nginx and certbot but without a working plugin


  • Mon 14 December 2020
  • misc

ClueTrust doesn't run certbot as a general rule (I've written about why in the past) but sometimes it is necessary to run it in an unusual application that is not part of our ordinary automation stack.

Certbot has a plugin that works with nginx, but what if you're in a situation where for whatever reason you can't make the plugin work?

It turns out that this isn't terribly hard. You can have nginx act as a passthrough (reverse proxy) and run certbot on an alternate port.

For your nginx.conf (put it right under the "location /" definition in the "server" stanza for port 80):

        location '/.well-known/acme-challenge' {
                proxy_pass http://127.0.0.1:8080/.well-known/acme-challenge;
                proxy_http_version 1.1;
                proxy_set_header Host $host;
        }

Then you can run this on the command line:

certbot certonly --http-01-port 8080 -n --agree-tos --email you@example.org --test-cert --standalone -d testserver.example.org

(with of course your own domain name and email layered in).

Once you've got that working right, you can strip out "--test-cert" and add "--force-renewal" and run it again to get the real certs. In normal service of course you won't be running --force-renewal and will instead let certbot decide if the certificate has fewer than 30 days left before it needs a renewal.

Note that if you're writing a script around this, certbot returns an exit value of 0 whenever it runs successfully. Success means "no error", it is indifferent to whether a cert got renewed or not.

If you're looking to see whether the cert changed or not, you might want to consider running something like:

openssl x509 -noout -enddate < /opt/local/etc/letsencrypt/live/testserver.example.org/cert.pem 

both before and after certbot and see if anything changed.