Before I obtain an LE certificate for a new domain, I have to first set the domain up in Apache in a .conf file, restart Apache, test that the domain is working (for a website), then issue the following command with Certbot:
Then I go back into the .conf file to add all the SSL lines needed for that domain, then restart Apache again.
Is there a way to bypass the first step and simply get a certificate for the domain without having to have the domain actually working on the server yet? Or are both steps required to get a certificate?
Thanks!
The operating system my web server runs on is (include version): CentOS 7.6
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
You can confirm the result with: certbot certificates
Yes, with DNS authentication.
You can even get a wildcard cert (which has no actual resolvable name or IP).
You can also set up DNS to point to your server, and NOT set up a conf to cover that name.
And assuming your web server will serve it from the default conf, you can use that as the authentication point for webroot.
I'm confused. Are you saying I can issue the exact same Certbot command shown in my original post for a domain even though it's not set up yet on our server or with Apache?
What is DNS authentication?
I'm not sure what you mean, is there an example of this you can point me to?
Yes, it should read 0.29.1, but the forum software won't allow me to edit my original post.
If you want to use http-01 validation, you need a running webserver. But Certbot has an option to create a temporary webserver (if port 80 is free), so you don't need to configure your own webserver.
So you can use the --standalone option.
The dns-01 validation doesn't use a webserver. Instead, you have to create a special DNS TXT entry
_acme-challenge.yourdomainname.com
with a special value. Then Let's Encrypt checks if this TXT entry exists.
But if you want to use (and automate) that, your DNS provider should support an API.
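Since the server in question runs its own BIND, the "API" for the dns-01 route can simply be a dynamic DNS update (RFC 2136) sent with nsupdate. The following hook script is an added example, not something posted in this thread or shipped by Certbot; it assumes BIND listens on 127.0.0.1, that the zone has `allow-update { key "certbot"; };` for a TSIG key stored in the hypothetical file /etc/named/certbot.key, and that Certbot invokes the script as `--manual-auth-hook` / `--manual-cleanup-hook`, which sets the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables. The record name and the nsupdate batch are built in functions so they can be checked on their own; the wildcard case (`*.example.com` is validated at `_acme-challenge.example.com`) is handled explicitly.

```shell
#!/bin/sh
# Hypothetical dns-01 hook for Certbot against a local BIND server.
# Added example for this thread; not part of Certbot or BIND.
#
# Assumptions (not from the thread):
#   - BIND accepts dynamic updates on 127.0.0.1 with the TSIG key in
#     $TSIG_KEYFILE (zone "example.com" { allow-update { key "certbot"; }; };)
#   - Certbot runs this script with CERTBOT_DOMAIN / CERTBOT_VALIDATION set:
#       certbot certonly --manual --preferred-challenges dns \
#         --manual-auth-hook    "/usr/local/bin/bind-hook.sh add" \
#         --manual-cleanup-hook "/usr/local/bin/bind-hook.sh del" \
#         -d example.com -d '*.example.com'

NAMESERVER="${NAMESERVER:-127.0.0.1}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/named/certbot.key}"   # hypothetical path
TTL=60

# Name of the TXT record the CA will query.  A wildcard is validated at the
# base name: '*.example.com' -> '_acme-challenge.example.com'.
challenge_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# Emit the nsupdate batch for one domain/token pair.
#   add: append a record (example.com and *.example.com both use the same
#        name, so two TXT values must coexist for one certificate request)
#   del: remove only that exact record, leaving the other token in place
nsupdate_batch() {
    action="$1"; domain="$2"; token="$3"
    name=$(challenge_name "$domain")
    case "$action" in
        add) rr="update add $name $TTL IN TXT \"$token\"" ;;
        del) rr="update delete $name IN TXT \"$token\"" ;;
        *)   echo "unknown action: $action" >&2; return 2 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$NAMESERVER" "$rr"
}

# Poll the authoritative server until it serves the token, so Certbot does
# not ask Let's Encrypt to validate before the update has been applied.
wait_for_txt() {
    name=$(challenge_name "$1"); token="$2"; tries=0
    while [ "$tries" -lt 10 ]; do
        if dig +short "@$NAMESERVER" TXT "$name" | grep -q "\"$token\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 2
    done
    echo "TXT $name not visible on $NAMESERVER" >&2
    return 1
}

if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    # Real hook run: push the update to BIND, then confirm it is served.
    action="${1:-add}"
    nsupdate_batch "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$TSIG_KEYFILE"
    [ "$action" = add ] && wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
else
    # Not called by Certbot: print the batch for a constructed example so the
    # output can be inspected without touching any DNS server.
    nsupdate_batch add '*.example.com' 'constructed-token-value'
fi
```

The script only ever writes `_acme-challenge` records and the TSIG key should be restricted to that in BIND (`update-policy { grant certbot name _acme-challenge.example.com TXT; };`) rather than `allow-update` for the whole zone, so a leaked key cannot rewrite the zone's A records. Certbot also ships a `dns-rfc2136` plugin that does the same update with a credentials file, which is the less hand-rolled option once the TSIG key is in place.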
I have my own web server and use BIND on that server for all DNS, but I have no idea if what you suggest about an API will work with this setup, although even if it did, I don’t think I’d be able to figure out how to set it up. This is all a bit over my head.
I guess I should just continue to do the two-step process I explained above.