Certbot keeps asking for Virtualhost

My domain is:
*.sjuharadtradservice.se, sjuharadtradservice.se, *.7htradservice.se, 7htradservice.se

I ran this command:
certbot --manual -d "*.sjuharadtradservice.se,sjuharadtradservice.se,*.7htradservice.se,7htradservice.se" --preferred-challenges=dns -q --manual-auth-hook /etc/nsd/certbot.pl --manual-cleanup-hook /etc/nsd/cleanup.sh --agree-tos --email <**HIDDEN**> --installer apache

It produced this output:

Missing command line flag or config entry for this setting:
Which VirtualHosts would you like to install the wildcard certificate for?
File: /etc/apache2/sites-enabled/000-default.conf
Addresses: *:80
Names: www.7htradservice.se, sjuharadtradservice.se, www.sjuharadtradservice.se, 7htradservice.se
HTTPS: No
?

My web server is (include version):
Apache2

The operating system my web server runs on is (include version):
Debian bookworm (RaspiOS-Lite)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.1.0

Contents of certbot.pl:

#!/usr/bin/perl
use strict;
use warnings;

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook.
# Pick the nsd zone file for this domain.
my $zone = ($ENV{'CERTBOT_DOMAIN'} =~ m/sju/) ? '/etc/nsd/sju.zone' : '/etc/nsd/7h.zone';

# Append the TXT record that the dns-01 challenge expects.
open(my $dnsfile, '>>', $zone) or die "cannot open $zone: $!";
print $dnsfile "_acme-challenge.".$ENV{'CERTBOT_DOMAIN'}.". IN TXT \"".$ENV{'CERTBOT_VALIDATION'}."\"\n";
close($dnsfile);

# Make nsd serve the new record.
system('/usr/sbin/nsd-control reload') == 0 or die "nsd-control reload failed: $?";

Contents of cleanup.sh:

#!/bin/sh
# Restore the pristine zone files (saved before issuance) and reload nsd,
# which removes the _acme-challenge TXT records again.

cp /etc/nsd/7h.backup /etc/nsd/7h.zone
cp /etc/nsd/sju.backup /etc/nsd/sju.zone
nsd-control reload

I wonder, how do I supply which VirtualHost -i apache should apply the certificate on?
I can't find this in the documentation, how I supply a command-line to specify which virtualhost I should apply the certificate for.

Seems the certificate went through though, so the issuance works, just the install that doesn't work:

Guess it would be better to write my own --deploy-hook, but there's no documentation or examples on that either.
Only the auth-hook and cleanup-hook I could find documentation on.
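The auth hook above works for the two zones on this machine, but it selects the zone file with a loose regex and writes the validation token into an authoritative zone file unchecked. The following is an added example, not the poster's script, of the same manual-auth-hook written as a shell script for nsd: the zone is chosen by exact suffix match, the token is checked against the base64url alphabet certbot uses, and the script only acts when certbot's CERTBOT_DOMAIN and CERTBOT_VALIDATION variables are present. The zone file names and the /etc/nsd directory are taken from the post; the ZONE_DIR override is an assumption added for testing.

```shell
#!/bin/sh
# Added example (not the original certbot.pl): manual-auth-hook for nsd.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs this hook.
set -eu

# Zone directory from the post; overridable so the functions can be exercised elsewhere.
ZONE_DIR="${ZONE_DIR:-/etc/nsd}"

# Map a certbot domain to its zone file by exact suffix match, so a name that
# merely contains "sju" somewhere cannot be routed to the wrong zone.
zone_for_domain() {
    case "$1" in
        sjuharadtradservice.se|*.sjuharadtradservice.se) echo "sju.zone" ;;
        7htradservice.se|*.7htradservice.se)             echo "7h.zone" ;;
        *) return 1 ;;
    esac
}

# CERTBOT_VALIDATION for dns-01 is a base64url token; refuse anything else so
# no unexpected characters (quotes, newlines) ever reach the zone file.
valid_token() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# The record line the dns-01 challenge expects.
txt_record() {
    printf '_acme-challenge.%s. IN TXT "%s"\n' "$1" "$2"
}

# Only run the side effects when invoked by certbot.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    zone=$(zone_for_domain "$CERTBOT_DOMAIN") || { echo "unknown domain: $CERTBOT_DOMAIN" >&2; exit 1; }
    valid_token "$CERTBOT_VALIDATION" || { echo "unexpected validation token" >&2; exit 1; }
    txt_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" >> "$ZONE_DIR/$zone"
    /usr/sbin/nsd-control reload
fi
```

With a wildcard and its apex in one order, certbot calls the hook once per name, so two TXT records end up under the same _acme-challenge name; appending both is what the challenge requires, and the cleanup hook's restore-from-backup removes both afterwards.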

You might do better by not using apache to install the cert.
For now, just focus on getting the cert.
Once you have that part working, then install the cert wherever needed [manually if necessary].
If all goes well, certbot will renew the cert every two months.
And you can restart/reload apache after each renewal with a --deploy-hook script.

5 Likes
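The reply above suggests reloading Apache from a --deploy-hook, which the original poster could not find an example of. This is an added example of such a hook, not from the thread or from certbot's own code. It relies on two variables certbot sets for deploy hooks, RENEWED_DOMAINS (space-separated names on the renewed certificate) and RENEWED_LINEAGE, reloads Apache only when the vhost's ServerName is actually covered by the renewed certificate, and refuses to reload when the configuration fails a syntax check. The ServerName default is taken from the vhost shown in the thread; the SERVER_NAME override is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): certbot --deploy-hook for Apache.
# certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE when it runs a deploy hook.
set -eu

# Name the Apache vhost serves (from the thread); overridable for other hosts.
SERVER_NAME="${SERVER_NAME:-www.sjuharadtradservice.se}"

# domain_covered NAME "DOMAIN DOMAIN ..." : true when NAME is one of the renewed
# names, or matches a renewed wildcard (a wildcard covers exactly one extra label).
domain_covered() {
    name=$1
    for d in $2; do
        if [ "$d" = "$name" ]; then
            return 0
        fi
        case "$d" in
            \*.*)
                base=${d#\*.}
                rest=${name%."$base"}
                if [ "$rest" != "$name" ] && [ -n "$rest" ] && [ "$rest" = "${rest##*.}" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Reload (not restart) Apache, and only after the config passes a syntax check,
# so a broken vhost cannot take the site down in the middle of a renewal.
reload_apache() {
    if apachectl configtest >/dev/null 2>&1; then
        systemctl reload apache2
    else
        echo "apache config test failed; not reloading" >&2
        return 1
    fi
}

# Only act when invoked by certbot after a successful renewal.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    if domain_covered "$SERVER_NAME" "$RENEWED_DOMAINS"; then
        echo "certificate for $SERVER_NAME renewed in ${RENEWED_LINEAGE:-?}; reloading apache"
        reload_apache
    fi
fi
```

Dropping this script, made executable, into /etc/letsencrypt/renewal-hooks/deploy/ makes certbot run it after every successful renewal without any cron-line flags; a non-zero exit is reported by certbot in its renewal log, which is where a failed config test will show up.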

yeah realized that. Pointed my apache2 to:

        SSLCertificateFile      /etc/letsencrypt/live/sjuharadtradservice.se/fullchain.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/sjuharadtradservice.se/privkey.pem

and then did in crontab -e:

1 1 1 * * certbot renew --force-renewal --manual -q --manual-auth-hook /etc/nsd/certbot.pl --manual-cleanup-hook /etc/nsd/cleanup.sh --deploy-hook "systemctl restart apache2"

Don't do it that way.

4 Likes

Why not? Since crontab is 1 1 1 * *, it will run once a month; if certbot for some reason decides it's not worth renewing the cert, it could expire in the middle of a month.

Or does certbot always (as in ALWAYS) renew a certificate with less than 32 days on it?

The recommended renewal setting is to check twice a day.
And it will only renew when needed - when the days left are less than 30 [default].
[that's 60 checks per month]

Your method only tries one a month.
What happens when that one try fails?

4 Likes

Also, one minute after the hour may be a busy time.
It should be more random...

3 Likes

That's why I did 2 --force-renewal. So cert is valid 90 days, it will do 1 forced after 30 days, and 1 forced after 60 days, and then it will expire shortly before the third force (as a month is usually 31 days).

This means if one of these hits fails, I will still have a cert valid from the previous run that is valid AT LEAST 30 days.

2 failed hits in a row, then the site will be invalid for a few days before the third hit goes.

Aah, good point about time, I'll set it more random, ergo put a time I found on random.org as cron execution time.

You may be over-thinking/over-engineering your scheduling process.

Again, the recommended setting is to have it check twice a day.
That check is done locally - not online.
And it will then try to renew only when the cert life left is less than 30 days [that number can be adjusted].

That's a 60 times more accurate renewal chance!

4 Likes

That's very wasteful. If everybody would renew twice where just once was in order, the load on Let's Encrypt's systems would DOUBLE! I.e., from 5 million certs daily to 10 million!

Please discontinue your incorrect and wasteful method of renewing and simply let Certbot determine when it's time to renew, without forcing anything.

As mentioned, the current recommendation is to run Certbot twice a day and NOT use --force-renewal.

2 Likes

See this topic for the cronjob that Certbot creates. It randomizes start times.
https://eff-certbot.readthedocs.io/en/latest/using.html#setting-up-automated-renewal

You need to check for renewal frequently because sometimes Let's Encrypt will revoke certs due to mis-issuance. This is rare but happened just a few weeks ago.

3 Likes
