So it looks like it’s just updating one. In /var/log/letsencrypt/letsencrypt.log I see that cerbot runs only for domain1.com.
BTW, In “Server Certificate”, I have all the let’s encrypt certs, properly assigned to all Virtual Hosts. Firefox says the certificates are the right ones. In “Virtual Hosts”, the proper (let’s encrypt) certificate are chosen.
Is there any other configuration I have to do to update them?
Thanks for all your support and for making nethserver.
Do your Virtual Hosts use a different certificate than the main server cert? And if so, why?
If HTTPS works on the virtual hosts, and you haven’t configured separate certificates for them, you can safely conclude that the main server cert covers them as well. If you want to confirm that, run certbot certificates and see what it says.
Hmmm… I installed different certificates for different virtualhosts, because they are different clients or webpages. It makes sense to make one cert per vitualhost. Do you think it’s better to make one big certificate with all the fqdns and use it for all virtualhosts? Why?
It’s certainly simpler. One cert for everything, Neth renews it automatically, you’re good. It’s what I do, FWIW, but I’m not hosting for anyone but myself. The only real downside I see is that if a visitor to site1 actually views the certificate, they’ll see that it also covers site2 and site3. That doesn’t hurt anything, particularly, but it may expose information you don’t want to expose.
Now, if you wanted to use a EV cert for one of the virtual hosts, that would be a different issue–but the value of EV certs is highly questionable in any event.
Thanks. I read it. That blog entry describes how to install and configure let’s encrypt in CentOS 6 and 7, but it doesn’t say anything about doing it with Nethserver’s infrastructure (for example, about /usr/libexec/nethserver/letsencrypt-certs ). I think I have the idea of how to do it manually. What’s the best way to do it with Nethserver?
The only real issue is that management (adding or removing hostnames to/from the cert) is a little cumbersome with either the Neth server manager or certbot at the command line. If I use the server manager, I have to enter every hostname I want. If I use certbot, I need to feed it -d flags with every hostname I want. It seems you should be able to do something like certbot expand --cert-name foo.bar.baz -d new.hostname.tld and have new.hostname.tld added to the other FQDNs already on the cert–but it doesn’t work that way.
You can reduce the size of the cert by using wildcards, but those require DNS validation, which Neth doesn’t support through the GUI.
Thank you @m.traeumner . I think I found what I was looking for: there’s a systemd certbot-renew service that should renew all of them, and it seems enabled. I’m waiting for the certificates to be 61 days old, to see if they get updated by it. I’ll post my results for future references if it works.