by forgotmypassw 3693 days ago
You can use the --standalone option to get just the certificate files, so you can keep your nginx config files as-is, however you configured them, and just update the privkey.pem and fullchain.pem files wherever your nginx config points to look for them. The --standalone option actually requires sudo, but I guess that's because it puts the certs in /etc/letsencrypt.

Caution though: the file paths you get after obtaining the certificates are actually relative symlinks for some reason, so if you just copy these symlinks over they will most likely not point to the correct path. Copy the original files instead.

3 comments
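The symlink caveat above is easy to reproduce without a real certificate. The following is an added example, not code from the thread or from certbot: it builds a constructed stand-in for certbot's /etc/letsencrypt layout under a temporary directory (live/<domain>/*.pem as relative symlinks into ../../archive/<domain>/, which is how certbot lays the files out), then contrasts a copy that keeps the symlinks with one that dereferences them. The directory names, file contents and the helper function names are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or certbot). Simulates certbot's
# /etc/letsencrypt layout and shows why copying live/ symlinks breaks.
set -eu

# Build a constructed stand-in for /etc/letsencrypt under "$1" for domain "$2".
# The PEM contents are placeholders, not real keys or certificates.
make_fake_letsencrypt() {
  root="$1"; domain="$2"
  mkdir -p "$root/archive/$domain" "$root/live/$domain"
  printf 'FAKE-CERT-1\n' > "$root/archive/$domain/fullchain1.pem"
  printf 'FAKE-KEY-1\n'  > "$root/archive/$domain/privkey1.pem"
  # certbot's live/ entries are relative symlinks into ../../archive/,
  # which only resolve while they stay inside the same tree.
  ln -s "../../archive/$domain/fullchain1.pem" "$root/live/$domain/fullchain.pem"
  ln -s "../../archive/$domain/privkey1.pem"   "$root/live/$domain/privkey.pem"
}

# What a plain recursive copy does: the symlinks are copied as symlinks and
# now point at ../../archive/ relative to the *destination*, which dangles.
copy_naive() { cp -R -P "$1" "$2"; }

# What you actually want: -L follows the symlinks so real PEM files land in
# the destination. (readlink -f on each link and cp of the target works too.)
copy_deref() { cp -R -L "$1" "$2"; }

# Returns 0 only if both files in "$1" are readable regular files (no symlink
# indirection), i.e. something nginx could load from that directory.
cert_dir_is_usable() {
  d="$1"
  for f in fullchain.pem privkey.pem; do
    [ ! -L "$d/$f" ] && [ -r "$d/$f" ] && [ -s "$d/$f" ] || return 1
  done
  return 0
}

# Stand-alone demo: ./copy-certs.sh --demo
demo() {
  tmp=$(mktemp -d)
  make_fake_letsencrypt "$tmp/le" example.com
  copy_naive "$tmp/le/live/example.com" "$tmp/naive"
  copy_deref "$tmp/le/live/example.com" "$tmp/deref"
  if cert_dir_is_usable "$tmp/naive"; then echo "naive: usable"; else echo "naive: dangling symlinks"; fi
  if cert_dir_is_usable "$tmp/deref"; then echo "deref: usable"; else echo "deref: broken"; fi
  rm -rf "$tmp"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The same distinction applies to rsync (use -L or --copy-links) and to anything that tars up /etc/letsencrypt/live on its own: without the archive/ directory alongside it, the symlinks resolve to nothing. Note that dereferencing copies a snapshot; after the next renewal the live/ symlinks move to the new archive files and the copies go stale, so a renewal hook that re-copies is needed if nginx reads from the copied location.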

That's how it should work, but even --standalone still inspects your web server config and will refuse to run if any part of that goes wrong. For example, if you have multiple Apache VirtualHosts in the same file[1] (e.g. a port 80 redirect to the HTTPS site in the same file), any attempt to renew a certificate will fail with an error.

1. https://github.com/certbot/certbot/issues/1042

--standalone won't inspect your web server configuration. Only the apache (and nginx, if you enabled it manually) plugin would do that.

At least for renewals, it does parse Apache config — I was unpleasantly surprised by that last week.

My best guess is that you have previously issued a certificate using the apache plugin on that system, and the renewal config file for that certificate is still there.

  $ echo "BreakThisConfig" > /etc/apache2/sites-enabled/000-default.conf
  $ ./certbot-auto --apache
  2016-05-16 21:33:31,252:ERROR:certbot.le_util:Error while running apache2ctl configtest.
  Action 'configtest' failed.
  The Apache error log may have more information.
  $ ./certbot-auto certonly --standalone -d example.com
  - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem.
  $ ./certbot-auto renew --force-renewal
  Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
You don't need --standalone to get only certificate files, by the way. You can also use certonly with --webroot and it'll work just fine. certonly is the key part.

One thing I hope they make a little clearer is how to delegate cipher suite selection to certbot. I saw some discussion about making options-ssl-nginx.conf use, say, one of Mozilla's server-side configurations (whichever one you've configured). That way you could include options-ssl-nginx.conf and it'd auto-update over time.

So you're saying that this Debian package changes your nginx files by default? Does it warn you at least? And how does that not require sudo?

In any case, thanks for the --standalone hint.