How can I optimize a cert chain include many domains

kakujing · December 27, 2021, 2:12am

Hi guys,

I have taken over a webserver that hosts almost 100+ websites.
But seems the certificate installation has issues.
When I run

certbot renew --dry-run

It shows:

Processing /etc/letsencrypt/renewal/a.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for a.com
http-01 challenge for b.sg
http-01 challenge for c.com
http-01 challenge for d.com
http-01 challenge for e.com.sg
.... 100+ sites
http-01 challenge for z.com

Seems all of the domains are on a chain. Then here is the renew configuration file:

$:/etc/letsencrypt/renewal$ cat a.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/a.com
cert = /etc/letsencrypt/live/a.com/cert.pem
privkey = /etc/letsencrypt/live/aa.com/privkey.pem
chain = /etc/letsencrypt/live/a.com/chain.pem
fullchain = /etc/letsencrypt/live/a.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = s3gha
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone
installer = apache
pre_hook = service apache2 stop
post_hook = service apache2 start

Somehow it shows a standalone authenticator (should be apache) and there is only 1 renewal configuration file.

Here below is the cert information:

openssl crl2pkcs7 -nocrl -certfile fullchain4.pem | openssl pkcs7 -print_certs -text -noout
Certificate:
Data:
Version: 3 (0x2)
...

        Authority Information Access:
            OCSP - URI:http://r3.o.lencr.org
            CA Issuers - URI:http://r3.i.lencr.org/

        X509v3 Subject Alternative Name:
            DNS:a.com, DNS:b.com, DNS:c.com,...

Here is the question, if one of 100+ domains has an issue then the renew will terminal. and as I know it should not stop apache during the renew, also, one domain should have its separate configuration file and cert file.

How can I improve it?

Thanks for your help and Merry Christmas!

rg305 · December 27, 2021, 2:33am

Hi @kakujing and welcome to the LE community forum

The person who managed it before did:

So, they stopped Apache and run certbot in standalone mode (then restarted Apache after).

If you want to change that, you will have to issue a new cert in some other way.
[certbot will remember the last way and do that for each renewal]

The topic question:
How can I optimize a cert chain include many domains
and the post question:
How can I improve it?
Are very subjective.
There is no wrong answer [if you can get certs and renew them automatically]
That said, there is some preferred ways - like: NOT stopping the web service to obtain new certs.

Apache can be complicated to maintain; As it won't complain about many minor errors and will always try to run at all cost. Which can be an issue when other programs are required to understand and update that (potentially) "broken" configuration.
So, I would start there; Make sure the Apache config is correct, with:
sudo apachectl -t -D DUMP_VHOSTS

kakujing · December 27, 2021, 3:06am

Hi @rg305 Merry Christmas! Thanks for your prompt response and apologies for my inappropriate title of this question.

I suppose the previous website maintainer did the wrong way to issue these certificates. I checked the Apache conf folder and found all of the 100+ sites are using the same certification. for example,
b-com-le-ssl.conf is using the certification of a.com:

SSLCertificateFile /etc/letsencrypt/live/a.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/a.com/privkey.pem

sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server a(/etc/apache2/sites-enabled/a-com-le-ssl.conf:2)
port 443 namevhost a.com (/etc/apache2/sites-enabled/a-com-le-ssl.conf:2)
alias www.a.com
port 443 namevhost www.bs.com (/etc/apache2/sites-enabled/b-com-le-ssl.conf:2)
alias b.com
... 100+websites

You are right, and so far the certification is working even though it does look weird.
How can I "issue a new cert in some other way" with less downtime?
I want to:

every single domain use its separate certification file and renew configuration file, keep them tidy
all of them use apache authenticator instead of standalone (do I need to remove all apache SSL configuration files and reissue certifications-- it may lead to all website shutdowns, which may lead to many complaints)
3.no need to reboot apache during renewal

rg305 · December 27, 2021, 3:33am

#1 You need to reissue a cert for each domain (separate certbot command)

#2 You need to reissue certs (one at a time) for each domain and use the certbot apache installer.

#3 Apache can be reloaded (without shutdown/restart)

And Merry Christmas to you too!

system · January 26, 2022, 3:33am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.