Thursday, May 24, 2018

Renewing a reverse proxy cert with certbot

Renewing a cert on a reverse proxy or load balancer with certbot is fairly easy, but there is a minor trick to it.  Since the proxy does not serve any files of its own and instead forwards every request upstream, certbot's webroot plugin has nowhere to drop the HTTP-01 challenge file (the token Let's Encrypt fetches from /.well-known/acme-challenge/ on port 80), so the validation fails.

To get around this, shut down the reverse proxy temporarily and let certbot run its own standalone web server to answer the challenge:

# certbot renew --standalone

This lets certbot bind port 80 itself (older releases could also use 443 for the TLS-SNI-01 challenge, which has since been retired) for only as long as the validation takes; it releases the port as soon as it is done, and you can then start your reverse proxy again.  Stop the proxy before running certbot rather than after: the standalone server refuses to start if something else is already listening on port 80, and certbot will not renew anything until that is fixed.  If you do not want to stop and start the proxy by hand every time, certbot's --pre-hook and --post-hook options can run those commands for you, and only when a certificate is actually due for renewal.
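The stop/renew/restart procedure above, wrapped in a script so the proxy is only down while certbot actually holds port 80, and with a check to confirm which certificate the restarted proxy is serving.  This is an added example, not the post's own commands.  It assumes things the post does not state: the proxy is a systemd service named in PROXY_SERVICE (nginx here), certbot keeps the live certificate under /etc/letsencrypt/live/<domain>/, and the host can reach Let's Encrypt.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumptions (not stated on the
# page): the proxy is a systemd unit named in PROXY_SERVICE, certbot stores
# live certs under /etc/letsencrypt/live/<domain>/, and openssl is installed.
set -eu

PROXY_SERVICE="${PROXY_SERVICE:-nginx}"   # assumed service name
CERTBOT="${CERTBOT:-certbot}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"

# needs_renewal CERT_FILE DAYS
#   returns 0 if the certificate expires within DAYS (worth the proxy downtime),
#   1 if it is still valid past that window, 2 if the file cannot be read.
needs_renewal() {
    cert="$1"
    days="$2"
    if ! [ -r "$cert" ]; then
        echo "needs_renewal: cannot read $cert" >&2
        return 2
    fi
    # -checkend exits 0 when the cert will NOT expire within the given seconds
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_proxy_cert DOMAIN
#   Lets certbot stop the proxy, answer the HTTP-01 challenge on port 80 with
#   its standalone server, and start the proxy again.  certbot runs the hooks
#   itself and only when the cert is actually due, so an early run is a no-op
#   that never touches the proxy.  The post-hook runs even if renewal fails,
#   so the proxy always comes back up.
renew_proxy_cert() {
    domain="$1"
    "$CERTBOT" renew \
        --cert-name "$domain" \
        --standalone \
        --preferred-challenges http \
        --pre-hook "systemctl stop $PROXY_SERVICE" \
        --post-hook "systemctl start $PROXY_SERVICE"
}

# served_cert_expiry HOST [PORT]
#   Prints the notAfter date of the certificate the proxy is really serving,
#   so you can confirm the restart picked up the new file rather than an old
#   process still holding the previous one.
served_cert_expiry() {
    host="$1"
    port="${2:-443}"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Only act when invoked as: sh renew-proxy-cert.sh renew example.com
case "${1-}" in
    renew)
        live="/etc/letsencrypt/live/$2/fullchain.pem"
        if needs_renewal "$live" "$RENEW_WINDOW_DAYS"; then
            renew_proxy_cert "$2"
            served_cert_expiry "$2"
        else
            echo "$2: certificate still valid for more than $RENEW_WINDOW_DAYS days"
        fi
        ;;
esac
```

Run it first with CERTBOT="certbot --dry-run" against the staging environment; certbot still executes the pre- and post-hooks in a dry run, so that also rehearses the proxy stop and start.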