generated from bisco/codex-bootstrap
fix: replace staging certificate on production switch
This commit is contained in:
@@ -109,12 +109,18 @@ Use this checklist for the first run of a new environment.
|
||||
LETSENCRYPT_STAGING=0
|
||||
```
|
||||
|
||||
Then restart the affected services:
|
||||
Then recreate Certbot so it sees the new environment and restart the proxy:
|
||||
|
||||
```bash
|
||||
docker compose up -d proxy certbot
|
||||
docker compose up -d --force-recreate certbot
|
||||
docker compose up -d proxy
|
||||
```
|
||||
|
||||
If a staging certificate already exists, the Certbot entrypoint removes only that
|
||||
staging certificate before requesting the production one. During the replacement
|
||||
window, NGINX may briefly return `503` for application traffic and will recover as
|
||||
soon as the production certificate is issued.
|
||||
|
||||
7. Final sanity checks:
|
||||
|
||||
```bash
|
||||
@@ -181,6 +187,15 @@ TRUST_PROXY_HEADERS=0
|
||||
Before the first certificate exists, NGINX serves ACME challenges and returns 503 for
|
||||
application traffic. After issuance, HTTP redirects to HTTPS automatically.
|
||||
|
||||
After validating the staging certificate flow, set `LETSENCRYPT_STAGING=0` and recreate
|
||||
the Certbot container. Existing staging certificates are removed automatically before a
|
||||
production certificate is requested:
|
||||
|
||||
```bash
|
||||
docker compose up -d --force-recreate certbot
|
||||
docker compose up -d proxy
|
||||
```
|
||||
|
||||
Run the real bootstrap without the test override:
|
||||
|
||||
```bash
|
||||
|
||||
Reference in New Issue
Block a user