Build Certificates¶
Build Certificates for nginx¶
sudo certbot --nginx -d baizabal.xyz,www.baizabal.xyz
Add subdomain or Domain¶
sudo certbot --expand --nginx -d baizabal.xyz,www.baizabal.xyz,api.baizabal.xyz
List Certificates¶
sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: baizabal.xyz
Serial Number: 4e1160984b56acb967608c92135578ea1cf
Key Type: RSA
Domains: baizabal.xyz api.baizabal.xyz cloud.baizabal.xyz git.baizabal.xyz music.baizabal.xyz office.baizabal.xyz time.baizabal.xyz video.baizabal.xyz voip.baizabal.xyz www.baizabal.xyz
Expiry Date: 2024-11-23 21:39:39+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/baizabal.xyz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/baizabal.xyz/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Remove Certificate¶
sudo certbot delete --cert-name baizabal.xyz
Overlapping -0001¶
When certificate requests overlap, certbot creates the new certificate under a new directory with a -000? suffix instead of updating the existing one.
To avoid this behavior, use the --expand switch when you need to add a new subdomain or even a domain.
This happens when you run
certbot -d domain.com,my.domain.com
after having previously run
certbot -d domain.com,app.domain.com
You then have two directories under the live folder, domain-0001/ and domain.com, and both contain a certificate for domain.com.
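To spot the overlap described above, the following added example (not part of the original page or of certbot) reads the text printed by certbot certificates and lists every domain that is covered by more than one lineage. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list domains covered by more than one certbot lineage.
# Input : the text printed by `certbot certificates`, on stdin.
# Output: one line per overlapping domain, "<domain> <lineage>,<lineage>..."

find_overlaps() {
  awk '
    # A "Certificate Name:" line starts a new lineage block.
    /^[ \t]*Certificate Name:/ { name = $3 }
    # The "Domains:" line lists every name on that certificate.
    /^[ \t]*Domains:/ {
      for (i = 2; i <= NF; i++) {
        if ($i in owners) owners[$i] = owners[$i] "," name
        else              owners[$i] = name
        count[$i]++
      }
    }
    END {
      for (d in count)
        if (count[d] > 1) print d, owners[d]
    }
  ' | sort
}

# Constructed sample: the state left behind by the two overlapping requests.
sample_output() {
  cat <<'EOF'
Found the following certs:
  Certificate Name: domain.com
    Key Type: RSA
    Domains: domain.com app.domain.com
    Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
  Certificate Name: domain.com-0001
    Key Type: RSA
    Domains: domain.com my.domain.com
    Certificate Path: /etc/letsencrypt/live/domain.com-0001/fullchain.pem
EOF
}

# Demo on the constructed sample; on a real host use:
#   sudo certbot certificates | find_overlaps
sample_output | find_overlaps
```

An empty result means no domain appears in more than one lineage.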
Renew Certificate¶
To test that everything is OK:
certbot renew --dry-run --nginx
To renew:
certbot renew --nginx
Permissions¶
The containing directories are created with permissions of 0700, meaning that certificates are accessible only to servers that run as the root user. If you will never downgrade to an older version of Certbot, then you can safely fix this using chmod 0755 /etc/letsencrypt/{live,archive}.
For servers that drop root privileges before attempting to read the private key file, you will also need to use chgrp and chmod 0640 to allow the server to read /etc/letsencrypt/live/$domain/privkey.pem.