The secret weapon I wish I had found earlier, here it is:
certbot --help all
Then the settings I was using...
certbot certonly --agree-tos --non-interactive --staging --text --allow-subset-of-names --rsa-key-size 4096 --email bradchesney79@gmail.com --webroot --webroot-path /var/www/html --domains "rustbeltrebellion.com, www.rustbeltrebellion.com"
certonly what it says on the tin, handles only requesting a new cert. No webserver configuration by certbot.
--agree-tos agrees to the terms of service on the command line instead of the GUI.
certbot certonly --agree-tos --non-interactive --staging --text --allow-subset-of-names --rsa-key-size 4096 --email bradchesney79@gmail.com --webroot --webroot-path /var/www/html --domains "rustbeltrebellion.com, www.rustbeltrebellion.com"
certonly what it says on the tin, handles only requesting a new cert. No webserver configuration by certbot.
--agree-tos agrees to the terms of service on the command line instead of the GUI.
--non-interactive tells certbot you're not there to interact.
--staging was put in to test everything would complete and certs would be somewhere under the /etc/letsencrypt directory... right or wrong. Remove it when you're ready to put rubber to the road.
--text makes certbot not use the ncurses text tool.
--allow-subset-of-names allows you to specify the cert cover more subdomains and domains without checking if those domains can be verified to be under your control.
--rsa-key-size lets you use a bigger key, like 4096 bits long.
--email so you can get expiration warnings and the like about your certs.
--webroot is the method of using an existing webroot for certbot to use to verify that you are in control of one or more of the domains listed.
--webroot-path the actual location of the webroot for certbot to put its files in.
--webroot-path the actual location of the webroot for certbot to put its files in.
--domains is the quoted comma separated list of hosts you want the cert to cover since you can specify more than one.
There is a little bit of nginx config that makes this all work better. We can logically assign the URL Let's Encrypt will try to access to be the actual webroot. We are doing this because we put the challenge in the actual webroot as you can see in our certbot command above-- having an actual .well-known/acme-challenge path is unnecessary and lacks elegance.
location /.well-known/acme-challenge/ {
root /var/www/html;
try_files $uri =404;
}
root /var/www/html;
try_files $uri =404;
}
