fix: replace staging certificate on production switch

This commit is contained in:
bisco
2026-06-25 12:39:43 +02:00
parent 5bdf628a2e
commit a835900418
4 changed files with 42 additions and 4 deletions
+17 -2
View File
@@ -109,12 +109,18 @@ Use this checklist for the first run of a new environment.
LETSENCRYPT_STAGING=0
```
Then restart the affected services:
Then recreate Certbot so it sees the new environment and restart the proxy:
```bash
docker compose up -d proxy certbot
docker compose up -d --force-recreate certbot
docker compose up -d proxy
```
If a staging certificate already exists, the Certbot entrypoint removes only that
staging certificate before requesting the production one. During the replacement
window, NGINX may briefly return `503` for application traffic and will recover as
soon as the production certificate is issued.
7. Final sanity checks:
```bash
@@ -181,6 +187,15 @@ TRUST_PROXY_HEADERS=0
Before the first certificate exists, NGINX serves ACME challenges and returns 503 for
application traffic. After issuance, HTTP redirects to HTTPS automatically.
After validating the staging certificate flow, set `LETSENCRYPT_STAGING=0` and recreate
the Certbot container. Existing staging certificates are removed automatically before a
production certificate is requested:
```bash
docker compose up -d --force-recreate certbot
docker compose up -d proxy
```
Run the real bootstrap without the test override:
```bash