Difficulty with renew


#1

I run codeigniter sites. I run them https only. I use a vhosts file to configure them. I also restrict access to some of them via IP address limiting.

I have never been able to get certbot running without webroot. I got certbot to run by making a dummy site that allows access (no framework) and using webroot. So I have valid certs. But I need to get auto-renew running.

The problems with webroot are:

  1. The code does http only, so if I always force https, I get an error.
  2. Frameworks mess with the URLs. I can open up /.well-known as a non-framework directory, but it still doesn’t work for some reason.

What I really need is for certbot to work without webroot.

my domain is www.carespan.help
It is set as an A record to point to my IP (the site works)
My apache config is as follows:

# VirtualHost and closing Directory tags restored; they did not survive forum extraction.
<VirtualHost *:80>
    ServerName www.carespan.help
    DocumentRoot /home/httpd/sites/carespanhelp/doc-root/
    <Directory "/home/httpd/sites/carespanhelp/doc-root">
        Require all granted
        AllowOverride All
        Options -Indexes
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.carespan.help
    DocumentRoot /home/httpd/sites/carespanhelp/doc-root/
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.carespan.help/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.carespan.help/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.carespan.help/chain.pem
    <Directory "/home/httpd/sites/carespanhelp/doc-root">
        Require all granted
        AllowOverride All
        Options -Indexes
    </Directory>
</VirtualHost>


Does ‘renew’ always use webroot? I get this error when running certbot renew --dry-run

IMPORTANT NOTES:

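An added example, not posted in the thread, of how the vhost pair from post #1 can be arranged so that the HTTP-01 challenge path is served from a plain directory that is open to everyone (the Let's Encrypt validators arrive from changing addresses), while the CodeIgniter document root stays HTTPS-only and restricted to an IP allow-list. The challenge directory /var/www/acme and the allow-listed networks are assumptions; the certificate paths are the ones from the post.

```apache
# Added example: HTTP-01 challenge path open to all, application IP-restricted.
# Assumed values: /var/www/acme (webroot handed to certbot -w) and the
# placeholder networks in the Require ip line.

<VirtualHost *:80>
    ServerName www.carespan.help

    # Challenge files are served from a directory outside the CodeIgniter
    # document root, so the framework's front controller never sees them.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory "/var/www/acme/.well-known/acme-challenge">
        Require all granted
        Options -Indexes
        AllowOverride None
    </Directory>

    # Everything else goes to HTTPS; the challenge path is left out of the
    # redirect so validation never depends on the restricted HTTPS vhost.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.carespan.help
    DocumentRoot /home/httpd/sites/carespanhelp/doc-root/

    SSLEngine on
    # fullchain.pem replaces cert.pem + chain.pem on Apache 2.4.8 and later.
    SSLCertificateFile    /etc/letsencrypt/live/www.carespan.help/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.carespan.help/privkey.pem

    # The application itself stays limited to the listed networks
    # (placeholder addresses; replace with the real allow-list).
    <Directory "/home/httpd/sites/carespanhelp/doc-root">
        Require ip 192.0.2.0/24 198.51.100.7
        AllowOverride All
        Options -Indexes
    </Directory>
</VirtualHost>
```

With this layout the certificate is first issued with `certbot certonly --webroot -w /var/www/acme -d www.carespan.help`; certbot records the webroot in its renewal config, so a later `certbot renew --dry-run` exercises exactly this open path and nothing inside the restricted document root. Because the challenge directory is a plain Alias with AllowOverride None, no .htaccess rewrite from the framework can capture the request.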

#2

“renew” should try and renew using whatever method you used to generate the certificate in the first place. If you created it with webroot, then “renew” will use webroot.

Would the DNS challenge be better for you? That just requires a TXT record added to your DNS with the token in it. If you have a reasonable API into your DNS, then that might be a lot easier for you.


#3

I’ll try that. I got renew to work by opening up .well-known, but I still cannot restrict IPs or certbot will never find it. I’ll try the TXT method. That should work. Thanks!


#4

I spoke before looking. There is a ton of old reference to pre-implementation of DNS challenge. I cannot seem to find a simple how-to anywhere. Any help links?


#5

Hi Doug,

It’s as simple as adding a TXT record to your DNS.

That’s probably why most people don’t go into depth.

Andrei

