I have domains that need to be validated in different ways, like HTTP and DNS. I have already written scripts to take care of the HTTP challenges and to clean up those codes. So, when I just invoke the command below, the certs get renewed.
At the same time, I need to validate some of the domains using DNS challenges, and I'm doing that manually.
I want to ignore those domains that will be renewed through the DNS challenge when I run the command below.
1.- Edit the renewal conf file for your domain and add the following option to your renewal section:
autorenew = False
Example:
# Options used in the renewal process
[renewalparams]
autorenew = False
authenticator = manual
account = 03afb3e3119087bd1c242bcd3652f456
manual_public_ip_logging_ok = True
manual_auth_hook = /home/sahsanu/scripts/cloudns/cloudns.bash
server = https://acme-staging-v02.api.letsencrypt.org/directory
manual_cleanup_hook = /home/sahsanu/scripts/cloudns/cleanup_cloudns.bash
pref_challs = dns-01,
2.- Or you can edit the renewal conf file for your domain and change the option renew_before_expiry. By default this option is commented out, so certbot-auto will try to renew the cert if it expires in 30 days or less; you can change it and put 1 or 0 instead of 30.
I don’t think there is an easy way to include/exclude certificates grouped by renewal type.
You may have to also use --cert-name for the domains using DNS challenge.
Something like: ./certbot-auto renew --cert-name dns1.domain --manual --preferred-challenges=dns --manual-auth-hook=/path/to/dns/authenticator.sh
Yes, I can run that command by mentioning the domain name. The concern is that I have more than 100 domains, so I need to run that command for all of those domains every time I do a renewal operation…
If I'm able to ignore a few, then it would make things so much simpler for me.
I’m curious…
Usually people choose DNS only when they have to - like for wildcards.
Do you have 100 separate wildcard certs?
Or are you doing DNS authentication for some other reason?
In all other cases, the website throws a 404/403 error, so I can't validate them with the HTTP challenge.
And nope, I don't have 100 wildcard certs. I have more than 100 certs (including SANs) that are validated with HTTP and fewer than 10 that are validated with DNS.
Nope, I think the /.well-known/acme-challenge/ dir should be created at the document root of the server, and that's the only path where Let's Encrypt will look for the code to validate.
As you have added autorenew = False to the domain's renewal conf, the above command won't try to renew the certificate for that domain; you need to add the --force-renewal parameter.
I don't know what web server you are using, but as @rg305 said, if you are using Apache you can add an Alias so all the requests to /.well-known/acme-challenge/ can be directed to another path on your disk. The same goes for nginx: you can use location directives to do the same. But after making these changes you should modify the renewal conf for the existing domains, so I don't know how easy it would be in your environment.
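The two steps above (find the certs that renew through the DNS challenge, then set autorenew = False in their renewal conf so a plain certbot renew skips them) can be scripted. This is an added example, not a script from this thread or from certbot itself; it assumes the renewal conf files live in /etc/letsencrypt/renewal/ and that a DNS-validated cert is recognisable by authenticator = manual or a pref_challs line containing dns-01 in its [renewalparams] section, as in the conf shown earlier.

```shell
#!/bin/sh
# Added example: classify certbot renewal confs and mark the DNS-validated
# ones with autorenew = False. Assumes the default renewal dir layout.

# Print the cert name (file name without .conf) of every renewal conf whose
# [renewalparams] uses the manual authenticator or prefers dns-01.
dns_cert_names() {
  dir="$1"
  for conf in "$dir"/*.conf; do
    [ -f "$conf" ] || continue   # no .conf files: the glob stays literal
    if grep -Eq '^(authenticator[[:space:]]*=[[:space:]]*manual|pref_challs[[:space:]]*=.*dns-01)' "$conf"; then
      basename "$conf" .conf
    fi
  done
}

# Set autorenew = False in one renewal conf, idempotently: rewrite an
# existing autorenew line, otherwise insert one right after [renewalparams].
disable_autorenew() {
  conf="$1"
  if grep -Eq '^autorenew[[:space:]]*=' "$conf"; then
    sed -i.bak -E 's/^autorenew[[:space:]]*=.*/autorenew = False/' "$conf"
  else
    sed -i.bak '/^\[renewalparams\]/a\
autorenew = False' "$conf"
  fi
  rm -f "$conf.bak"
}

# Only touch real files when RENEWAL_DIR is set explicitly, e.g.
#   RENEWAL_DIR=/etc/letsencrypt/renewal sh mark_dns_certs.sh
if [ -n "${RENEWAL_DIR:-}" ]; then
  for name in $(dns_cert_names "$RENEWAL_DIR"); do
    disable_autorenew "$RENEWAL_DIR/$name.conf"
    echo "autorenew disabled for $name"
  done
fi
```

After that, certbot renew handles only the HTTP certs, and the DNS ones can be renewed individually with --cert-name and --force-renewal as described above.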
I have used a global alias in Apache without any problem (which affects all vhost configs).
First, ensure you have the alias module loaded: LoadModule alias_module modules/mod_alias.so
Then insert the Alias statement in the IfModule alias block (if you don't have one, then just add it)
[use any existing path you like, or create one specifically just for them]
<IfModule alias_module>
Alias /.well-known/acme-challenge/ /path/to/acme-challenges/
</IfModule>
As you are using Apache, as @rg305 said, you can add an Alias directive to your main Apache conf so ALL the requests to http://anyofyourdomains.tld/.well-known/acme-challenge/whatever will be directed to another directory on your server instead of using the document root of your domain.
You could create /var/www/letsencrypt/ and use it as the dir to which all the challenge requests for your domains are redirected, so you should add this to your main Apache conf file:
<IfModule alias_module>
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
</IfModule>
After reloading/restarting Apache you should test whether it is working or not with your domains: create a test file and check whether you can access it.
echo "This is a test" > /var/www/letsencrypt/.well-known/acme-challenge/test
If it works, you must use /var/www/letsencrypt/ as the webroot when issuing new certificates. Also, if you have already issued certificates for your domains, you should modify their renewal conf files, located in /etc/letsencrypt/renewal/, and change the webroot map for your domains to point to /var/www/letsencrypt/ instead of their document root.
Anyway, instead of using the Alias in the main Apache conf file, you could use it only in the VirtualHost section of the problematic domains, so it will only affect the domain/domains that belong to that VirtualHost section.