Auto-renewal of wildcard certificate - using Authenticator as Apache

My domain is: staging-smart.com.au

I have around 100+ websites running on my server. For example:
abc.staging-smart.com.au
xyz.staging-smart.com.au
... and so on.

I want to issue wildcard certificate to the sites with auto-renewal in place.

Currently the server is already using Apache as the authenticator for cert renewal of some individual sites.
Can I use it to issue a wildcard certificate with auto-renewal?

Options used in the renewal process

[renewalparams]
account = xxxx
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

It produced this output:

My web server is (include version): Apache/2.4.46 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5

My hosting provider, if applicable, is: Route53

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

That is an old version of Certbot; please see Certbot 2.3.0 Release.

1 Like

No. The Apache authenticator uses HTTP-01 validation, and a wildcard cert requires that you use DNS validation. If you have a DNS host with a compatible API, you can still issue and automatically renew the cert, but it won't be done using the Apache authenticator.

5 Likes

When I try to upgrade with below command:
sudo apt install --only-upgrade certbot

certbot is already the newest version (0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3)

Probably due to not using snap and also an old Ubuntu

2 Likes

Thanks for clarifying.
As per your above comment, I won't be able to use Apache Authenticator.

I did some research for plugin native to aws, and I found that I can use certbot-dns-route53 plugin for DNS Validation.

So, now my question is - Is it ok, if I use certbot-dns-route53 plugin for wildcard certs?
considering the apache-authenticator plugin would still be there on server to serve existing sites.

Hopefully installing the certbot-dns-route53 plugin won't impact the current configuration.
Please confirm.

1 Like

It should be. It's pretty common to use different authenticators for different certificates.

4 Likes

snap comes by default with Ubuntu v14 and higher.

OK; but you used apt install, not snap.

1 Like

And this may be of use: Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation

1 Like

Thank you Bruce.
I referred to the same document, but now while performing the testing it is giving me this error:

Failed to renew certificate staging-smart.com.au-0001 with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Service busy; retry later.

Failed to renew certificate staging-smart.com.au-0002 with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Service busy; retry later.

Failed to renew certificate staging-smart.com.au with error: <Response [503]>

Is it because of the ongoing issue?

1 Like

If you are using staging certificates, then yes.

For recommended installation instructions, see:

2 Likes

Why do these exist?:

Usually, anything "-000x" is an indication of some misunderstanding between the user's requested intention and the action Certbot took.
Can we see?:
certbot certificates

2 Likes

I think I executed - certificate issue command & it generated this duplicate file.

Found the following certs:
  Certificate Name: staging-smart.com.au-0001
    Serial Number: xxxx
    Key Type: RSA
    Domains: staging-smart.com.au
    Expiry Date: 2023-05-05 05:08:41+00:00 (VALID: 63 days)
    Certificate Path: ../live/staging-smart.com.au-0001/fullchain.pem
    Private Key Path: ../live/staging-smart.com.au-0001/privkey.pem

  Certificate Name: staging-smart.com.au-0002
    Serial Number: xxxx
    Key Type: RSA
    Domains: *.staging-smart.com.au
    Expiry Date: 2023-04-24 02:33:50+00:00 (VALID: 52 days)
    Certificate Path: ../live/staging-smart.com.au-0002/fullchain.pem
    Private Key Path: ../live/staging-smart.com.au-0002/privkey.pem

  Certificate Name: staging-smart.com.au
    Serial Number: xxx
    Key Type: RSA
    Domains: staging-smart.com.au *.staging-smart.com.au
    Expiry Date: 2023-04-24 05:05:24+00:00 (VALID: 52 days)

I have pasted output above:

Although my aim is to issue wildcard cert for domain - *.staging-smart.com.au

Your ancient apt-installed Certbot version isn't very good at checking existing certificates and expanding a previously issued cert. It easily makes duplicates, as shown already. Please see the Certbot instructions above by Rudy to upgrade your apt-installed Certbot to the most recent one using snap. See the "wildcard" tab after selecting your webserver and OS for the guide, which includes installing the DNS plugin.

Then you could continue getting a wildcard certificate using the certbot-dns-route53 authenticator plugin. Note that you can combine an authenticator plugin with an installer plugin. E.g., you could run sudo certbot -a dns-route53 -i apache (and after that the rest of your command) to combine both plugins at the same time.

3 Likes
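The two things this thread keeps returning to are the "-000x" duplicate lineages in the `certbot certificates` output and the combined `-a dns-route53 -i apache` command. The script below is an added example, not code from the thread or from Certbot itself: it parses a constructed copy of the `certbot certificates` output shaped like the one posted above (serials and paths left out), lists the lineages Certbot created as duplicates, finds which lineage already covers both the apex and the wildcard, and wraps the reissue command so that `--cert-name` renews that existing lineage instead of creating yet another copy. The domain is the one from the thread; the lineage and flag choices in `reissue_wildcard` are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot: audit the lineages
# that `certbot certificates` reports, then reissue the wildcard into the
# existing lineage using the dns-route53 authenticator and the apache installer.

# Constructed sample of `certbot certificates` output, shaped like the one in
# the thread (serials and paths omitted; not real data).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: staging-smart.com.au-0001
    Key Type: RSA
    Domains: staging-smart.com.au
    Expiry Date: 2023-05-05 05:08:41+00:00 (VALID: 63 days)
  Certificate Name: staging-smart.com.au-0002
    Key Type: RSA
    Domains: *.staging-smart.com.au
    Expiry Date: 2023-04-24 02:33:50+00:00 (VALID: 52 days)
  Certificate Name: staging-smart.com.au
    Key Type: RSA
    Domains: staging-smart.com.au *.staging-smart.com.au
    Expiry Date: 2023-04-24 05:05:24+00:00 (VALID: 52 days)'

# Read `certbot certificates` output on stdin; emit "name<TAB>domains" per lineage.
lineages() {
    awk '
        /^ *Certificate Name:/ { name = $3 }
        /^ *Domains:/          { sub(/^ *Domains: */, ""); print name "\t" $0 }
    '
}

# Lineage names ending in -NNNN: the copies Certbot creates when a run does not
# match an existing lineage (the "-000x" misunderstanding from the thread).
duplicate_lineages() {
    lineages | awk -F '\t' '$1 ~ /-[0-9][0-9][0-9][0-9]$/ { print $1 }'
}

# Lineages whose Domains line contains every name given as an argument.
lineages_covering() {
    lineages | awk -F '\t' -v want="$*" '
        {
            n = split($2, have, " "); m = split(want, need, " ")
            for (j = 1; j <= m; j++) {
                found = 0
                for (i = 1; i <= n; i++) if (have[i] == need[j]) found = 1
                if (!found) next
            }
            print $1
        }
    '
}

# Reissue the wildcard into an existing lineage (assumed usage, not run here).
# --cert-name makes Certbot renew that lineage instead of creating another
# -000x copy; -a dns-route53 answers the DNS-01 challenge a wildcard needs;
# -i apache installs the result. AWS credentials come from the usual boto3
# locations (environment variables or ~/.aws/credentials). Extra Certbot
# flags can be appended after the apex name.
reissue_wildcard() {
    lineage="$1"; apex="$2"; shift 2
    certbot -a dns-route53 -i apache \
        --cert-name "$lineage" \
        -d "$apex" -d "*.$apex" "$@"
}

# Demo on the constructed sample: the two duplicates, then the lineage that
# already covers both apex and wildcard (the one worth keeping and reissuing).
printf '%s\n' "$SAMPLE_CERTS" | duplicate_lineages
printf '%s\n' "$SAMPLE_CERTS" | lineages_covering staging-smart.com.au '*.staging-smart.com.au'
```

On the sample, the duplicates are `staging-smart.com.au-0001` and `staging-smart.com.au-0002`, and only `staging-smart.com.au` covers both names, so `reissue_wildcard staging-smart.com.au staging-smart.com.au` would renew that lineage with the new plugins; after a successful run Certbot records `authenticator = dns-route53` and `installer = apache` in that lineage's renewal config, so the renewal timer picks the DNS plugin up without any manual edit of the conf files. Once Apache serves the wildcard from that lineage, the two duplicates can be retired with `certbot delete --cert-name`. The IAM user or role the plugin runs as only needs the Route 53 permissions its documentation lists (listing hosted zones, changing record sets, reading change status), and the record-set change permission should be scoped to the hosted zone that holds the domain rather than the whole account.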

Thank you Osiris.

I will try to upgrade my certbot version.

But how do I manage these multiple conf files?
Will they be deleted automatically when I issue a certificate using the upgraded certbot version?

3 Likes

Updated Certbot with
sudo apt upgrade command

By not editing the configuration files manually. Please see the Managing Certificates section of the Certbot documentation.

When upgrading to the latest Certbot version using snap, everything should be exactly the same as before, including the redundant certificates.

If you wish to get a wildcard certificate, my advice is to get one, preferably by overwriting an existing certificate, make sure all your webservers (and/or any other service using the certificates) are using that wildcard certificate, and afterwards remove the certs that are not in use.

Please read the posts more carefully. Using apt is NOT how you update Certbot to the latest version using snap. Snap is a different method of installing applications and does not use apt (except maybe for snap itself? I dunno, I don't use snap.)

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.