How to switch from apache authenticator to webroot on existing certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 43aah.com

I ran this command: NA

It produced this output: NA

My web server is (include version): Apache/2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.16.0

I am having some problems with certbot on my server. It uses the apache authenticator plugin, and every time renewal runs it causes apache to respond very slowly because of the reloads. This did not happen when I was using certbot-auto, but now that I am using the binary via snap, this is happening every day when the renewal runs.

First off:

Is it possible to disable the cronjob/system timer that runs certbot renewals twice a day until I can get this figured out?

When I run systemctl list-timers --all I see one for certbot: snap.certbot.renew.timer

Secondly:

I would like to move my existing certificates that use apache authenticator to webroot authenticator. My issue is, I have over 230 certificates on this server that currently use apache authenticator. Here is an example renewal config file in /etc/letsencrypt/renewal:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/43aah.com
cert = /etc/letsencrypt/live/43aah.com/cert.pem
privkey = /etc/letsencrypt/live/43aah.com/privkey.pem
chain = /etc/letsencrypt/live/43aah.com/chain.pem
fullchain = /etc/letsencrypt/live/43aah.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
account = ACCOUNT NUMBER
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache

Is there an easy way to transition all of my certificates to renew using webroot authenticator instead of apache so that I don't have this problem with apache when the auto renewal runs?

Yes, of course.

hmm...
I suppose that depends on your definition of "easy".
Some would say anything/everything is "easy"... so any way that can be used would be easy (for them).
Some don't.
I say... not so easy.
Unless all the document roots are the same [which is highly unlikely].
OR
You switch to a single dedicated challenge folder root [easier - but still not easy for some]

Easy for all would be a tedious one by one manual fix - which kind of negates the easiness.
Relatively easy (with some coding skills) is NOT to use webroot but instead to remove the line "authenticator = apache" from all renewal configs and then add a global alias to handle all the challenge requests for all the domains in one single location - this, of course, is also subject to the web server software (and version) being used and the skill level of the coder.
[trying to be mindful of all potential readers and the lifespan of this topic]

What would be the way to disable the cronjob/system timer for certbot?

All of the sites on the server live in /var/www/html/

Could I run this for each site to move them over to webroot authentication, and force renewal on each one so it is updated?

certbot certonly --webroot -w /var/www/html/domain.com/httpdocs -d domain.com -d www.domain.com

Try:
systemctl stop certbot.timer
systemctl disable certbot.timer

But are their document roots all the same?
If not, then there is no single common command string to use [perhaps one can be built via some additional coding]

In short: "yes"
In longer: you might need to force the renewal (ONCE) to ensure the renewal config gets modified/updated.
[But that is far from an EASY process]

Yes, all sites live in /var/www/html/ like this: /var/www/html/domain.com/httpdocs/

You don't seem to understand my question...
Is there an:
/var/www/html/domain.com/httpdocs/
and:
/var/www/html/other-domain.com/httpdocs/

If you grep the document roots from all your configs, do they all look exactly the same?
[or just mostly the same - with minor differences]

There are 230 websites living under /var/www/html/

Each website is set up like this:

/var/www/html/domain.com/httpdocs/

And each website/domain has its own LetsEncrypt certificate. (so a total of 230 certificates)

And you still don't understand my question.

Sorry, I am confused...

Each of the 230 config files in /etc/apache2/sites-enabled/ has this line for the document root:

DocumentRoot /var/www/html/domain.com/httpdocs

(replacing domain.com above with the actual domain)

All 230 are like this.

Then they are NOT the same; there are 230 different strings / document roots.

Not like that; this is a better example:

Right, but if I were to run this for each: certbot certonly --webroot -w /var/www/html/domain.com/httpdocs -d domain.com -d www.domain.com

replacing domain.com above with the actual domain I need to renew ...

Using the option to force renewal

Why wouldn't that work?

hmm...
Maybe it's not yet due for renewal.
[nothing needs changing and nothing gets changed]

Yes, but certbot allows me to select option 2 which will force renewal.

Are you going to do this manually, or didn't you ask for an easy way?

Well, I'm not really finding an easy way to do it, so at this point I just want a way that works, lol. I can just manually renew each one and use webroot in the future.

Again, that depends on your tolerance for ease.
There are simple and efficient ways to do this - but they require some elevated coding skills.

  • a script could parse all the cert-names used
    gather the domains for each cert
    gather the names of the renewals that are currently using webroot
    loop through the names that don't use webroot and call individual renewals "with force"
  • a global alias could be used to direct all ...wait I'm repeating myself:

[taken literally from my first post - 2 hours ago]

Yeah, certbot isn't very well equipped to modify its certificates' configuration afterwards. But I'm pretty sure that if you are sure all the DocumentRoot directives in your Apache configuration files are all the same, it wouldn't be that hard to write a tiny little script to update your 230 certbot renewal configuration files from authenticator = apache to authenticator = webroot (a simple single sed command could do that) and add webroot_path = /path/to/webroot. The only "scripting" part there is that you'd need to dynamically enter the domain name.

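The script sketched in the bulleted list a few posts up and the sed approach in the last reply, written out as one added example; this is not code from the thread or from Certbot itself. It assumes the layout the original poster described (the certificate name equals the domain, and each site's DocumentRoot is /var/www/html/<domain>/httpdocs); the function names `docroot_for_cert`, `rewrite_renewal_conf` and `migrate_all` and the `WWW_BASE` variable are my own, and the sample path is only an assumption about this server.

```shell
#!/bin/sh
# Added example (not from the thread): move certbot renewal configs from the
# apache authenticator to webroot, one file per certificate.
# Assumption: cert name == domain, DocumentRoot == $WWW_BASE/<domain>/httpdocs
set -eu

WWW_BASE="${WWW_BASE:-/var/www/html}"

# docroot_for_cert CERTNAME
# Maps a certificate name to its document root under the assumed layout.
docroot_for_cert() {
    printf '%s/%s/httpdocs\n' "$WWW_BASE" "$1"
}

# rewrite_renewal_conf CONF DOCROOT
# Rewrites one renewal config in place:
#   authenticator = apache  ->  authenticator = webroot
#   plus "webroot_path = DOCROOT" on the next line, still inside [renewalparams].
# "installer = apache" is left alone so certbot still installs the renewed cert.
# Returns 1 and changes nothing if the file is not using the apache authenticator.
rewrite_renewal_conf() {
    conf="$1"
    docroot="$2"
    grep -q '^authenticator = apache$' "$conf" || return 1
    awk -v docroot="$docroot" '
        /^authenticator = apache$/ {
            print "authenticator = webroot"
            print "webroot_path = " docroot
            next
        }
        { print }
    ' "$conf" > "$conf.tmp"
    # copy back through the existing file so its mode and owner are preserved
    cat "$conf.tmp" > "$conf"
    rm -f "$conf.tmp"
}

# migrate_all RENEWAL_DIR
# Walks every renewal config, rewrites those still on apache whose document
# root actually exists, and prints "<changed> <skipped>" so the run is checkable.
migrate_all() {
    dir="$1"
    changed=0
    skipped=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        docroot=$(docroot_for_cert "$name")
        if [ ! -d "$docroot" ]; then
            echo "skip $name: $docroot does not exist" >&2
            skipped=$((skipped + 1))
            continue
        fi
        if rewrite_renewal_conf "$conf" "$docroot"; then
            changed=$((changed + 1))
        else
            skipped=$((skipped + 1))
        fi
    done
    echo "$changed $skipped"
}

# On the real server (take a copy of /etc/letsencrypt first):
#   migrate_all /etc/letsencrypt/renewal
#   certbot renew --dry-run    # confirms the webroot challenge works before the timer fires
```

Files whose document root is missing, or that already use another authenticator, are reported and left untouched, so the script can be re-run safely. A `certbot renew --dry-run` afterwards exercises the new webroot challenge against the staging environment without touching the live certificates, which is the check to do before the snap timer's next run.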
