generated from bisco/codex-bootstrap
fix: replace staging certificate on production switch
This commit is contained in:
@@ -35,6 +35,21 @@ When Let's Encrypt is enabled, the proxy intentionally returns 503 for normal
|
||||
application paths until a certificate exists. ACME challenge paths and proxy health
|
||||
paths must still work in that pending state, otherwise Certbot will never start.
|
||||
|
||||
## Staging certificate remains after switching to production
|
||||
|
||||
Certbot does not replace a still-valid staging certificate just because
|
||||
`LETSENCRYPT_STAGING` changed. Recreate the Certbot container so it reads the updated
|
||||
environment:
|
||||
|
||||
```bash
|
||||
docker compose up -d --force-recreate certbot
|
||||
docker compose up -d proxy
|
||||
```
|
||||
|
||||
The entrypoint removes an existing staging certificate for `LETSENCRYPT_DOMAIN` before
|
||||
requesting the production certificate. If issuance fails, inspect `docker compose logs
|
||||
certbot proxy`, verify DNS and port 80, and avoid repeated production-CA retries.
|
||||
|
||||
## Bootstrap writes to the wrong data volume
|
||||
|
||||
Do not combine the test override with production bootstrap commands. This command writes
|
||||
|
||||
Reference in New Issue
Block a user