Certbot --help incomprehensible

Not sure, honestly. With my mail I have both with two different ports. If it's a a webmail access then the port 443 SSL will be important.

1 Like

You're suggesting to use the apache plugin, also as installer plugin, so yes, it looks for an Apache virtualhost. An option to prevent this might be by using -a apache in stead of --apache. I think this would result in certbot choosing the "null" installer plugin, which of course wouldn't try to install anything.

Users shouldn't run a command a second time if it succeeded previously anyway.. Also, without --keep the user would have to purposely choose to issue a new cert again in stead of reinstalling it.
You can only prevent users doing stupid things that much by adding more and more options.. In the end they'll always find a way to mess things up. I'm personally enclined not to "pamper" the users too much :wink:

Not a clue, I mainly got the idea @davekimble2 came here to complain about the --help output..

3 Likes

In all fairness that is a valid complaint.

2 Likes

Do children in Holland not run into the street? :wink:

With --keep the user can't choose to issue a duplicate certificate. That's the whole point. I don't believe they're given the option. I may be wrong. It's a "latch" in my world.

2 Likes

Survival of the "fittest" - the ones that did took that trait to the grave - LOL

2 Likes

Not a clue, I'm not from Holland :wink: :crazy_face:

They are:

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/le-test-01.example.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

This was with .. run .. --cert-name .. -a apache -i null ...

And the choices for when using certonly:

1: Keep the existing certificate for now
2: Renew & replace the cert (may be subject to CA rate limits)
3 Likes

Did you include --keep? I'm curious what options (if any) are offered once you have a certificate and use --keep.

2 Likes

Sorry. My American naivety of world geography bit me. I should have said "The Netherlands". :slightly_smiling_face:

3 Likes

As said, --keep does have a function when there already exists the same cert and will prevent this question. I was merely trying to show you that even if a user runs a command without --keep twice, it wouldn't just magically issue a new cert without the user explicitely telling certbot to do so. It even clearly states possible consequences (rate limits).

3 Likes

I just wanted to take away the rope to prevent self-hanging. Why offer people an option with absolutely no beneficial outcome?

2 Likes

Like I said, I'm just not an advocate of adding more and more command line options to prevent from users potentially doing a stupid thing. I'd like to advocate for users to understand what they are doing. I strongly believe people should never undertake any action they don't (fully) understand. Whether that's a choice made in an application of adding any option to the command line.

3 Likes

Like doing their taxes? Signing a mortgage? I wish I fully understood everything before undertaking it. I just don't think I'll live that long. :pensive:

I agree about not adding more command line options. That's why I've advocated for making --keep the default behavior, only to be overridden by an-option-that-shall-remain-unnamed. :wink:

3 Likes

sudo apachectl =S

VirtualHost configuration:
*:80                   mail.davekimble.net (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

SMTP only

It occurs to me that although certbot is setting up a new Apache2 configuration on my development server, my router is still directing all port 80 traffic to the production server.
/etc/apache2/sites-enabled/000-default.conf (which the only one in there) has:

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

but /var/www/html/ only has an index.htm in it.

I have used https://sslforfree.com many times in the past. Last time I tried it it was in some kind of transition, but now it is working to generate ZeroSSL certificates, which are not free.

3 Likes

If you will be using HTTP authentication, then you will have to choose from:

  • run certbot on the production system
    then copy the cert to the dev system
  • add a proxy to the production system so that the development system can hear the HTTP challenge requests and run certbot on dev
  • configure the router to send port 80 to the development system (and run certbot there)
  • configure the router to send port 80 to the development system (and run certbot there) and add a proxy to the dev system so that it only handles the challenge requests locally and forwards all other HTTP requests to the production system (presuming the production system needs some HTTP connections)
3 Likes

@davekimble2

I am curious:
Does the "dev system" have a FQDN?

Will the "dev system" evolve into a production system or will it be migrated to the existing production system?

2 Likes

Does the "dev system" have a FQDN?

Yes - mail.davekimble.net
My mailserver system is evolving and has reached a stage where sometimes it has port 25 open, which is a potentially risky situation. Advice on what kind of attacks to expect would be welcome.

2 Likes

Why?

I'm not sure if that question is suitable for this Community. It's mainly meant for helping others with getting and/or installing a LE cert. Don't be surprised if you won't get an answer on this question.

2 Likes

Into what?
A real mail server?

Isn't that what a mail server does?

If it responds to a port, expect that it will be scanned, pried, tested, attacked, etc.
As is the case with every open IP:port on the Internet.

2 Likes

Blockquote
g305

3h

Into what?
A real mail server?

Isn't that what a mail server does?

If it responds to a port, expect that it will be scanned, pried, tested, attacked, etc.
As is the case with every open IP:port on the Internet.
g305

The system is intended to work for 1 email address with Thunderbird on the LAN. It has 3 components, SMTP on :587, POP3 on :110 and MTA on :25. Developing software with :25 open to the WAN exposes it to scanning, spamming and attacks, so the MTA component is not always enabled/active. I agree that my question about what kind of attacks is not relevant to this forum, but if anyone has advice on which kind of attacks, it would be welcome.

It is written in PHP and all 3 components need about 400 lines of code, which is less than the poorly documented steering lines in Postfix's main.cf .

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.