Having trouble with combining plugins

I am able to run "certbot --apache -d soul-bass.com" no problem but because I am migrating servers I need to install the cert using DNS verification and renew it automatically using Apache.

This fails "certbot run -a apache -i manual -d soul-bass.com"

My domain is:

soul-bass.com

I ran this command:

certbot run -a apache -i manual -d soul-bass.com

It produced this output:

An unexpected error occurred:
zope.interface.exceptions.MultipleInvalid: The object <certbot._internal.plugins.manual.Authenticator object at 0x7fb47f8bcb50> has failed to implement interface :
Does not declaratively implement the interface
The certbot.interfaces.IInstaller.get_all_names() attribute was not provided
The certbot.interfaces.IInstaller.deploy_cert(domain, cert_path, key_path, chain_path, fullchain_path) attribute was not provided
The certbot.interfaces.IInstaller.enhance(domain, enhancement, options=None) attribute was not provided
The certbot.interfaces.IInstaller.supported_enhancements() attribute was not provided
The certbot.interfaces.IInstaller.save(title=None, temporary=False) attribute was not provided
The certbot.interfaces.IInstaller.rollback_checkpoints(rollback=1) attribute was not provided
The certbot.interfaces.IInstaller.recovery_routine() attribute was not provided
The certbot.interfaces.IInstaller.config_test() attribute was not provided
The certbot.interfaces.IInstaller.restart() attribute was not provided

My web server is (include version):

The operating system my web server runs on is (include version):

Debian 11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.12.0

That seems like it should work but you must format it like this instead

certbot certonly -a apache -d soul-bass.com

Using -a apache does not do a DNS challenge. It uses the apache authenticator so is an http challenge.

Can't you just copy over your entire /etc/letsencrypt folder structure and use that on your new server? Make sure to preserve the symlinks in the ../live/ folders

Then, once it's running renew those certs with apache plug-in like you show and make sure the autorenew is set up too.

3 Likes

The new server is a completely different OS and much higher version so I don't want to cause trouble by copying the whole folder. But it's a good idea, are there certain directories I could copy rather than the whole folder?

That folder structure only contains data files. There is no software to be incompatible with new OS.

3 Likes

I think OP would like to do -a manual -i apache. I.e.: the other way around :wink:

@binaryfarm Note that you cannot automatically renew any certificate issued with the manual authenticator, unless you can provide scripts which automatically add (and remove) the required TXT record for DNS authentication.

3 Likes
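An added example, not part of any post in this thread: a sketch of the kind of script the note above refers to, usable as both the `--manual-auth-hook` and the `--manual-cleanup-hook`. It assumes the DNS zone accepts RFC 2136 dynamic updates through `nsupdate`; the server name and TSIG key path are placeholders.

```shell
#!/bin/sh
# Added example: one script used as both --manual-auth-hook ("add") and
# --manual-cleanup-hook ("delete"). Certbot exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION to the hooks. Assumed: the zone accepts RFC 2136 updates.
DNS_SERVER=${DNS_SERVER:-ns1.example.net}          # assumed name server
TSIG_KEY=${TSIG_KEY:-/etc/letsencrypt/tsig.key}    # assumed TSIG key file
TTL=60

# Print the nsupdate batch for "add" or "delete"; return 2 on bad input.
acme_nsupdate_batch() {
    case ${1:-} in add|delete) ;; *) return 2 ;; esac
    [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ] || return 2
    rr="_acme-challenge.${CERTBOT_DOMAIN#\*.}."
    # Both values end up inside an nsupdate command line, so allow only the
    # characters a host name and a base64url token can contain.
    case $rr in *[!A-Za-z0-9._-]*) return 2 ;; esac
    case $CERTBOT_VALIDATION in *[!A-Za-z0-9_-]*) return 2 ;; esac
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$1" = add ]; then
        printf 'update add %s %s TXT "%s"\n' "$rr" "$TTL" "$CERTBOT_VALIDATION"
    else
        printf 'update delete %s TXT "%s"\n' "$rr" "$CERTBOT_VALIDATION"
    fi
    printf 'send\n'
}

run_hook() {
    batch=$(acme_nsupdate_batch "$1") || { echo "hook: bad input" >&2; return 2; }
    # A production hook would also wait after "add" until the TXT record is
    # visible on the authoritative servers before returning.
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEY"
}

# Runs only when invoked as "hook.sh add" or "hook.sh delete".
case ${1:-} in add|delete) run_hook "$1" ;; esac
```

It would be wired in with something like `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/path/to/hook.sh add' --manual-cleanup-hook '/path/to/hook.sh delete' -d soul-bass.com`, where the script path is a placeholder.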

So how do I recreate all the symlinks that haven't copied? Also I have a lot of sites on this server and this seems beyond manually creating them.

Will apache create the correct config files when I restart even though certbot didn't install these certs?

You could try certbot update_symlinks (see here) but another option is just to use a method to transfer that preserves them. If you let us know what OS are old/new we may suggest something.

3 Likes

And what about Apache, is that going to play ball when I restart it?

You mean the apache plug-in? Because the renewal conf files are transferred over in /etc/letsencrypt

Are you also transferring your apache conf? Because that would point to all the same /etc/letsencrypt files anyway

3 Likes

It's a different version of Apache, I am going from CentOS 8 to Debian 11 which has a completely different way of configuring sites. Debian uses the sites-enabled folder and CentOS 8 doesn't. Certbot update_symlinks doesn't work, by the way; it expects a symlink to exist.

Can't you just use tar to copy the files over? Maybe like:

tar -cvzf letsencrypt.tar.gz /etc/letsencrypt

Your apache folder structure may be different but are your VirtualHosts the same? In other words, how are you setting up your new server for https VirtualHosts?

3 Likes
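An added example, not part of any post in this thread: a check to run on the new server after unpacking the copied tree, confirming that every file under `live/` is still a symlink to an existing file and that each lineage has its renewal config. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a copied letsencrypt tree kept its symlinks.
# Certbot layout: live/<name>/{cert,privkey,chain,fullchain}.pem are symlinks
# to versioned files under archive/<name>/, with renewal/<name>.conf beside them.

audit_le_tree() {
    le_root=${1:-/etc/letsencrypt}
    le_bad=0
    for le_dir in "$le_root"/live/*/; do
        [ -d "$le_dir" ] || continue
        le_name=$(basename "$le_dir")
        for le_item in cert privkey chain fullchain; do
            le_link="$le_dir$le_item.pem"
            if [ -L "$le_link" ] && [ -e "$le_link" ]; then
                continue                      # symlink with a live target
            elif [ -L "$le_link" ]; then
                echo "DANGLING $le_name/$le_item.pem -> $(readlink "$le_link")"
            elif [ -e "$le_link" ]; then
                echo "REGULAR-FILE $le_name/$le_item.pem (link was dereferenced)"
            else
                echo "MISSING $le_name/$le_item.pem"
            fi
            le_bad=$((le_bad + 1))
        done
        if [ ! -f "$le_root/renewal/$le_name.conf" ]; then
            echo "NO-RENEWAL-CONF $le_name"
            le_bad=$((le_bad + 1))
        fi
    done
    [ "$le_bad" -eq 0 ]
}

# Constructed sample tree: good.example is intact, flat.example was copied
# with a tool that replaced each symlink by a copy of its target.
make_sample_tree() {
    t=$(mktemp -d)
    for n in good.example flat.example; do
        mkdir -p "$t/archive/$n" "$t/live/$n" "$t/renewal"
        : > "$t/renewal/$n.conf"
        for i in cert privkey chain fullchain; do
            : > "$t/archive/$n/${i}1.pem"
        done
    done
    for i in cert privkey chain fullchain; do
        ln -s "../../archive/good.example/${i}1.pem" "$t/live/good.example/$i.pem"
        cp "$t/archive/flat.example/${i}1.pem" "$t/live/flat.example/$i.pem"
    done
    echo "$t"
}
```

Calling `audit_le_tree` with no argument checks `/etc/letsencrypt`; it prints one line per problem and returns non-zero if any were found.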

The Apache on CentOS 8 just requires a config file, on Debian you also have to run a2ensite, also on Debian certbot creates a separate config file for SSL as opposed to editing the config file on CentOS 8.

I must just resign myself to going through each site as it will be quicker.

It sounds like you want the apache plug-in to set up new VirtualHosts rather than trying to copy those over by hand into the new debian layout.

You could do what you described at the start and get a set of certs on debian using manual DNS challenge with apache installer. It's just the opposite parameters of what you started with (as Osiris noted) so something like:

certbot -a manual -i apache --preferred-challenges=dns-01 -d soul-bass.com

Then, once the new server is running you need to run certbot again to change from manual DNS to apache authenticator and installer.

3 Likes

So installer refers to the renewal? That seems badly worded.

The authenticator is used to demonstrate control of the domain name. If successful:

  1. you are issued a cert
  2. the installer updates your apache config accordingly.
  3. A renewal conf file is created so these options are used for the certbot renewal.

Does that help?

3 Likes

Note: Manual authentication can't be automated.

So... At some point you should switch to a method that can be automated.
[hopefully sooner than later]

3 Likes