How do I renew only one domain with certbot?

I have multiple domains and multiple certificates:

$ ll /etc/letsencrypt/live/
> domain1.com
> domain2.com
> domain3.com
> ...

I only need to renew domain1.com, but the command `certbot renew` renews the certificates for all domains. How do I explicitly renew certain certificates?

196882 views

You can use this command (for Apache server):

certbot --apache certonly -n -d domain1.com

  • --apache for an Apache server; use the --nginx flag for an nginx server
  • -n executes the command without prompting
  • -d domain1.com executes it only for domain1.com

You can test with --dry-run, and you can use --pre-hook and --post-hook as with certbot renew.

Source: https://certbot.eff.org/docs/using.html#renewing-certificates

Renew a single certificate using renew with the --cert-name option.

(certonly creates a certificate for one or more domains, replacing it if it exists.)

Example

certbot renew --cert-name domain1.com --dry-run

Remove --dry-run to actually renew.


Cert-name != Domain name

Note that the value supplied to the --cert-name option is a certificate name (not a domain name), found using

certbot certificates

Returning a list like

-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: myfundomains.com
Domains: myfundomains.com
Expiry Date: 2018-05-04 04:28:05+00:00 (VALID: 67 days)
Certificate Path: /etc/letsencrypt/live/myfundomains.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/myfundomains.com/privkey.pem
Certificate Name: ask.myfundomain.com
Domains: ask.myfundomain.com
Expiry Date: 2018-03-13 18:59:40+00:00 (VALID: 16 days)
Certificate Path: /etc/letsencrypt/live/ask.myfundomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ask.myfundomain.com/privkey.pem
Certificate Name: forums.myfundomain.com
Domains: forums.myfundomain.com forum.myfundomain.com
Expiry Date: 2018-04-11 16:39:18+00:00 (VALID: 45 days)
Certificate Path: /etc/letsencrypt/live/forums.myfundomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/forums.myfundomain.com/privkey.pem
-------------------------------------------------------------------------------

Notice how the third certificate name (forums.myfundomain.com) contains multiple domains:

  • forums.myfundomain.com
  • forum.myfundomain.com

Restart Apache / nginx

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ask.myfundomain.com/fullchain.pem
-------------------------------------------------------------------------------

Remember to restart your webserver to make use of the new certificate.
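The point made above, that --cert-name takes a certificate name rather than a domain name, is easy to get wrong in automation (for example, forum.myfundomain.com above lives in the lineage named forums.myfundomain.com). The script below is an added example and not part of any answer: it parses the output of `certbot certificates` to resolve the lineage that covers a given domain, then renews only that lineage and reloads the web server through certbot's --deploy-hook. The listing it parses is a constructed sample shaped like the output shown above; the helper names cert_name_for_domain and renew_domain, and the nginx reload command, are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original answers): resolve the certbot
# certificate *name* that covers a given domain, then renew only that
# lineage. It relies only on the "Certificate Name:" / "Domains:" lines
# that `certbot certificates` prints, as shown in the answer above.

# Constructed sample listing, shaped like the answer's output, so the
# parsing can be exercised on a machine without certbot installed.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: myfundomains.com
    Domains: myfundomains.com
    Expiry Date: 2018-05-04 04:28:05+00:00 (VALID: 67 days)
  Certificate Name: ask.myfundomain.com
    Domains: ask.myfundomain.com
    Expiry Date: 2018-03-13 18:59:40+00:00 (VALID: 16 days)
  Certificate Name: forums.myfundomain.com
    Domains: forums.myfundomain.com forum.myfundomain.com
    Expiry Date: 2018-04-11 16:39:18+00:00 (VALID: 45 days)'

# cert_name_for_domain DOMAIN [LISTING]
# Prints the certificate name whose "Domains:" line contains DOMAIN as a
# whole word (so "forum.x" does not match "forums.x"), or nothing if no
# lineage covers it. Parses LISTING when given, otherwise the live output
# of `certbot certificates` (hypothetical helper, not a certbot command).
cert_name_for_domain() {
    domain=$1
    listing=${2:-"$(certbot certificates 2>/dev/null)"}
    printf '%s\n' "$listing" | awk -v want="$domain" '
        /Certificate Name:/ { name = $3 }
        /Domains:/ {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print name; exit }
        }'
}

# renew_domain DOMAIN [extra certbot args, e.g. --dry-run]
# Renews only the lineage covering DOMAIN. --deploy-hook runs only when a
# certificate was actually issued, so the web server is reloaded exactly
# when a new fullchain.pem exists and not on every invocation.
renew_domain() {
    domain=$1; shift
    name=$(cert_name_for_domain "$domain") || return 1
    if [ -z "$name" ]; then
        echo "no certificate lineage covers $domain" >&2
        return 1
    fi
    certbot renew --cert-name "$name" \
        --deploy-hook "systemctl reload nginx" "$@"
}
```

Usage is `renew_domain forum.myfundomain.com --dry-run` to rehearse against the staging endpoint, then the same call without --dry-run. Note that `certbot renew` only replaces a certificate that is close to expiry; adding --force-renewal issues a new one unconditionally, which counts against Let's Encrypt's rate limits, so it is better reserved for the case where the existing certificate must be replaced immediately (for example after a key compromise).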

You can use these commands on an Nginx server:

  1. Stop Nginx server

    sudo systemctl stop nginx

  2. Renew certbot

    sudo certbot certonly --force-renew -d domain1.com

  3. Start Nginx server

    sudo systemctl start nginx

  4. Check current certs

    sudo certbot certificates

Results:

Found the following certs:
  Certificate Name: domain1.com
    Serial Number: 4564f55f3fe993964f8bbc65249a7ed4c91
    Key Type: RSA
    Domains: domain1.com
    Expiry Date: 2022-12-19 01:34:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain1.com/privkey.pem