How to ignore few domains to get renewed while using ./certbot-auto renew --all

Hi,

I have domains that need to be validated in different ways, like HTTP and DNS. I have already written scripts to take care of HTTP challenges and cleaning those codes. So, when I just invoke the below command, the certs are getting renewed.

./certbot-auto renew --cert-name domain_name (--force-renewal)

At the same time, I need to validate some of the domains using DNS challenges and I’m doing it manually.
I want to ignore those domains that will be renewed through DNS challenge when I run below command.

./certbot-auto renew --all

Can anyone please help me.

Cheers,
Rajesh

Hi @Rajesh,

As far as I know you have a couple of options:

1.- Edit renewal conf file for your domain and add the following option to your renewal section:

autorenew = False

Example:

# Options used in the renewal process
[renewalparams]
autorenew = False
authenticator = manual
account = 03afb3e3119087bd1c242bcd3652f456
manual_public_ip_logging_ok = True
manual_auth_hook = /home/sahsanu/scripts/cloudns/cloudns.bash
server = https://acme-staging-v02.api.letsencrypt.org/directory
manual_cleanup_hook = /home/sahsanu/scripts/cloudns/cleanup_cloudns.bash
pref_challs = dns-01,

2.- Or you can edit the renewal conf file for your domain and change the option renew_before_expiry. By default this option is commented out, so certbot-auto will try to renew the cert if it expires in 30 days or less; you can change it and put 1 or 0 instead of 30.

Before:

# renew_before_expiry = 30 days

After:

renew_before_expiry = 0 days

Cheers,
sahsanu

2 Likes
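Option 1 applied in bulk, as an added example that is not part of the posts above: a shell function that writes `autorenew = False` into every renewal conf that prefers dns-01. It assumes DNS-validated certs can be recognised by `pref_challs = dns-01` (as in the example conf above); the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample confs below are constructed.

# disable_dns_autorenew DIR
# Adds "autorenew = False" under [renewalparams] in every DIR/*.conf that
# prefers dns-01, keeps a .bak copy, and prints how many files it changed.
disable_dns_autorenew() {
    dir=$1
    changed=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Assumption: DNS-validated certs carry pref_challs = dns-01
        grep -Eq '^[[:space:]]*pref_challs[[:space:]]*=.*dns-01' "$conf" || continue
        # Already excluded from automatic renewal: leave the file alone
        if grep -Eq '^[[:space:]]*autorenew[[:space:]]*=[[:space:]]*False' "$conf"; then
            continue
        fi
        cp -p "$conf" "$conf.bak"
        awk '
            /^[ \t]*autorenew[ \t]*=/ { next }   # drop any previous value
            { print }
            /^\[renewalparams\]/ { print "autorenew = False" }
        ' "$conf.bak" > "$conf"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# make_sample_renewal_dir: constructed stand-in for /etc/letsencrypt/renewal
make_sample_renewal_dir() {
    d=$(mktemp -d)
    printf '%s\n' '[renewalparams]' 'authenticator = manual' \
        'pref_challs = dns-01,' > "$d/dns.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        > "$d/http.example.conf"
    echo "$d"
}

# Real use (as root): disable_dns_autorenew /etc/letsencrypt/renewal
```

Certificates marked this way no longer renew on their own, so their expiry dates need separate monitoring.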

I don’t think there is an easy way to include/exclude certificates grouped by renewal type.
You may have to also use --cert-name for the domains using DNS challenge.
Something like:
./certbot-auto renew --cert-name dns1.domain --manual --preferred-challenges=dns --manual-auth-hook=/path/to/dns/authenticator.sh

Yes, I can run that command by mentioning the domain name. The concern is that I have more than 100 domains, so I need to run that command for all those domains every time I’m doing a renewal operation…

If I’m able to ignore a few, then it makes things so simple for me.

Cheers,
Rajesh

Can you combine domain names into fewer certs?

I’m curious…
Usually people choose DNS only when they have to - like for wildcards.
Do you have 100 separate wildcard certs?
Or are you doing DNS authentication for some other reason?

Thanks. I’ll try the first option and see if they got ignored or not.

And one query is: if I put the auto-renew as false, am I then able to run the below command for those domains?

./certbot-auto renew --cert-name domain_name

Usually people choose DNS only when they have to - like for wildcards.

Yeah, but my case is different. I have a few domains that can't be validated through the HTTP challenge.

Let me tell you with an example.

www.example.com is one website and that'll be accessible to the world with one particular path like www.example.com/cgi-bin/account/get-download/?file=account.pdf

In all other cases, the website throws a 404/403 error, so I can't validate them with the HTTP challenge.

And Nope, I don't have 100 wildcard certs. I have more than 100 certs (including SANs) that are validating with HTTP and less than 10 are validating with DNS.

Cheers,
Rajesh

Can't you add a special handling for the location /.well-known/acme-challenge/ requests?

Nope, I think the /.well-known/acme-challenge/ dir should be created at the document root of the server and that’s the only path where Let's Encrypt will look for the code to validate.


Rajesh

Hi @Rajesh,

As you have added autorenew = False to the domain's renewal conf, the above command won't try to renew the certificate for that domain; you need to add the --force-renewal parameter.

./certbot-auto renew --cert-name domain_name --force-renewal

Cheers,
sahsanu

I don't know which web server you are using but, as @rg305 said, if you are using Apache you can add an Alias so all the requests to /.well-known/acme-challenge/ are directed to another path on your disk. The same goes for nginx: you can use location directives to do the same. But with these changes you should modify the renewal conf for existing domains, so I don't know how easy that would be in your environment.

I’m using Apache only. I don’t know how to add aliases. Do I need to change it in the Apache conf file?

Cheers
Rajesh

I have used a global alias in Apache without any problem (which affects all vhost configs).
First, ensure you have alias module loaded:
LoadModule alias_module modules/mod_alias.so

Then insert the alias statement in the IfModule alias block (if you don’t have one then just add it)
[use any existing path you like, or create one specifically just for them]
<IfModule alias_module>
Alias /.well-known/acme-challenge/ /path/to/acme-challenges/
</IfModule>

1 Like

Hi @Rajesh,

As you are using Apache, as @rg305 said, you can add an Alias directive to your main Apache conf so ALL the requests to http://anyofyourdomains.tld/.well-known/acme-challenge/whatever will be directed to another directory on your server instead of using the document root of your domain.

Following @rg305 example:

You could create /var/www/letsencrypt/ and use it as the dir to redirect all the challenge requests for your domains, so you should add these lines to your main Apache conf file.

<IfModule alias_module>
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
</IfModule>

After reloading/restarting Apache you should test whether it is working or not with your domains: create a test file and check whether you can access it.

echo "This is a test" > /var/www/letsencrypt/.well-known/acme-challenge/test

And now try to access the test file: http://yourdomain.tld/.well-known/acme-challenge/test

If it works, you must use /var/www/letsencrypt/ as the webroot when issuing new certificates. Also, if you already issued certificates for your domains, you should modify their renewal conf files, located in /etc/letsencrypt/renewal/, and change the webroot map for your domains to point to /var/www/letsencrypt/ instead of their document root.

Anyway, instead of using the Alias in the main Apache conf file, you could use it only in the VirtualHost section of the problematic domains so it will only affect the domain/domains that belong to that VirtualHost section.

Cheers,
sahsanu

1 Like
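The renewal-conf change described in the post above, as an added example that is not part of the thread: a shell function that points one renewal conf's webroot at the shared challenge directory. The sample conf is constructed and assumes the `webroot_path` / `[[webroot_map]]` layout of a webroot-authenticated renewal conf; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. The sample conf is constructed.

# set_challenge_webroot CONF NEWROOT
# Rewrites webroot_path and every [[webroot_map]] entry in one renewal conf
# to NEWROOT, keeps CONF.bak, and prints the number of lines rewritten.
set_challenge_webroot() {
    conf=$1
    newroot=$2
    cp -p "$conf" "$conf.bak"
    awk -v root="$newroot" -v out="$conf" '
        # Track whether we are inside the [[webroot_map]] subsection.
        /^\[/ { in_map = ($0 ~ /^\[\[webroot_map\]\]/) }
        /^[ \t]*webroot_path[ \t]*=/ { $0 = "webroot_path = " root ","; n++ }
        # Inside the map each line is "domain = path": keep the domain only.
        in_map && /=/ { $0 = substr($0, 1, index($0, "=") - 1) "= " root; n++ }
        { print > out }
        END { print n + 0 }
    ' "$conf.bak"
}

# make_sample_webroot_conf: constructed webroot-style renewal conf
make_sample_webroot_conf() {
    f=$(mktemp)
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        'webroot_path = /var/www/example,' '[[webroot_map]]' \
        'example.com = /var/www/example' \
        'www.example.com = /var/www/example' > "$f"
    echo "$f"
}

# Real use (as root), one conf at a time:
#   set_challenge_webroot /etc/letsencrypt/renewal/<cert-name>.conf /var/www/letsencrypt
```

Because the Alias makes one directory answer challenge requests for every vhost, keep /var/www/letsencrypt/ writable only by the account that runs certbot.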

This is great!

Thank you so much @sahsanu and @rg305, this works for me.

Cheers
Rajesh

3 Likes
