Automatically request Certificates for all VirtualHosts

mmpgc · December 10, 2020, 8:52pm

My domain is: Multiple domains
My web server is: Apache/2.4.46 (Ubuntu)
The operating system my web server runs on is: Ubuntu Bionic
I can login to a root shell on my machine : Yes
The version of my client is: certbot 0.31.0

My employer provides microsites to charities and I'm looking to automate certificate requests so emailing me stops being a bottleneck. We have automated processes that let the web designers provision new URLS as needed, but none of those processes run as root, and for sites where the client is mapping a subdomain of their site to our servers there's a delay between provisioning the site and getting a certificate through Let's Encrypt is possible.

I want to grab the list of all the virtual sites configured on the server and request certificates for all of them, skipping the ones that already have SSL. The requests will fall well within the Let's Encrypt weekly new certificate limits.

I was thinking of writing code to do the following:

Piping the results of sudo apachectl -S to a file
Parsing the file to build a list of all the URLS and their port number.
Remove the URLS that already have an SSL configuration
Call certbot for each of the remaining URLS to request a certificate.

I wanted to see if anything like that already existed before I dove in. My hope is there's something obvious I just don't know about yet.

danb35 · December 10, 2020, 9:16pm

Do you have to use Apache? Because this sounds like what Caddy's on-demand SSL was made for.

_az · December 10, 2020, 9:28pm

Besides solutions like Caddy and Traefik which can handle these kinds of situations admirably, there's also a pure Apache solution in mod_md.

I am guessing this involves programmatically generating your Apache configuration through some kind of templating?

With mod_md, you could simply add the new customer domain to the MDomain directive and reload Apache.

The good thing about this is that it's in-process and will deal with the entire certificate lifecycle for you. That is, it will gracefully handle retrying if the domains don't yet point to your server and it will renew certificates when necessary.

The bad thing about mod_md is the overall lack of prebuilt packages (as of today), so you'll have to compile the module from source. But I think it's a pretty small price to pay for being able to get something so seamless.

mmpgc · December 11, 2020, 1:13pm

Thank you. Compiling mod_md is likely to be a lot less work than the coding I was going to do otherwise.

system · January 10, 2021, 1:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.