First we need to install certbot utility:
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-nginx
After that, we can easily generate SSL certificates for all the domains listed in Nginx ‘server_name’ attributes in alive (working) virtual hosts. The examples are:
certbot --nginx certonly -d slogpost.ru -d www.slogpost.ru
certbot --nginx certonly -d psiholog-s-vami.ru -d www.psiholog-s-vami.ru
certbot certonly --nginx --cert-name sharlines.com -d sharlines.com -d www.sharlines.com
certbot certonly --nginx --cert-name developernote.com -d developernote.com -d www.developernote.com -d herb.developernote.com -d mastermag.developernote.com -d geographx.developernote.com -d geographx.net -d www.geographx.net -d xn--80acc2atiigge7h.xn--p1ai -d www.xn--80acc2atiigge7h.xn--p1ai -d git.developernote.com -d gitweb.developernote.com
(do not forget to run the commands above each time you add or remove a subdomain)
We cannot use wildcard domains line *.developernote.com with Let’s Encrypt, so we should list all the subdomains. And I do not see anything wrong in combining multiple domains in a single certificate.
To remove the certificate we do something like this:
certbot revoke --cert-path /etc/letsencrypt/live/developernote.com/fullchain.pem
certbot delete --cert-name developernote.com
Updating all the generated certificates:
certbot renew
After changing the website URL from HTTP to HTTPS, probably it makes a sense to update all the hyperlinks in MySQL database:
show tables;
show columns from wp_posts;
SELECT ID, post_title, post_date, post_name FROM wp_posts WHERE INSTR(post_content, 'http://slogpost.ru') <> 0;
UPDATE wp_posts SET post_content=REPLACE(post_content, 'http://slogpost.ru', 'https://slogpost.ru') WHERE INSTR(post_content, 'http://slogpost.ru') <> 0;
UPDATE wp_posts SET post_content=REPLACE(post_content, 'http://developernote.com', 'https://developernote.com') WHERE INSTR(post_content, 'http://developernote.com') <> 0;
The final step is adding certbot-renew.sh file to /etc/cron.monthly with the following content:
certbot renew
service squid reload
It seems like the service … command is completely ignored. Nothing in syslog, nothing in nginx logs. I switched to using
certbot renew
systemctl reload squid
instead, and this seems to work.