Certbot: one cert per vhost on user-installed apache, best practice?

tbrowder · July 30, 2017, 11:05am

For my needs it looks as if I need one cert command for each, thus calling for a wrapper script.

Can anyone explain the differences between using the apache method versus the webroot method? In either case it seems a restart is needed to use the updated certs.

Thanks.

ahaw021 · July 30, 2017, 12:23pm

hi @tbrowder

If you have a look at the documentation its fairly well covered there

The table can be a bit hard to read so I use a marked down version (below)

Essentially Plugins can do one of two things install or authenticate.

Installers are responsible for installing the certificates while authenticators pass the challenge.

As you can see the apache plugin is an installer and authenticator and uses the TLS-SNI challenge.

The webroot plugin will let you pass the challenge but will not configure the web server for you. The webroot method uses the HTTP challenge.

Andrei

tbrowder · July 31, 2017, 11:16pm

Thanks, Andrei. I have read the docs before but the subtleties of the differences eluded me because they have been somewhat masked by the implentation of the clients I have tried:

acme.sh [bash]

acme-client [C]

I tried certbot initially but was looking for a client which would manage my modest multiple-domain collection rather than a single cert at a time.

After a bit more experience, I am returning to try certbot again and write wrapper scripts to better suit my needs (until Apache’s mod_md is incorporated into stable Apache).

ahaw021 · August 1, 2017, 2:40am

I am not sure where this confusion came from but certbot has been able to manage multiple domains for a while.

Andrei

schoen · August 1, 2017, 2:59am

Maybe one issue is that Certbot currently doesn’t have a mode to obtain more than one new certificate per invocation. So if you had a list of 1000 domains and you wanted 10 certificates collectively covering those 1000 domains, you would currently have to run Certbot 10 different times.

Beyond that, there is currently no automated method to “rebalance” or “reallocate” domains among certificates, e.g. if you later removed 5 domains from that list of 1000 and added 25 domains, Certbot wouldn’t have a method that could automatically obtain 11 certificates with an allocation that covers the 1020 domains that you now want to be covered.

I can imagine that it could be helpful to have a Certbot mode that says “I want to have certificates that, collectively, cover the domains in domains.txt” and to have Certbot first analyze its current ACME authz list and obtain any necessary authorizations, and second analyze its current managed certificates and perform the smallest possible number of new issuances required to ensure that exactly those names listed in domains.txt are covered by currently valid certificates, and no others. We don’t have any features like that at the moment.

ahaw021 · August 1, 2017, 3:19am

Does certbot keep a list of current pending authz? If so where

Andrei

tbrowder · August 2, 2017, 3:45pm

I should have said “multiple certificates.” Certbot, like most of the clients I have tried (with the exception of acme.sh) aren’t capable of that.

system · September 1, 2017, 3:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.