I am using certbot for my certificates with a Varnish cache running on port 80 and Apache running on port 81 (Docker is using 8080). If I manually make a certificate for *.domain.com and add the ACME challenge TXT record to my DNS it works fine. However, I went to do a dry run before adding a cron job to my system and I got a 503 error, which is something to do with Varnish not being able to reach Apache. Is there a way around this so it auto-renews without fail? And is there a way for me to have the Cloudflare proxy on and renew without failure? And what command would I use in crontab for automatic renewal of all certs?
The answer to a lot of these questions depends on exactly how you have been trying to use Certbot so far.
Some important points I can pick out:
If you intend to use a wildcard *.example.com certificate, you must use a DNS plugin if you want autorenewal to work. For Cloudflare, use certbot-dns-cloudflare.
The autorenewal cron job is typically automatically set up as part of the installation process of Certbot. Following the instructions here will tell you what to do.
My personal suggestion, if you want to have an easy time of this, is to try following the instructions for either Certbot snap or Certbot pip. Either one will allow you to use the Cloudflare DNS plugin and get your auto-renewing wildcard certificate.
Yes, use Cloudflare for Let's Encrypt; auto-renewal will then work normally. This assumes your DNS is hosted on Cloudflare (it sounds like it is).
DNS validation will pretty much always work; HTTP validation needs a path through port 80 for all variations of your domain to a corresponding /.well-known/acme-challenge/ path for challenges. If you're doing anything remotely complex with HTTP caches/proxying and different domains on different ports etc., then DNS validation is often a simpler path to success.
Sorry for the late response, I didn't get an email saying someone responded. If I run certbot renew --dry-run it doesn't work, but if I run certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/credentials.ini --dry-run it works. Apache doesn't restart itself, though, and I don't know how to add this into the command. I see when making certs it runs --post-hook "service apache2 reload" but I'm not sure how to implement this into the renew command.
I have to renew with dns-cloudflare so I'm unsure as to how to set up the crontab. The default one tries to run with certbot, not with the dns-cloudflare extension. If you know how to do this I'd be so grateful.
I figured it out as such: I have a cron job that runs a custom script every 5 mins. The script runs 2 commands, one for each account that is used for the domains (on separate Cloudflare accounts). If they don't need renewing it skips them, but when they do it'll auto-renew them.
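A cron-driven renewal script for the two-account setup described in this last post, as an added example that is not part of the thread. It assumes one Cloudflare credentials file per account under /etc/letsencrypt/cloudflare/ (an assumed path) and uses certbot's --deploy-hook, which runs only when a certificate was actually renewed, instead of the --post-hook mentioned earlier.

```shell
#!/bin/sh
# Added example, not from the thread. One "certbot renew" per Cloudflare
# account; certbot itself skips certificates that are not yet due.
# Suggested crontab line (certbot recommends trying twice a day):
#   17 3,15 * * * root /usr/local/sbin/renew-cloudflare.sh run
set -eu

CERTBOT="${CERTBOT:-certbot}"                          # overridable for testing
CRED_DIR="${CRED_DIR:-/etc/letsencrypt/cloudflare}"    # assumed location
DEPLOY_HOOK="${DEPLOY_HOOK:-service apache2 reload}"   # reload Apache on port 81

# A credentials file holds a Cloudflare API token, so it must be 0600;
# certbot will refuse a file that is readable by other users.
creds_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Renew every certificate that belongs to one account (one credentials file).
# Extra arguments (e.g. --dry-run) are passed straight to certbot.
renew_account() {
    creds="$1"; shift
    creds_ok "$creds" || { echo "skipping $creds: mode must be 0600" >&2; return 1; }
    "$CERTBOT" renew --dns-cloudflare --dns-cloudflare-credentials "$creds" \
        --deploy-hook "$DEPLOY_HOOK" "$@"
}

# Loop over all accounts; keep going if one fails, but report failure at the end
# so cron mails the error.
main() {
    status=0
    for creds in "$CRED_DIR"/*.ini; do
        [ -e "$creds" ] || { echo "no credentials files in $CRED_DIR" >&2; return 1; }
        renew_account "$creds" "$@" || status=1
    done
    return "$status"
}

# Only run renewals when invoked with "run" (cron); "run --dry-run" tests it.
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```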