Auto-renewal of wildcard certificate - using Authenticator as Apache

saurabh.nikam07 · March 2, 2023, 3:20pm

My domain is: staging-smart.com.au

I have around 100+ websites running on my server. For eg:
abc.staging-smart.com.au
xyz.staging-smart.com.au
.
.
. and so on.

I want to issue wildcard certificate to the sites with auto-renewal in place.

Currently server is being already using Apache as Authenticator for cert renewal of some individual sites.
Can I use to issue wildcard certificate and auto-renewal?

Options used in the renewal process

[renewalparams]
account = xxxx
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

It produced this output:

My web server is (include version): Apache/2.4.46 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5

My hosting provider, if applicable, is: Route53

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Bruce5051 · March 2, 2023, 3:37pm

That is an old version of Certbot please see Certbot 2.3.0 Release

danb35 · March 2, 2023, 3:41pm

No. The Apache authenticator uses HTTP-01 validation, and a wildcard cert requires that you use DNS validation. If you have a DNS host with a compatible API, you can still issue and automatically renew the cert, but it won't be done using the Apache authenticator.

saurabh.nikam07 · March 2, 2023, 3:42pm

When I try to upgrade with below command:
sudo apt install --only-upgrade certbot

certbot is already the newest version (0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3)

Bruce5051 · March 2, 2023, 3:44pm

Probably due to not using snap and also an old Ubuntu

saurabh.nikam07 · March 2, 2023, 3:47pm

Thanks for clarifying.
As per your above comment, I won't be able to use Apache Authenticator.

I did some research for plugin native to aws, and I found that I can use certbot-dns-route53 plugin for DNS Validation.

So, now my question is - Is it ok, if I use certbot-dns-route53 plugin for wildcard certs?
considering the apache-authenticator plugin would still be there on server to serve existing sites.

Hope installing certbot-dns-route53 plugin won't impact the current confiugration.
Please confirm.

danb35 · March 2, 2023, 3:48pm

It should be. It's pretty common to use different authenticators for different certificates.

saurabh.nikam07 · March 2, 2023, 3:50pm

snap comes by default with Ubuntu v14 and higher.

Bruce5051 · March 2, 2023, 3:52pm

OK; but you use apt install not snap

Bruce5051 · March 2, 2023, 3:54pm

And this maybe of use Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation

saurabh.nikam07 · March 2, 2023, 4:11pm

Thank you Bruce.
I am referred same document, but now while performing the testing it is giving me error:

Failed to renew certificate staging-smart.com.au-0001 with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Service busy; retry later.

Failed to renew certificate staging-smart.com.au-0002 with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Service busy; retry later.

Failed to renew certificate staging-smart.com.au with error: <Response [503]>

Is it because of the on-going issue ?

rg305 · March 2, 2023, 4:19pm

If you are using staging certificates, then yes.

For recommended installation instructions, see:

rg305 · March 2, 2023, 4:22pm

Why do these exist?:

Usually, anything "-000x" is an indication of some misunderstanding between the users' requested intention and certbot action taken.
Can we see?:
certbot certificates

saurabh.nikam07 · March 2, 2023, 4:39pm

I think I executed - certificate issue command & it generated this duplicate file.

Found the following certs:
  Certificate Name: staging-smart.com.au-0001
    Serial Number: xxxx
    Key Type: RSA
    Domains: staging-smart.com.au
    Expiry Date: 2023-05-05 05:08:41+00:00 (VALID: 63 days)
    Certificate Path: ../live/staging-smart.com.au-0001/fullchain.pem
    Private Key Path: ../live/staging-smart.com.au-0001/privkey.pem

  Certificate Name: staging-smart.com.au-0002
    Serial Number: xxxx
    Key Type: RSA
    Domains: *.staging-smart.com.au
    Expiry Date: 2023-04-24 02:33:50+00:00 (VALID: 52 days)
    Certificate Path: ../live/staging-smart.com.au-0002/fullchain.pem
    Private Key Path: ../live/staging-smart.com.au-0002/privkey.pem

  Certificate Name: staging-smart.com.au
    Serial Number: xxx
    Key Type: RSA
    Domains: staging-smart.com.au *.staging-smart.com.au
    Expiry Date: 2023-04-24 05:05:24+00:00 (VALID: 52 days)

saurabh.nikam07 · March 2, 2023, 4:47pm

I have pasted output above:

Although my aim is to issue wildcard cert for domain - *.staging-smart.com.au

Osiris · March 2, 2023, 5:06pm

Your ancient apt-installed Certbot version isn't very good in checking existing certificates and expanding a previously issued cert. It easily makes duplicates as shown already. Please see the Certbot instructions above by Rudy to upgrade your apt-installed Certbot to the most recent one using snap. See the "wildcard" tab after selecting your webserver and browser for the guide which includes installing the DNS plugin.

Then you could continu getting a wildcard certificate using the certbot-dns-route53 authenticator plugin. Note that you can combine an authenticator plugin with an installer plugin. E.g., you could run sudo certbot -a dns-route53 -i apache (and after that the rest of your command) to combine both plugins at the same time.

saurabh.nikam07 · March 2, 2023, 5:42pm

Thank you Osiris.

I will try to upgrade by certbot version.

But, how to manage these multiple conf files?
will it be deleted automatically when I try to issue certificate using upgraded certbot version.

saurabh.nikam07 · March 2, 2023, 5:56pm

Updated Certbot with
sudo apt upgrade command

Osiris · March 2, 2023, 5:57pm

By not editing the configuration files manually. Please see the Managing Certificates section of the Certbot documentation.

When upgrading to the latest Certbot version using snap, everything should be exactly the same as before, including the redundant certificates.

If you wish to get a wildcard certificate, my advice is to get one, preferably by overwriging an existing certificate, make sure all your webservers (and/or any other service using the certificates) are using that wildcard certificate and afterwards remove the certs that are not in used.

Please read the posts more carefully. Using apt is NOT how you update Certbot to the latest version using snap. Snap is a different method of installing applications and does not use apt (except maybe for snap itself? I dunno, I don't use snap.)

system · April 1, 2023, 5:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
No authenticators working besides manual Server	8	898	October 16, 2018
Renew wildcard certificate with Apache Help	2	1869	July 30, 2018
Unable to Auto Renew a wildcard certificate Help	6	1322	June 13, 2023
How to setup automatic renewal for wildcard certificate using certbot Help	4	10952	June 14, 2018
Can't use webroot authenticator needed for wildcard domain Help	10	2607	July 19, 2018

Auto-renewal of wildcard certificate - using Authenticator as Apache

Options used in the renewal process

Related topics