I'm working on getting everything in place for the auto-renew. So the concept is that I just have to add a cron job 'certbot renew' and then my manual process to update the application configs and restarts. I used the manual http challenge to authenticate my server control and this was achieved with the following from the 'certbot certonly --manual...' command:
If you don't have HTTP server configured, you can run the following
command on the target server (as root):
mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" 2QozExfku1jskZWPW3aNNU9BvjCwvqBRlPhmgBTTsQo.yJJle1jWO-ipoXBOvyaFxNF8I6VXh8waSq9lWMqam6c > .well-known/acme-challenge/2QozExfku1jskZWPW3aNNU9BvjCwvqBRlPhmgBTTsQo
run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c
"import BaseHTTPServer, SimpleHTTPServer;
s = BaseHTTPServer.HTTPServer(('', 9823), SimpleHTTPServer.SimpleHTTPRequestHandler);
s.serve_forever()"
Press Enter to Continue
This works fine to pull the cert. So for automating the renewal, the question is... Does certbot need to connect to this temp server every time it renews?
Correct, the website is NAT'ed from the incoming IP with any port to the server at a specific port. I redirect port 80 to port 9823. It is an Atlassian Bitbucket application (which uses Tomcat) running on Linux. I had tried many different ways to do this but was not able to get any of them to work. But spinning up the standalone server does work. So I was happy… Until I started thinking about the renew… After I got the cert I shut down the standalone server and dropped the 80->9823 NAT rule. So that is why I was asking if renew needs to do the standalone server again to renew. Which we could do, but I was hoping to totally automate this.
You will need to re-perform the challenges when you renew, so you'll need to have the same method that you used initially available once again (in this case, running the standalone server with the port redirection in place again).
If you’d like to discuss why the other authentication methods didn’t work for you, maybe we could figure out whether you have any other options.
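The following is an added example, not code from the thread or from Certbot itself: a single hook script that recreates the first post's manual HTTP-01 setup (the webroot under /tmp/certbot/public_html and the throwaway HTTP server on port 9823) on demand, so that the "same method available once again" requirement from the reply above can be satisfied by `certbot renew` without anyone at the keyboard. It assumes python3 is installed (the thread's python2 one-liner is replaced by `python3 -m http.server`), that the 80->9823 NAT rule is put back in place by whatever manages the firewall, and that the paths and the `hook.sh` file name are placeholders. Certbot sets `CERTBOT_TOKEN` and `CERTBOT_VALIDATION` in the environment of `--manual-auth-hook` and `--manual-cleanup-hook` commands; the script uses those.

```shell
#!/bin/sh
# Added example (not from the thread): certbot --manual-auth-hook /
# --manual-cleanup-hook script that recreates the manual HTTP-01 setup at
# renewal time. Assumptions (not from the thread): python3 is present, the
# 80->9823 NAT rule is restored externally, and WEBROOT is writable.
set -eu

WEBROOT="${WEBROOT:-/tmp/certbot/public_html}"   # webroot from the thread
PORT="${PORT:-9823}"                               # port from the thread
PIDFILE="${PIDFILE:-/tmp/certbot/http.pid}"        # placeholder location

# Write the key authorization for one challenge into the webroot and print
# the path of the token file. The token is checked against the base64url
# alphabet first so that a hostile value such as "../x" cannot escape the
# acme-challenge directory.
write_challenge() {
  webroot="$1"; token="$2"; validation="$3"
  case "$token" in
    *[!A-Za-z0-9_-]*|"") echo "refusing suspicious token: $token" >&2; return 1 ;;
  esac
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$validation" > "$dir/$token"
  chmod 0644 "$dir/$token"
  printf '%s\n' "$dir/$token"
}

# Remove one token file after validation.
remove_challenge() {
  rm -f "$1/.well-known/acme-challenge/$2"
}

# Start the throwaway HTTP server once, serving only the webroot, and keep
# its pid so the cleanup hook can stop it. Keep nothing but the challenge
# directory under WEBROOT: everything there is world-readable while it runs.
start_server() {
  if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
    return 0                               # already running from a prior domain
  fi
  mkdir -p "$(dirname "$PIDFILE")"
  ( cd "$WEBROOT" && exec python3 -m http.server "$PORT" --bind 0.0.0.0 ) \
      >"$(dirname "$PIDFILE")/http.log" 2>&1 &
  echo $! > "$PIDFILE"
}

stop_server() {
  [ -f "$PIDFILE" ] || return 0
  kill "$(cat "$PIDFILE")" 2>/dev/null || true
  rm -f "$PIDFILE"
}

# Dispatch: certbot exports CERTBOT_TOKEN/CERTBOT_VALIDATION for the auth
# hook; the same script is registered as the cleanup hook with the argument
# "cleanup". Nothing runs when the script is merely sourced.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
  if [ "${1:-auth}" = cleanup ]; then
    remove_challenge "$WEBROOT" "$CERTBOT_TOKEN"
    stop_server
  else
    write_challenge "$WEBROOT" "$CERTBOT_TOKEN" "${CERTBOT_VALIDATION:?}" >/dev/null
    start_server
  fi
fi
```

With the script saved as, say, /usr/local/sbin/hook.sh (a placeholder path), the renewal becomes `certbot renew --manual-auth-hook "/usr/local/sbin/hook.sh auth" --manual-cleanup-hook "/usr/local/sbin/hook.sh cleanup" --deploy-hook /path/to/update-app-config.sh`, where the deploy hook is the thread's existing "update the application configs and restart" step. Certbot will not renew a certificate that was obtained interactively with `--manual` from an unattended `certbot renew` unless an auth hook is supplied, which is exactly what this script provides. The cleanup hook runs even when validation fails, so the server and the NAT exposure on port 80 are only present for the duration of the challenge.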
If you're going to renew using the HTTP challenge, the Let's Encrypt servers need to be able to reach http://$HOSTNAME:80/. So if you don't have a webserver running there already, yes, you'll need to start one up in order to solve the challenge.
You might be better off looking into a client that does the DNS challenge well, like acme.sh or dehydrated, and using that challenge instead.
Thanks @schoen, it was a while ago (like when Let's Encrypt first went live)… But I think I could not get it to ever find/read the well-known key. We currently have self-signed certs and the app only offers SSL (this is mandatory for security and compliance reasons). Just got going again with LE certs…
Thanks @danb35 I do have total access to our DNS records but have not tried it, or I was unsuccessful, or ran with what I did get working… Cannot remember. Might look into it again.
Certbot has been the only tool that I have used and I’m familiar with it. I’m pretty sure it does DNS so maybe I should look into that for my automation desires.
Certbot does support the DNS challenge, but doesn’t support automating it. Some of the other clients (including the two I mentioned) do support automating the DNS updates with a number of different DNS hosts.
I went back to using certbot manually. I had nothing but intermittent problems with the DNS. Sometimes it worked, sometimes it didn’t, and sometimes it did then it didn’t.
How does the multiple domain cert work? I basically have a bunch of services running on one big server. I have a DNS record for the domain, say example.com, which points to 1.2.3.4, then I have subdomains set up like:
@pnelson, Let’s Encrypt is happy to issue multi-domain certs, but the difficulty is proving at the same time from the same requesting machine that it can act on behalf of someone who controls all of the domain names that will appear in the certificate.
There are several approaches to this. You can probably do it by making one server send an HTTP 301 redirection for /.well-known/acme-challenge pointing to the other server. Then the other server will be able to request and obtain a certificate covering all of the domains (because the certificate authority is willing to follow 301 redirects when using the HTTP-01 challenge type).
This can also be done using the DNS-01 challenge type, probably more easily with acme.sh instead of Certbot, if you have a way to update the DNS records through an API.
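As an added example (not from the thread or any of the tools it names) of the 301 strategy described above: before pointing a multi-domain request at the redirecting hosts, it is worth checking that each host's redirect actually preserves the /.well-known/acme-challenge/<token> path, because a redirect to the other server's root would make the CA fetch the wrong URL. The script below probes a host with curl and validates the status and Location it gets back. Host names are placeholders, curl is assumed to be installed, and the probe file name "redirect-probe" is an invented token that the target does not need to serve (a 404 there is fine; only the redirect is being checked).

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check that a host's
# HTTP-01 redirect is shaped the way the CA needs. Assumes curl is installed;
# host names are placeholders supplied by the caller.
set -eu

# Probe one host and print "<status> <redirect_url>" on one line
# (redirect_url is empty when the response is not a redirect).
probe_redirect() {
  curl -s -o /dev/null --max-time 10 \
       -w '%{http_code} %{redirect_url}' \
       "http://$1/.well-known/acme-challenge/redirect-probe"
}

# Validate one probe line against the expected target host.
# Succeeds only when the status is 301/302 and the Location keeps the
# /.well-known/acme-challenge/<token> path on the target host over
# http or https (both are followed by the CA for HTTP-01).
check_redirect() {
  line="$1"; target="$2"
  status="${line%% *}"
  url="${line#* }"
  case "$status" in
    301|302) ;;
    *) echo "status '$status' is not a redirect" >&2; return 1 ;;
  esac
  case "$url" in
    "http://$target/.well-known/acme-challenge/redirect-probe"|\
    "https://$target/.well-known/acme-challenge/redirect-probe") return 0 ;;
    *) echo "redirect goes to '$url': token path not preserved" >&2; return 1 ;;
  esac
}

# Network probe only when the caller names both hosts, e.g.
#   SRC_HOST=sub.example.com TARGET_HOST=main.example.com ./check-redirect.sh
if [ -n "${SRC_HOST:-}" ] && [ -n "${TARGET_HOST:-}" ]; then
  check_redirect "$(probe_redirect "$SRC_HOST")" "$TARGET_HOST" \
    && echo "OK: $SRC_HOST redirects challenges to $TARGET_HOST"
fi
```

Run it once per subdomain that will be redirected; any host that fails the check would fail the real HTTP-01 validation for the same reason. Keep the redirect limited to the /.well-known/acme-challenge/ prefix on the source server so that the rest of that service's traffic is not sent elsewhere.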
It was a real headache working with the DNS-01 challenge and acme.sh in general. I'm familiar with certbot and I will continue to use it as long as it's getting me certs.
Not exactly a requirement with the 301 redirect strategy!
That depends which list of domains you want the cert to apply to. You'll get whichever certificate you request, assuming that you can pass all of the challenges that the CA issues.