Cerbot and Subdomains

pmvw-alaskapublic · January 5, 2021, 5:15pm

My domains are: alaskapublic.org / kakm.org / aprn.org / kska.org

I'm on an Ubuntu (18.04.5) server in AWS. I only have SSH access to deal with this issue, so no control panel to work with. We're running apache2 version 2.4.29 and
certbot version 1.10.1

I'm working on making our SSL Certs correct.

Currently we have certs issued for:
alaskapublic.org
www.alaskapublic.org
media.aprn.org
media.kakm.org
media.kska.org

HOWEVER...
The certs really should be more like:
*.alaskapublic.org alias www.alaskapublic.org
*.aprn.org alias media.aprn.org
*.kakm.org alias media.kakm.org

The question is...
Should I revoke and delete the existing certificates with certbot and let it re-create the certs based off of the Apache2 conf? Or is there a better way to do this without causing significant downtime for the sites?

Thanks.
Piet

jvanasco · January 5, 2021, 5:39pm

Since you seem to know what you're doing with Apache configs...

I would generate new certificates and code them into Apache as you wish -- then use a post-hook to restart apache on the renewals.

Because you want wildcards, you'll need to use DNS-01 challenge. I strongly recommend installing acme-dns (https://github.com/joohoi/acme-dns) to handle those challenges.

JuergenAuer · January 5, 2021, 5:59pm

Hi @pmvw-alaskapublic

that's not possible.

*.alaskapublic.org includes www.alaskapublic.org, so you can't create a certificate with a wildcard and a subdomain covered by the wildcard.

dns validation is much more critical, your dns provider must support an API. http validation works with every webserver -> preferred.

That's always wrong. Read the basics about rate limits. If you need really a new certificate, create the new and store the old, so you can use it as backup.

jvanasco · January 5, 2021, 6:45pm

I read their comment as replacing the subdomain with a wildcard, not extending it. In Apache, the directive for mapping the host to the virtualhost is ServerAlias

e.g.

<VirtualHost *:80>
  ServerName server.example.com
  ServerAlias server server2.example.com server2
  ServerAlias *.example.com

pmvw-alaskapublic · January 5, 2021, 7:37pm

Thanks for all the quick replies.

@JuergenAuer Love your response sir. I mis-typed what I meant, but the gyst is still the same. Yes, I'm planning on using the wildcard to replace the subdomain certs. (sigh why would someone NOT do that to begin with) Yeah, the DNS issue is going to be a bigger issue. I'll have to work that one through.

@jvanasco
I might have to use the acme-dns since we have GoDaddy for our primary DNS servers.

Yet, before I do that... I was looking at this:

Which might provide the go-between Let's Encrypt and GoDaddy

jvanasco · January 5, 2021, 7:55pm

That is fine if you plan on running it locally and uploading the certificates. The problem with using API tokens with most vendors, I am unsure of GoDaddy is the API Tokens are typically not fine-grained with Permissions -- so if your server is compromised, the attackers can control much of the vendor account with the API tokens. See this article:

With acme-dns, you delegate the _acme-challenge records on your vendor's DNS to a specific acme-dns server, which only handles the acme-challenge records. if the server becomes compromised, the compromised api tokens are (ideally) limited to acme-dns.