I have ~30 domains running on my server, all of them with SSL certificates managed by the Certbot nginx plugin. All of them, except one... let's call it selfsigned.example.com.
This domain uses a self-signed certificate because it's being accessed by an embedded device, for which I haven't managed to get a proper certificate chain to work. The embedded device checks the certificate fingerprint, so it's quite secure as long as I don't need revocation. But it's important that the cert on the server doesn't get replaced by Certbot, otherwise the device will refuse to connect.
I frequently add new domains to the configuration, and then I rerun `certbot --nginx` to generate a new certificate for them. But every time I do that, certbot prompts me:
    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: whatever.example.com
    2: something.example.com
    ...
    17: selfsigned.example.com
    ...
    32: thelastone.example.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
If I just press Enter, Certbot will overwrite the `ssl_certificate` and `ssl_certificate_key` directives for selfsigned.example.com with a cert from Let's Encrypt. So I have to manually type out all numbers except 17 in this case.
As a cautious and lazy sysadmin, how can I make it so that I can just press Enter? Maybe there's some magic comment (similar to `# managed by Certbot`) that lets me say `# Certbot ignore`?
Indeed certbot's nginx configuration management is... not great. It makes a mess of your config whenever it decides to rewrite parts of it.
But: Let's Encrypt supports wildcard certificates. So I just created a wildcard cert for `example.com,*.example.com` and manually configured it in nginx.
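As an added illustration of the manual nginx setup the answer describes (example configuration written for this page, not the answerer's own config; every path, the hostnames and the location of the self-signed files are assumptions), one server block serves the wildcard Let's Encrypt certificate for the ordinary hosts and a separate block keeps the self-signed certificate for the embedded device's host. Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, so the wildcard lineage is assumed to have been obtained with `certbot certonly` and a DNS challenge rather than with the nginx installer; once it exists, adding a subdomain only needs a `server_name` entry, and there is no need to rerun `certbot --nginx` at all.

```nginx
# Added example nginx configuration (not from the original answer).
# Paths, hostnames and the self-signed file locations are assumptions.

# Hosts covered by the wildcard certificate, assumed to have been obtained with:
#   certbot certonly --manual --preferred-challenges dns \
#       -d example.com -d '*.example.com'
# Certbot names the lineage after the first -d value, hence the live/example.com path.
# A new subdomain only needs to be appended to server_name; no new certificate.
server {
    listen 443 ssl;
    server_name whatever.example.com something.example.com thelastone.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/html;   # assumed document root
}

# Host used by the embedded device: keeps its own self-signed certificate.
# The files live outside /etc/letsencrypt, so no Certbot renewal ever touches them,
# and the fingerprint pinned on the device stays valid.
server {
    listen 443 ssl;
    server_name selfsigned.example.com;

    ssl_certificate     /etc/nginx/ssl/selfsigned.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/selfsigned.example.com.key;   # assumed path

    root /var/www/device;   # assumed document root
}
```

After any Certbot run it is worth confirming that the pinned certificate is still the one nginx serves: `openssl x509 -in /etc/nginx/ssl/selfsigned.example.com.crt -noout -fingerprint -sha256` prints the fingerprint of the file on disk, and `nginx -T | grep -A2 'selfsigned.example.com'` shows which `ssl_certificate` path the running configuration actually references for that host. If the two ever disagree, the device will stop connecting, so checking both is cheaper than debugging it from the device side.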