root@server:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: scotchandiron.org
2: www.scotchandiron.org
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):its@schw.im
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to its@schw.im.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
My web server is (include version): Apache/2.4.25
The operating system my web server runs on is (include version): Debian 9
I see three possible problems with the command line there:
There is no --installer apache2; it’s just called --installer apache. (service apache2 stop and service apache2 start are probably correct, however.)
The \ -d is wrong unless there is a line break immediately after the \ character (otherwise, it puts a quoted space into the command which will confuse the argument parser).
If the space in --pos t-hook is really there in your command line, that’s a mistake.
Hopefully fixing these things will allow the command to run successfully.
I sorted my quotes out and got it to run but I’ve got a new error:
root@server:/var/log/letsencrypt# certbot --authenticator standalone --installer apache -d scotchandiron.org -d www.scotchandiron.org --pre-hook "service apache2 stop" --post-hook "service apache2 start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Running pre-hook command: service apache2 stop
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for scotchandiron.org
http-01 challenge for www.scotchandiron.org
Waiting for verification...
Cleaning up challenges
Running post-hook command: service apache2 start
Failed authorization procedure. www.scotchandiron.org (http-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.scotchandiron.org
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.scotchandiron.org
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
www.scotchandiron.org
root@server:/var/log/letsencrypt#
I’m not sure if this means that not enough time has passed from when I created the A record for the domains to resolve correctly for LE or if there’s another issue at play.
The www version of the name really doesn’t exist at your authoritative nameservers (for example NS2.101DOMAIN.COM). Are you sure that you’ve really created this record?
I successfully created the certs and it’s resolving properly. Thanks very much for all your help. I do have a question though.
Since the certbot application can not run without this special command, does this mean that I can’t benefit from the autorenewal feature? Will I have to run this command every 89 days?
I think that's a misapprehension. When you specify options like these and successfully obtain a certificate, those options are saved in the renewal configuration file under /etc/letsencrypt/renewal, and will be used automatically by certbot renew in the future. So autorenewal should still be possible in this setup.
The main case that can't autorenew is --manual (or --authenticator manual), but you didn't use that, so you shouldn't be affected by it!
Hi there @Osiris and thanks for taking the time to help!
I apologize but I’m not sure what you mean. I tried the initial command listed in OP, received the warning, did some searching to find that Deb 9’s certbot seemed to be too old, requiring a workaround, found the workaround thread on this forum and ended up with a working cert.
Is there something I should have done differently?
That's probably very true. I assume you're using the Debian stretch packages? Because that version is indeed very old, 0.10.2. However, the stretch-backports repository has a rather up to date version of 0.25! That's also the recommended method of installing certbot. But I don't use Debian myself, so I have no idea if you can combine stretch-backports just for certbot with the rest of your packages just stretch.
But anyway, that doesn't really matter, because even with the 0.10 there should be 2 options. See below:
Very nice! A working certificate is obviously the end goal here. However, there's still one thing I don't understand. In the workaround thread @schoen has provided, it mentions two possible workarounds:
"# Temporary outage method" (which uses --authenticator standalone, the one you're using)
I'm not sure why you've opted for the "temporary outage method"? Because it requires Apache to be stopped, cert to be renewed and Apache to be started again. Between stopping and starting, your site will be down for just a moment.
The webroot method doesn't have that limitation. I'm not saying you did anything wrong, nor am I saying you should change anything, but I'm trying to figure out the reason why you opted for an option with downtime instead of the option without downtime.
Oh, I understand what you mean. To be honest, the only reason I didn't go that route is that I didn't understand that it would be the preferred method. I like the fact that it wouldn't require apache to restart.
Would I simply run this command to change the way certbot handles these two domains or would running this command somehow cause a problem with what I've already done?
Seems correct to me, assuming the webroot path is correct for that website and there aren't any strange rewrite rules preventing the Let's Encrypt validation server from retrieving the token file from http://(www.)scotchandiron.org/.well-known/acme-challenge/
It shouldn't if you haven't issued 5 or more certificates the past 7 days. Otherwise, you might run into one of the rate limits.
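The two points made above (saved options under /etc/letsencrypt/renewal drive autorenewal, and the standalone-with-hooks method costs a moment of downtime while webroot does not) and the earlier NXDOMAIN failure can be checked from a small script. This is an added example, not certbot's own code; the renewal config below is constructed and only approximates the layout certbot writes, and the resolver is injectable so the DNS check can run offline.

```python
"""Inspect a certbot renewal config and preflight DNS for http-01 renewal."""
import configparser
import socket

# Constructed sample, modelled on the [renewalparams] section certbot saves
# after the standalone + apache-installer command used in this thread.
SAMPLE_RENEWAL_CONF = """\
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/scotchandiron.org
cert = /etc/letsencrypt/live/scotchandiron.org/cert.pem
privkey = /etc/letsencrypt/live/scotchandiron.org/privkey.pem

[renewalparams]
authenticator = standalone
installer = apache
pre_hook = service apache2 stop
post_hook = service apache2 start
"""


def parse_renewal_conf(text):
    """Return the [renewalparams] section as a dict.

    certbot writes top-level keys before any section header, which
    configparser rejects, so a dummy header is prepended first."""
    cp = configparser.ConfigParser()
    cp.read_string("[top]\n" + text)
    return dict(cp["renewalparams"]) if cp.has_section("renewalparams") else {}


def classify_renewal(params):
    """Say whether 'certbot renew' will run unattended and whether it stops
    the web server while doing so (standalone + pre/post hooks)."""
    auth = params.get("authenticator", "")
    hooks = [params[k] for k in ("pre_hook", "post_hook") if params.get(k)]
    if auth == "manual":
        return {"auto_renew": False, "downtime": False, "method": auth}
    downtime = auth == "standalone" and any("stop" in h for h in hooks)
    return {"auto_renew": True, "downtime": downtime, "method": auth}


def dns_preflight(domains, resolve=socket.gethostbyname):
    """Return the names that do not resolve (the NXDOMAIN case above);
    a failing lookup raises socket.gaierror, a subclass of OSError."""
    missing = []
    for name in domains:
        try:
            resolve(name)
        except OSError:
            missing.append(name)
    return missing
```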
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://scotchandiron.org and
https://www.scotchandiron.org