chrismorgan 2 days ago
Sounds like you’re doing it wrong. I don’t know about this native support, but I’d be very surprised if it was worse than the old way, which could just have Certbot put files in a path NGINX was already serving (webroot method), and then when new certificates are done send a signal for NGINX to reload its config. There should never be any downtime. | ||||||||||||||||||||
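The webroot approach described above, as an added example that is not part of the original comment: NGINX keeps serving the ACME challenge path from a directory Certbot can write to, and a deploy hook reloads NGINX only after the new certificate is in place. The paths, domain and hook command are assumptions for illustration.

```nginx
# Assumed paths for this example: Certbot writes challenge files to
# /var/www/letsencrypt, and the certificate for example.com is issued with:
#
#   certbot certonly --webroot -w /var/www/letsencrypt -d example.com \
#       --deploy-hook "nginx -t && nginx -s reload"
#
# The deploy hook is saved in the renewal config, so later `certbot renew`
# runs (cron or systemd timer) reload NGINX only when a certificate was
# actually renewed; nothing listens on port 80 other than NGINX itself.

server {
    listen 80;
    server_name example.com;

    # HTTP-01 challenge files: served by NGINX, written by Certbot.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else on port 80 goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name example.com;

    # Live symlinks are updated atomically by Certbot; the reload in the
    # deploy hook makes NGINX pick them up without dropping connections.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        root /var/www/html;
    }
}
```

The `nginx -t` in the hook is the useful safety check: if a config edit made in the meantime is broken, the reload is skipped and the running NGINX keeps serving with the old certificate rather than failing outright.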
kijin 2 days ago
Certbot has a "standalone" mode that occupies port 80 and serves /.well-known/ by itself. Whoever first recommended using that mode in anything other than some sort of emergency situation needs to be given a firm kick in the butt. Certbot also has a mode that mangles your Apache or nginx config files in an attempt to wire up certificates to your virtual hosts. Whoever wrote the nginx integration also needs a butt kick; it's terrible. I've helped a number of people fix their broken servers after Certbot mangled their config files. Just because you're on a crusade to encrypt the web doesn't give you a right to mess with other programs' config files; that's not how Unix works!