Certbot Renew Automation for HTTP Challenge Question


#1

I’m working on getting everything in place for the auto-renew. So the concept is that I just have to add a cron job ‘certbot renew’ and then my manual process to update the application configs and restarts. I used the manual http challenge to authenticate my server control and this was achieved with the following from the ‘certbot certonly --manual…’ command:

If you don’t have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" 2QozExfku1jskZWPW3aNNU9BvjCwvqBRlPhmgBTTsQo.yJJle1jWO-ipoXBOvyaFxNF8I6VXh8waSq9lWMqam6c > .well-known/acme-challenge/2QozExfku1jskZWPW3aNNU9BvjCwvqBRlPhmgBTTsQo
run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c
"import BaseHTTPServer, SimpleHTTPServer;
s = BaseHTTPServer.HTTPServer(('', 9823), SimpleHTTPServer.SimpleHTTPRequestHandler);
s.serve_forever()"

Press Enter to Continue

This works fine to pull the cert. So for automating the renewal, the question is… Does certbot need to connect to this temp server every time it renews?


#2

hi @pnelson

Can you describe your setup a bit more

What web server are you using, on what OS?

Also why are you spinning up a stand alone server? Does your web server not listen on port 80?

Andrei


#3

Correct, the website is NAT’ed from the incoming IP with any port to the server at a specific port. I redirect port 80 to port 9823. It is an Atlassian Bitbucket application (which uses Tomcat) running on Linux. I had tried many different ways to do this but was not able to get any of them to work. But spinning up the stand-alone server does work. So I was happy… Until I started thinking about the renew… After I got the cert I shut down the stand-alone server and dropped the 80->9823 NAT rule. So that is why I was asking if renew needs to do the stand-alone server again to renew. Which we could do, but I was hoping to totally automate this.


#4

Hi @pnelson,

You will need to re-perform the challenges when you renew, so you’ll need to have the same method that you used initially available once again (in this case, running the standalone server with the port redirection in place again).

If you’d like to discuss why the other authentication methods didn’t work for you, maybe we could figure out whether you have any other options.
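Making the standalone-server method repeatable for `certbot renew`, as an added example that is not from this thread: a manual hook script that reproduces the quoted manual step (challenge file under /tmp/certbot/public_html, temporary HTTP server on port 9823 behind the 80->9823 NAT rule). It assumes python3 is available (the thread's python2 one-liner would serve equally) and that certbot's real `--manual-auth-hook` / `--manual-cleanup-hook` options are used, which export CERTBOT_TOKEN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES to the hook.

```shell
#!/bin/sh
# Added example, not from the thread: certbot manual hooks for the HTTP-01 challenge.
# Assumes the thread's paths/port and that the 80->9823 NAT rule stays in place.
WEBROOT="${WEBROOT:-/tmp/certbot/public_html}"
PORT="${PORT:-9823}"
PIDFILE="${PIDFILE:-/tmp/certbot/httpserver.pid}"

# Write the key authorization certbot hands us (CERTBOT_VALIDATION) to
# <webroot>/.well-known/acme-challenge/<CERTBOT_TOKEN>. Tokens that could escape the
# challenge directory (empty, leading dot, path separator) are rejected.
write_challenge() {
    root="$1"; token="$2"; validation="$3"
    case "$token" in ""|.*|*/*) return 1 ;; esac
    mkdir -p "$root/.well-known/acme-challenge" || return 1
    printf '%s' "$validation" > "$root/.well-known/acme-challenge/$token"
}

# Start the throwaway HTTP server once; the auth hook runs once per domain of a
# multi-domain request, so later invocations reuse the running server.
start_server() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then return 0; fi
    mkdir -p "$(dirname "$PIDFILE")"
    python3 -m http.server "$PORT" --directory "$WEBROOT" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    sleep 1   # let it bind before certbot asks the CA to validate
}

stop_server() {
    [ -f "$PIDFILE" ] || return 0
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
}

case "$1" in
    auth)
        write_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" || exit 1
        start_server ;;
    cleanup)
        rm -f "$WEBROOT/.well-known/acme-challenge/$CERTBOT_TOKEN"
        # Tear the server down only after the last domain's challenge is finished.
        [ "${CERTBOT_REMAINING_CHALLENGES:-0}" = "0" ] && stop_server ;;
esac
```

Register it once with `certbot certonly --manual --preferred-challenges http --manual-auth-hook '/path/to/hook.sh auth' --manual-cleanup-hook '/path/to/hook.sh cleanup' -d ...` (hypothetical path); certbot records the hooks in the renewal configuration, so a cron `certbot renew` reruns them, and the application config update and restart can go in a `--deploy-hook` script.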


#5

If you’re going to renew using the HTTP challenge, the Let’s Encrypt servers need to be able to reach http://$HOSTNAME:80. So if you don’t have a webserver running there already, yes, you’ll need to start one up in order to solve the challenge.

You might be better off looking into a client that does the DNS challenge well, like acme.sh or dehydrated, and using that challenge instead.


#6

Thanks @schoen, it was a while ago (like when Let’s Encrypt first went live)… But I think I could not get it to ever find/read the well-known key. We currently have self-signed certs and the app only offers SSL (this is mandatory for security and compliance reasons). Just got going again with LE certs…

Thanks @danb35, I do have total access to our DNS records but have not tried it, or I was unsuccessful, or ran with what I did get working… Cannot remember. Might look into it again.

Certbot has been the only tool that I have used and I’m familiar with it. I’m pretty sure it does DNS so maybe I should look into that for my automation desires.


#7

Certbot does support the DNS challenge, but doesn’t support automating it. Some of the other clients (including the two I mentioned) do support automating the DNS updates with a number of different DNS hosts.


#8

Do any support automating the DNS with gandi.net?


#9

Yes, at least acme.sh does:


#10

OK, I’m testing out DNS. I am trying it manually of course. Is it important to wait (registrar says 20 minutes) prior to clicking continue?


#11

Sorry, what was the message that you saw that told you to wait 20 minutes?


#12

It was on the Gandi.Net site…

Although in my testing it seems to go right on through almost immediately.


#13

hi @danb35

Technically not true - it just requires a script and a hook.

Andrei


#14

I went back to using certbot manually. I had nothing but intermittent problems with the DNS. Sometimes it worked, sometimes it didn’t, and sometimes it did then it didn’t.


#15

How does the multiple-domain cert work? I basically have a bunch of services running on one big server. I have a DNS record for the domain, say example.com, which points to 1.2.3.4, then I have subdomains set up like:

a.example.com -> 1.2.3.5
b.example.com -> 1.2.3.6
c.example.com -> 1.2.3.7
d.example.com -> 1.2.3.8

a, b, and c are NAT’ed to the same server at our firewall.
d is NAT’ed to a virtual server on a different system.

Can I produce one cert for a,b,c,and d? Or 2? Or do I have to do 4?

This might make automation easier as I just have to do it once.


#16

@pnelson, Let’s Encrypt is happy to issue multi-domain certs, but the difficulty is proving at the same time from the same requesting machine that it can act on behalf of someone who controls all of the domain names that will appear in the certificate.

There are several approaches to this. You can probably do it by making one server send an HTTP 301 redirection for /.well-known/acme-challenge pointing to the other server. Then the other server will be able to request and obtain a certificate covering all of the domains (because the certificate authority is willing to follow 301 redirects when using the HTTP-01 challenge type).

This can also be done using the DNS-01 challenge type, probably more easily with acme.sh instead of Certbot, if you have a way to update the DNS records through an API.


#17

@schoen, OK so it looks like a and b and c could be one cert, seeing it really has to do with the physical presence of acme-challenge on the said server. I could do that easily and the test I just ran worked well. So does the domain list look like:
-d example.com,a.example.com,b.example.com,c.example.com
or just:
-d a.example.com,b.example.com,c.example.com

It was a real headache working with the DNS-01 challenge and acme.sh in general. I’m familiar with certbot and I will continue to use it as long as it’s getting me certs.


#18

Not exactly a requirement with the 301 redirect strategy!

That depends which list of domains you want the cert to apply to. You’ll get whichever certificate you request, assuming that you can pass all of the challenges that the CA issues.


#19

Ah, so it does the challenge (whatever challenge) to them all.


#20

Yes-ish.

Usually the most straightforward way to renew is to provide the same mechanism you used to initially generate your cert.