revoke the certificate first with certbot revoke (pass --reason keycompromise so the CA records why), and only then delete the lineage.<\/p>\n<p>That&#8217;s it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why issue certificates by hand when Letsencrypt&#8217;s Certbot can do the job for you?<\/p>\n","protected":false},"author":1,"featured_media":2584,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[33,111,109,6],"tags":[217,118,114]}
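The per-virtual-host issuance procedure from the section "Run certbot multiple times to issue individual certificates for different groups of domains", as an added shell example that is not part of the original post. The vhost map, web roots and domain names are constructed placeholders. The script only prints the certbot command line it would run for each vhost, with --dry-run appended, so the plan can be reviewed before anything is issued; it also refuses wildcard names, in line with the article's advice.

```shell
#!/bin/sh
# Added example, not part of the original post: plan one `certbot certonly`
# run per virtual host using the webroot authenticator. Every name a vhost
# serves goes into that vhost's single certificate, so the number of
# certificates (and the rate-limit budget they consume) equals the number
# of vhosts, not the number of names. Web roots and domains are placeholders.
set -eu

# Constructed vhost map, one vhost per line: "<web root> <name> [<name> ...]".
# The first name is reused as --cert-name so the lineage is easy to find
# later in `certbot certificates` and to target with `certbot renew --cert-name`.
VHOSTS='/var/www/example example.com www.example.com
/var/www/shop shop.example.com
/var/www/blog blog.example.com www.blog.example.com'

# build_cmd WEBROOT NAME [NAME ...]
# Prints the certbot command line for one vhost. -w must come before the
# -d flags it applies to; every -d here shares the one web root.
build_cmd() {
    webroot=$1; shift
    [ $# -gt 0 ] || { echo "build_cmd: no names for $webroot" >&2; return 1; }
    cmd="certbot certonly --webroot -w $webroot --cert-name $1"
    for name in "$@"; do
        case $name in
            # One wildcard key would cover every host under the domain;
            # refuse it here rather than discover it at renewal time.
            \**) echo "build_cmd: refusing wildcard name $name" >&2; return 1 ;;
        esac
        cmd="$cmd -d $name"
    done
    # Always start against the staging environment; drop --dry-run only
    # once every challenge passes.
    printf '%s --dry-run\n' "$cmd"
}

# Emits one command per vhost in the map, for review before execution.
plan_all() {
    printf '%s\n' "$VHOSTS" | while read -r webroot names; do
        # $names is intentionally unquoted so each name becomes its own -d
        build_cmd "$webroot" $names
    done
}

plan_all
```

Run it, read the printed commands, execute them one by one, and remove --dry-run from each only after the staging run reports success; a failed HTTP-01 challenge on production counts against the Failed Validation limit, a passed staging run does not.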
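A check to pair with the cron job from "Renew certificates in a cronjob": it parses the output of certbot certificates (the format shown under "List all of your certificates") and reports every lineage that is closer to expiry than Certbot's default 30-day renewal window. With a scheduled renewal in place, anything this reports means the renewals are failing silently. Added example, not part of the original post; the sample output below is constructed to match the article's layout, and its names and dates are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: audit `certbot certificates`
# output and flag lineages with fewer than N days of validity left.
set -eu

# Constructed sample in the same layout as the `certbot certificates`
# output shown in the article. Names and remaining days are made up;
# certificate-name3.com uses the form Certbot prints for an expired cert.
SAMPLE_OUTPUT='Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: certificate-name1.com
    Domains: domain1.com domain2.com
    Expiry Date: 2019-10-17 13:37:37+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/certificate-name1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name1.com/privkey.pem
  Certificate Name: certificate-name2.com
    Domains: your-webshop1.com your-webshop2.com your-webshop3.com
    Expiry Date: 2019-08-01 16:14:02+00:00 (VALID: 9 days)
    Certificate Path: /etc/letsencrypt/live/certificate-name2.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name2.com/privkey.pem
  Certificate Name: certificate-name3.com
    Domains: domain-name1.com domain-name2.com
    Expiry Date: 2019-07-20 14:32:14+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/certificate-name3.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/certificate-name3.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -'

# expiring_lineages DAYS TEXT
# Prints "<certificate name><TAB><days left>" for every lineage in TEXT
# with fewer than DAYS days of validity. Expired or otherwise invalid
# lineages carry no day count and are reported as -1 so they are never
# missed by a threshold, however low.
expiring_lineages() {
    printf '%s\n' "$2" | awk -v max="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            # "(VALID: 86 days)" -> 86; "(INVALID: EXPIRED)" has no number
            if (match($0, /\(VALID: [0-9]+ day/))
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
            if (days < max) printf "%s\t%d\n", name, days
        }'
}

# Example run against the constructed sample. In production, feed it
# "$(certbot certificates 2>/dev/null)" and exit non-zero when the report
# is not empty so cron's MAILTO delivers it.
report=$(expiring_lineages 30 "$SAMPLE_OUTPUT")
if [ -n "$report" ]; then
    printf 'lineages with fewer than 30 days left:\n%s\n' "$report"
fi
```

Schedule this a few hours after the renewal job rather than at the same time, so a renewal that has just failed (and will be retried at the next run) shows up as a warning before it turns into an expired site.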