Help With AutoRenewal Certbot

Hi!
I am using certbot for my certificates with a Varnish cache running on port 80 and Apache running on port 81 (Docker is using 8080). If I manually make a certificate for *.domain.com and add the ACME challenge TXT record to my DNS it works fine. However, I went to do a dry run before adding a cron to my system and I got a 503 error, which is something to do with Varnish not being able to reach Apache. Is there a way around this so it auto-renews without fail? And is there a way for me to have the Cloudflare proxy on and renew without failure? And what command would I use on crontab for automatic renewal of all certs?

Thanks,
Kian

Hi @Kianwalters05,

The answer to a lot of these questions depends on exactly how you have been trying to use Certbot so far.

Some important points I can pick out:

  • If you intend to use a wildcard *.example.com certificate, you must use a DNS plugin if you want autorenewal to work. For Cloudflare, use certbot-dns-cloudflare.
  • The autorenewal cron job is typically automatically set up as part of the installation process of Certbot. Following the instructions here will tell you what to do.

My personal suggestion, if you want to have an easy time of this, try following the instructions for either Certbot snap or Certbot pip. Either one will allow you to use the Cloudflare DNS plugin and get your autorenewing wildcard certificate.


Hi!
Thanks for this. If I use certbot for Cloudflare, will the Let's Encrypt auto-renew cron work? Or will I have to do it differently?

Kian

Yes, use Cloudflare for Let's Encrypt; autorenew will then work normally. This assumes your DNS is hosted on Cloudflare (it sounds like it is).

DNS validation will pretty much always work; HTTP validation needs a path through port 80 for all variations of your domain to a corresponding /.well-known/acme-challenge/ path for challenges. If you're doing anything remotely complex with HTTP caches/proxying and different domains on different ports etc., then DNS validation is often a simpler path to success.

So how would I go about it when Varnish is running on port 80 and Apache is on 81? Could I normally run the Apache Cloudflare commands and then do the normal certbot cron renewal?

If you choose to use the certbot-dns-cloudflare method, then how you set up Apache and Varnish is not important. You can leave them alone.

This is because the process would proceed by means of a TXT record automatically added to your Cloudflare zone. Your webservers don't need to participate.

Breaking this down into the steps you would perform, you would obtain a certificate with something like:

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /path/to/credentials.ini \
--cert-name example.com -d example.com -d "*.example.com" \
--post-hook "service apache2 reload"

Then, you'd configure Apache to use that certificate.

Finally, test that certificate renewal works:

certbot renew --dry-run

As long as your chosen Certbot installation came with a built-in cronjob, you don't need to do anything else. The certificate renewal will happen automatically at the appropriate time.

The cron isn't there...
What cron line would I use? I'm using pip. And the dry run didn't work.

Check out https://certbot.org/renewal-setup for instructions on setting up your own cron job.

Did you set the certificate up using certbot-dns-cloudflare? What's the output of the dry run?

Hi!
Sorry for the late response, I didn't get an email saying someone responded. If I run certbot renew --dry-run it doesn't work, but if I run certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/credentials.ini --dry-run it works, but Apache doesn't restart itself and I don't know how to add this into the command. I see when making certs it runs --post-hook "service apache2 reload", but I'm not sure how to implement this into the renew command.

Also,
I have to renew with dns-cloudflare, so I'm unsure as to how to set up the crontab. The default one tries to run with certbot, not with the dns-cloudflare extension. If you know how to do this I'd be so grateful.

Kian

--dry-run doesn't actually renew the certificate - it just does a trial run to see whether a certificate renewal would be successful. For dry-runs, Apache is not restarted.

If you did a renewal for real (note the --force-renewal instead of --dry-run ... but be careful about running it multiple times, as renewals are subject to rate limits):

certbot renew --force-renewal --cert-name example.com \
--dns-cloudflare --dns-cloudflare-credentials /root/credentials.ini \
--post-hook "service apache2 reload"

then you will find that all of those parameters (Cloudflare and Apache reload) will be saved to the renewal parameters file for your certificate, located at /etc/letsencrypt/renewal/example.com.conf.

Certbot will recall and use those parameters when the automatic renewal cron job runs, so you do not need to modify the renewal command. Just the default certbot renew -q will be fine.

To verify that is the case, you can do:

certbot renew --dry-run
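Before trusting an unattended certbot renew -q in cron, it is worth checking that each renewal conf under /etc/letsencrypt/renewal/ really carries the dns-cloudflare authenticator, the credentials path and the post-hook, and that the credentials file holding the Cloudflare API token is not world-readable. The script below is an added example, not code from this thread or from Certbot; it assumes the [renewalparams] key names certbot writes (authenticator, dns_cloudflare_credentials, post_hook) and builds a constructed sample conf and credentials file in a temp directory so it can run offline. The cron line it prints is a suggested schedule, not one taken from the thread.

```shell
#!/bin/sh
# Added example: pre-flight check of a certbot renewal conf before relying on
# `certbot renew -q` from cron. Key names follow the [renewalparams] section
# certbot writes to /etc/letsencrypt/renewal/<name>.conf (assumption).

# renewal_param FILE KEY -> prints KEY's value from the [renewalparams] section
renewal_param() {
    sed -n '/^\[renewalparams\]/,$p' "$1" | sed -n "s/^$2 *= *//p" | head -n 1
}

# check_renewal_conf FILE -> returns 0 if the conf can renew unattended,
# 1 otherwise, with each problem reported on stderr
check_renewal_conf() {
    conf=$1
    ok=0
    auth=$(renewal_param "$conf" authenticator)
    if [ "$auth" != "dns-cloudflare" ]; then
        echo "$conf: authenticator is '${auth:-unset}', not dns-cloudflare; a wildcard cert cannot renew this way" >&2
        ok=1
    fi
    creds=$(renewal_param "$conf" dns_cloudflare_credentials)
    if [ -z "$creds" ] || [ ! -f "$creds" ]; then
        echo "$conf: credentials file '${creds:-unset}' is missing" >&2
        ok=1
    else
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c %a "$creds" 2>/dev/null || stat -f %Lp "$creds")
        case "$mode" in
            600|400) ;;
            *) echo "$conf: $creds has mode $mode; the API token should be root-only (chmod 600)" >&2; ok=1 ;;
        esac
    fi
    hook=$(renewal_param "$conf" post_hook)
    if [ -z "$hook" ]; then
        echo "$conf: no post_hook, so Apache would keep serving the old certificate after renewal" >&2
        ok=1
    fi
    return $ok
}

# Suggested /etc/cron.d line (assumption: twice daily, as certbot only renews
# when the cert is close to expiry, so frequent runs are cheap).
cron_line() {
    echo '0 */12 * * * root certbot renew -q'
}

# Constructed sample data: a good conf, a bad conf, and a placeholder token.
make_samples() {
    dir=$(mktemp -d)
    printf 'dns_cloudflare_api_token = EXAMPLE-TOKEN-PLACEHOLDER\n' > "$dir/credentials.ini"
    chmod 600 "$dir/credentials.ini"
    cat > "$dir/good.conf" <<EOF
version = 2.0.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
account = 0123456789abcdef
authenticator = dns-cloudflare
dns_cloudflare_credentials = $dir/credentials.ini
post_hook = service apache2 reload
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$dir/bad.conf" <<EOF
version = 2.0.0
[renewalparams]
account = 0123456789abcdef
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    echo "$dir"
}

# Stand-alone run: check both samples, then show the cron line to install.
SAMPLES=$(make_samples)
check_renewal_conf "$SAMPLES/good.conf" && echo "good.conf: ready for unattended renewal"
check_renewal_conf "$SAMPLES/bad.conf" || echo "bad.conf: rejected, see messages above"
echo "cron line to install: $(cron_line)"
```

On a real host, point check_renewal_conf at each file in /etc/letsencrypt/renewal/ instead of the samples; a conf that fails the check is exactly the case where certbot renew --dry-run would fail or Apache would not reload.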

Hi!
I figured it out as such: I have a cron that runs a custom script every 5 minutes. The script runs 2 commands, one for each account that is used for the domains (on separate Cloudflare accounts). If they don't need renewing it skips them, but when they do it'll auto-renew them.

Thanks,
Kian
