I have set up a Let's Encrypt cert for Apache, but I actually use the certificate in Squid, so when it’s time to renew the certificate, the Authority doesn’t find the challenge since it reads from Squid. I would love to make a bypass in Squid for the verification, but I don’t know what to bypass. Or is there another solution? Can anyone help me? Thank you very much!
If you want to bypass requests to challenge files, you have to use http-01 authorization instead of tls-sni-01. Then you have to make sure that URLs starting with /.well-known/acme-challenge/ are delivered locally.
Thank you for your answer! Let me see if I got that right: I have to make sure that I can access https://carta.ro/.well-known/acme-challenge/ from a browser, and then I change the command so that certbot uses the http-01 authorization instead of tls-sni-01?
Now I can access http://carta.ro/.well-known/acme-challenge/ (no https).
As I understand (please let me know if I’m wrong), I tell certbot-auto to use the http-01 authorization by adding “--preferred-challenges=http” to the command, so the final command is: “/usr/share/certbot/certbot-auto renew --no-self-upgrade --preferred-challenges=http”, run as root. But now I get this error:
Attempting to renew cert (carta.ro) from /etc/letsencrypt/renewal/carta.ro.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
A short explanation that I got from https://certbot.eff.org/docs/using.html#renewing-certificates: if the domains are all listed as in the certificate, then a renewal is attempted. If one domain is missing, then the command will issue a new certificate - I didn’t want that, so I listed every domain with “-d” in front of it. The “--webroot” option makes the validation of the domain happen by placing a file in “.well-known/acme-challenge/”, which will be found in the folder specified after the “-w” option.
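As an added example that is not part of the thread and not certbot's or Squid's own code, here is a small pre-flight script that checks the two things the replies above depend on before running the renewal: that the challenge directory under the webroot is writable, and that a file placed there is actually served over plain HTTP through the proxy (the CA validates http-01 on port 80, so the TLS listener is irrelevant). It also composes the certonly command with every domain repeated via -d, as the last post describes, and adds --dry-run so the first run goes against the staging CA. Assumptions not stated in the thread: certbot-auto lives at /usr/share/certbot/certbot-auto, the webroot passed to -w is the directory the proxy delivers /.well-known/acme-challenge/ from, and curl is installed.

```shell
# Added example (not from the thread, certbot or Squid): pre-flight check for
# http-01 webroot renewal behind a proxy.
# Assumptions: CERTBOT path as used in the thread; the proxy already serves
# /.well-known/acme-challenge/ from the directory given to certbot's -w.

CERTBOT=/usr/share/certbot/certbot-auto
ACME_PATH=.well-known/acme-challenge

# Write a throwaway token file into the challenge directory, mimicking what
# certbot does during http-01. Prints the token name; returns 1 on failure.
place_test_token() {
  webroot=$1
  dir="$webroot/$ACME_PATH"
  mkdir -p "$dir" || return 1
  token="preflight-$$-$(date +%s)"
  printf 'preflight-ok\n' > "$dir/$token" || return 1
  printf '%s\n' "$token"
}

# Fetch the token over plain HTTP, the way the CA does for http-01.
# Returns 0 only if the body served matches the file that was written.
token_served_over_http() {
  domain=$1; token=$2
  body=$(curl -fsS --max-time 10 "http://$domain/$ACME_PATH/$token") || return 1
  [ "$body" = "preflight-ok" ]
}

# Remove the test file so nothing stale is left in the challenge directory.
remove_test_token() {
  rm -f "$1/$ACME_PATH/$2"
}

# Compose the certonly invocation: every domain of the existing certificate is
# repeated with -d so certbot renews instead of issuing a new lineage, the
# webroot plugin answers http-01 from -w, and --dry-run uses the staging CA.
# Prints the command line; drop --dry-run once the staging run succeeds.
build_certbot_cmd() {
  webroot=$1; shift
  cmd="$CERTBOT certonly --webroot -w $webroot --preferred-challenges http --dry-run"
  for d in "$@"; do
    cmd="$cmd -d $d"
  done
  printf '%s\n' "$cmd"
}

# Full pre-flight: place a token, fetch it through the proxy, clean up.
# Usage: preflight /var/www/html carta.ro
preflight() {
  webroot=$1; domain=$2
  token=$(place_test_token "$webroot") || {
    echo "cannot write to $webroot/$ACME_PATH" >&2
    return 1
  }
  if token_served_over_http "$domain" "$token"; then
    status=0
  else
    echo "http://$domain/$ACME_PATH/$token is not served from $webroot (check the proxy rule for $ACME_PATH)" >&2
    status=1
  fi
  remove_test_token "$webroot" "$token"
  return $status
}
```

Source the file and run `preflight <webroot> <domain>` first; only when it exits 0 does the proxy rule from the second post actually deliver the challenge path locally, and only then is it worth running the command printed by `build_certbot_cmd <webroot> <domain>...`. The renew subcommand in the thread fails with "None of the preferred challenges are supported by the selected plugin" because the renewal config still names the original authenticator; certonly with --webroot sets the plugin explicitly.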