Apache vs webroot vs manual


I have a circumstance where I am running Apache on CentOS 6 with several domains and sub-domains, including a couple of multi-site WordPress installations. It should also be noted that my Apache config files for each domain are stored in a custom directory that gets included in the main httpd.conf file.

Most of the SSL needs for the server are covered with a commercial wildcard certificate that we own. However, there are a few domains that are not covered by this wildcard certificate. Some of these are stand-alone sites with unique home dirs, and a couple are just aliases pointing to one of the WordPress multi-sites.

From reading the manual, it looks like I should probably run Certbot the first time, probably in webroot mode, then manually adjust my domain.conf files once that is run. Would I then be able to count on those issued certificates getting updated automatically with the details generated in /etc/letsencrypt/renewal/CERTNAME?

This seems sensible to me, but my only previous experience with Let's Encrypt is with a cPanel server, and it's pretty foolproof on that platform.

I welcome any advice.

With a little trial and error, I’ve answered my own question. I’ll put that here in case it helps anyone else in the future.

Essentially, I ran the basic issuance once by hand with certonly and webroot arguments, and configured my domain.conf files once manually. I then tested a dry-run renewal, which reported all positive. I then set up a cron as referenced in the documentation, which ran successfully last night. Easy-peasy!

The initial run for each site

/root/scripts/certbot-auto certonly --webroot -w /home/domain/public_html -d domain.ca -d www.domain.ca

The dry run for renewal testing

/root/scripts/certbot-auto renew --dry-run

The cron entry to do updates at midnight

0 0 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /root/scripts/certbot-auto renew
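One thing the unattended cron job above will not tell you is whether the webroot recorded in /etc/letsencrypt/renewal/CERTNAME.conf still exists when renewal comes around; if a public_html directory is moved, the webroot authenticator fails quietly at renewal time. The following is an added example, not code from the thread or from Certbot, that reads the [[webroot_map]] entries of a renewal conf and checks each path. It assumes the "domain = /path" line format Certbot writes in that section, and the sample conf it builds is constructed for the demo.

```shell
#!/bin/sh
# Print "domain<TAB>path" for every entry under [[webroot_map]] in a renewal conf.
webroot_map_entries() {
    awk '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }   # section we want
        /^\[/                  { in_map = 0 }          # any other section ends it
        in_map && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)        # text left of "="
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)    # text right of "="
            print key "\t" val
        }
    ' "$1"
}

# Return 0 if every mapped webroot is a directory, 1 otherwise (bad ones on stderr).
check_webroot_map() {
    webroot_map_entries "$1" | {
        bad=
        while IFS="$(printf '\t')" read -r domain path; do
            if [ ! -d "$path" ]; then
                printf 'missing webroot for %s: %s\n' "$domain" "$path" >&2
                bad=1
            fi
        done
        [ -z "$bad" ]
    }
}

# Write a constructed renewal conf (a stand-in, not a real file from the thread)
# to $1, mapping the two names from the thread to the directories $2 and $3.
write_sample_renewal_conf() {
    cat > "$1" <<EOF
[renewalparams]
authenticator = webroot
[[webroot_map]]
domain.ca = $2
www.domain.ca = $3
EOF
}

# Stand-alone demo: one directory that exists and one that does not.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/public_html"
write_sample_renewal_conf "$demo_dir/domain.ca.conf" "$demo_dir/public_html" "$demo_dir/gone"
if check_webroot_map "$demo_dir/domain.ca.conf"; then
    echo "all webroots present; unattended renew can place challenge files"
else
    echo "renewal would fail: fix the paths listed above before relying on cron"
fi
rm -rf "$demo_dir"
```

Run it against each file in /etc/letsencrypt/renewal/ before trusting the cron job, and again whenever a site's document root changes.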
