
I have ~30 domains running on my server, all of them with SSL certificates managed by the Certbot nginx plugin. All of them, except one... let's call it selfsigned.example.com.

This domain uses a self-signed certificate because it's being accessed by an embedded device, for which I haven't managed to get a proper certificate chain to work. The embedded device checks the certificate fingerprint, so it's quite secure as long as I don't need revocation. But it's important that the cert on the server doesn't get replaced by Certbot, otherwise the device will refuse to connect.

I frequently add new domains to the configuration, and then I rerun certbot --nginx to generate a new certificate for them. But every time I do that, certbot prompts me:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: whatever.example.com
2: something.example.com
...
17: selfsigned.example.com
...
32: thelastone.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

If I just press Enter, Certbot will overwrite the ssl_certificate and ssl_certificate_key directives for selfsigned.example.com with a cert from Let's Encrypt. So I have to manually type out all numbers except 17 in this case.

As a cautious and lazy sysadmin, how can I make it so that I can just press Enter? Maybe there's some magic comment (similar to # managed by Certbot) that lets me say # Certbot ignore?

Thomas
  • I neither use nor recommend the certbot nginx plugin. The configuration it writes isn't very good. And of course it doesn't seem to work very well for your use case. See [here](https://serverfault.com/a/896555/126632) for my sample configuration. – Michael Hampton Jan 27 '19 at 16:22
  • @MichaelHampton The thought hadn't even occurred to me. Does your certbot still _parse_ the list of domains from your nginx config, or do you have to maintain that list in two places? – Thomas Jan 28 '19 at 10:33
  • No, I specify the domains on the command line. This is only an issue when initially getting certificates; of course it remembers them for renewals. And of course you can automate the initial bit too, in your configuration management or even a shell script. – Michael Hampton Jan 28 '19 at 15:14
  • without changing to a different certificate manager, and assuming certbot does not have the capability you want, why not store a csv containing all servers except #17 and copy paste. – Timmy Browne Jan 30 '19 at 23:28
  • @TimmyBrowne Because the numbers may change as I add/remove domains. I think certbot orders them alphabetically. – Thomas Jan 31 '19 at 09:02
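The comments above suggest naming the domains on the command line instead of answering the interactive prompt, and automating that in a shell script. The script below is an added example (not code from the question, the answer or the Certbot project) of that approach: it collects every `server_name` from the nginx configuration, drops the names that must keep their own certificate, and prints the resulting `certbot --nginx -d ...` command. It assumes the site files end in `.conf` and live in one directory (the sample files are constructed inline, standing in for `/etc/nginx/sites-enabled`); the exclusion list is passed explicitly, so `selfsigned.example.com` is never handed to Certbot no matter what position it would have had in the menu.

```shell
#!/bin/sh
# Added example: build an explicit domain list for certbot from nginx config,
# so the interactive "Which names would you like to activate HTTPS for?" menu
# (and its numbering, which shifts as domains come and go) is never used.

# Print every server_name found in "$1"/*.conf, one per line, sorted and unique,
# minus the space-separated names in "$2" and minus nginx catch-all / pattern names.
collect_certbot_domains() {
    conf_dir="$1"
    exclude="$2"
    grep -h -E '^[[:space:]]*server_name[[:space:]]' "$conf_dir"/*.conf \
    | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;.*$//' \
    | tr ' \t' '\n\n' \
    | grep -v '^$' \
    | grep -v -E '^(_|localhost|\*|~)' \
    | sort -u \
    | while read -r name; do
        skip=0
        for ex in $exclude; do
            if [ "$name" = "$ex" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$name"; fi
      done
}

# Print (do not run) the certbot command for the collected names.
# --non-interactive fails instead of prompting; --expand answers the
# "expand the existing certificate?" question that otherwise appears when
# names are added to a certificate certbot already manages.
certbot_command() {
    args=""
    for d in $(collect_certbot_domains "$1" "$2"); do
        args="$args -d $d"
    done
    printf 'certbot --nginx --non-interactive --expand%s\n' "$args"
}

# Constructed sample configuration (stands in for /etc/nginx/sites-enabled).
# The self-signed site and a default_server block are included on purpose.
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/sites.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name whatever.example.com;
    ssl_certificate /etc/letsencrypt/live/whatever.example.com/fullchain.pem; # managed by Certbot
}
server {
    listen 443 ssl;
    server_name selfsigned.example.com;
    ssl_certificate /etc/ssl/private/selfsigned.crt;   # pinned by the embedded device
}
server {
    listen 80 default_server;
    server_name _;
}
EOF
    cat > "$dir/more.conf" <<'EOF'
server {
    server_name   something.example.com   thelastone.example.com;
}
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: show the command that would be executed.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_config)
    certbot_command "$sample" "selfsigned.example.com"
    rm -rf "$sample"
fi
```

To use it against a real server, call `certbot_command /etc/nginx/sites-enabled "selfsigned.example.com"` and run the printed command once it looks right (or wrap it in `eval` in your own script). Because the excluded name is matched exactly rather than by menu number, adding or removing other domains cannot cause the self-signed site to be selected by accident.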

1 Answer

Indeed certbot's nginx configuration management is... not great. It makes a mess of your config whenever it decides to rewrite parts of it.

But: Let's Encrypt supports wildcard certificates. So I just created a wildcard cert for example.com,*.example.com and manually configured it in nginx.

Thomas