Hi,
It's been quite some time eh. As you can see, I still upgrade my OpenBSD system regularly but currently I do not have the time to write another blog post. So, here I am.
My OpenBSD 6.5 server has a Let's Encrypt certificate that covers multiple subdomains. Nginx on this system acts as an HTTPS reverse proxy in front of a Docker host backend.
[Router] <--https--> [OpenBSD] <--http--> [Docker]
For this example I'm replacing the subdomains with generic names. First, I check my existing SSL certificate.
$ doas certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: domain.my
Domains: domain.my www.domain.my 123.domain.my 456.domain.my
Expiry Date: 2019-12-11 09:35:47+00:00 (VALID: 34 days)
Certificate Path: /etc/letsencrypt/live/domain.my/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.my/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Great. I still have a valid certificate. What I'm planning to do is to remove these subdomains:
1) 123.domain.my
2) 456.domain.my
Then add 2 new subdomains:
1) abc.domain.my
2) def.domain.my
As Nginx is the service using the certificate, I stop Nginx before modifying the certificate.
$ doas rcctl stop nginx
Then I request the certificate modification with certbot. Take note of the "Certificate Name" value from the previous output, as it is needed to modify the existing certificate in place.
$ doas certbot certonly --cert-name domain.my -d domain.my,www.domain.my,abc.domain.my,def.domain.my
After running the command, certbot prompts me to select how to authenticate my server. Here I opted to spin up the temporary standalone webserver (option 1).
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Next, certbot shows me the changes that will be made. I choose "U" to update the cert.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate domain.my to include new domain(s):
+ abc.domain.my
+ def.domain.my
You are also removing previously included domain(s):
- 123.domain.my
- 456.domain.my
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.my/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.my/privkey.pem
Your cert will expire on 2020-02-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
And it's done! So easy. Take note that I did not use "--expand" in the command.
If you do not include "--cert-name CERT_NAME" in your command, certbot creates another certificate whose name carries a "-0001" suffix, such as "domain.my-0001", and you end up with two separate certificates instead.
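As an added example (not part of the original post), here is a small POSIX sh script that does the bookkeeping above in a repeatable way: it reads the "Domains:" line that "certbot certificates" prints for a given certificate name, shows which names will be added and removed (the same summary certbot asks you to confirm with "U"), builds the certonly command with --cert-name so that no "-0001" lineage is created, and after the run lists the DNS SANs actually present in fullchain.pem. The embedded certbot output is a constructed sample modelled on the post; the certificate name, domains and paths are the post's placeholders, and the --apply path assumes certbot, doas, rcctl and openssl are installed on the OpenBSD host.

```sh
#!/bin/sh
# Added example (not from the original post). Plans and applies an in-place
# Let's Encrypt SAN change with certbot, the way the post does by hand.
# The planning helpers need only sh and awk; update_cert (run with --apply)
# assumes doas, rcctl, certbot and openssl are available.

# Constructed sample of `certbot certificates` output, modelled on the post.
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: domain.my
    Domains: domain.my www.domain.my 123.domain.my 456.domain.my
    Expiry Date: 2019-12-11 09:35:47+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/domain.my/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.my/privkey.pem'

# current_domains CERT_NAME OUTPUT
#   Prints the space-separated "Domains:" list of the named certificate, so the
#   change is computed against what is really in the lineage, not from memory.
current_domains() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == "Certificate" && $2 == "Name:" { cur = $3 }
        cur == name && $1 == "Domains:"      { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# in_list WORD "LIST"  -> exit status 0 if WORD is one of the words in LIST
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# plan_changes "OLD LIST" "NEW LIST"
#   Prints "+ name" / "- name" lines, the same summary certbot shows before
#   asking for (U)pdate, so the change can be reviewed before anything is touched.
plan_changes() {
    for d in $2; do in_list "$d" "$1" || printf '%s %s\n' '+' "$d"; done
    for d in $1; do in_list "$d" "$2" || printf '%s %s\n' '-' "$d"; done
}

# build_certbot_cmd CERT_NAME "NEW LIST"
#   --cert-name keeps the existing lineage; without it certbot creates a second
#   lineage named CERT_NAME-0001 instead of updating this one.
build_certbot_cmd() {
    list=""
    for d in $2; do list="${list:+$list,}$d"; done
    printf 'certbot certonly --cert-name %s -d %s\n' "$1" "$list"
}

# live_domains FULLCHAIN
#   Prints the DNS SANs actually present in the issued certificate (needs
#   openssl), for confirming the result once certbot has run.
live_domains() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/DNS:|,/, ""); sub(/^ +/, ""); print }'
}

# update_cert CERT_NAME "NEW LIST"
#   Stops nginx (the standalone authenticator needs the web port free), runs
#   the interactive certbot update, starts nginx again and shows the SANs now
#   in the live certificate. Runs only when the script is invoked with --apply.
update_cert() {
    old=$(current_domains "$1" "$(doas certbot certificates 2>/dev/null)")
    echo "Planned change for $1:"; plan_changes "$old" "$2"
    doas rcctl stop nginx
    doas $(build_certbot_cmd "$1" "$2")
    doas rcctl start nginx
    live_domains "/etc/letsencrypt/live/$1/fullchain.pem"
}

if [ "${1:-}" = "--apply" ]; then
    update_cert domain.my "domain.my www.domain.my abc.domain.my def.domain.my"
fi
```

Run it without arguments (or source it) to get the helpers only; run it with --apply on the server to perform the same stop / certonly / start sequence as the post, after reviewing the printed "+"/"-" plan. Comparing the output of live_domains with the intended list is the quick check that Nginx is now serving a certificate with exactly the SANs you expect.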
That's all. Until next post!
Ref: https://certbot.eff.org/docs/using.html#renewing-certificates
Wednesday, November 06, 2019