How to use the new certbot apache v 0.21

First off, thanks for the amazing work!!

My question: now that you’ve made it, could we get some quick and brief documentation on how to use certbot now with apache?

including how to get the new version of certbot and the apache plugin…
(apt upgrade, for example, does not work in Debian – as mentioned in p4c’s “Question about release and update”)

and what differences are between using webroot and the apache plugin…

thanks in advance
(if this inquiry is silly, please ignore it :))

peter

PS:
it might be coming up, only the title of the topic does not reflect in 100% that it is about putting together “the various pieces of information in an easily understandable format” … but see:
List of clients affected by disabling TLS-SNI?

Depends on how you've installed certbot in the first place.

That's unfortunately a Debian "thing". Debian isn't known for their "up to date" repository. A possible solution might be using the certbot-auto (more on that later).

Depends which version of the Apache plugin you're referring to :wink: The webroot plugin purely is an "authenticator": its only function is to authorise a FQDN, so Let's Encrypt will issue a certificate for it. It uses the http-01 challenge. It will only validate your domain, so certbot can get the certificate. It won't change anything on your webserver.
The apache plugin however, is an authenticator plugin as well as an installer plugin: it can use a challenge (before version 0.21 the now disabled tls-sni-01 challenge, with 0.21 and newer the http-01 challenge) to verify your FQDN (the authenticator part), but it will also modify your webserver configuration, so your site is instantly TLS secured!

As I already said in the Question about release and update - #3 by Osiris thread, you can combine the apache installer with the webroot plugin so you can use the http-01 challenge with certbot version <0.21.

You can read more about the decision on disabling the tls-sni-01 challenge here: TLS-SNI challenges disabled for most new issuance

You can read more about the solution here, including the use of certbot-auto: Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

3 Likes
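
The plugin choice described in the answer above, as an added example that is not part of the original posts: a shell helper that reads a certbot version string and picks either the apache plugin alone (0.21 and newer) or the webroot authenticator combined with the apache installer (older than 0.21). The function names, the domain `example.com` and the webroot `/var/www/html` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose certbot plugin flags from the certbot version.
# example.com and /var/www/html are constructed sample values.

# parse_version "certbot 0.19.0" -> "0.19.0" (format of `certbot --version`)
parse_version() {
    printf '%s' "${1##* }"
}

# needs_webroot VERSION: succeed when VERSION is older than 0.21, i.e. the
# apache plugin would still try the disabled tls-sni-01 challenge.
needs_webroot() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 0 ] && [ "$minor" -lt 21 ]
}

# certbot_args VERSION DOMAIN WEBROOT: print the arguments to pass to certbot.
certbot_args() {
    version=$1
    domain=$2
    webroot=$3
    if needs_webroot "$version"; then
        # http-01 via webroot (authenticator) + apache (installer only)
        printf '%s' "--authenticator webroot --installer apache --webroot-path $webroot -d $domain"
    else
        # apache plugin authenticates with http-01 and installs the certificate
        printf '%s' "--apache -d $domain"
    fi
}

# Dry run over constructed version strings; nothing is executed against a CA.
for line in "certbot 0.19.0" "certbot 0.21.0"; do
    v=$(parse_version "$line")
    echo "$line -> certbot $(certbot_args "$v" example.com /var/www/html)"
done
```

With the webroot authenticator, the directory given must be the one Apache actually serves for that domain, because the http-01 token is written under `.well-known/acme-challenge/` inside it.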

hello, thanks!

Depends on how you’ve installed certbot in the first place.

as it is suggested on the certbot website, of course :slight_smile:

in my case: apt install using debian backport

That’s unfortunately a Debian “thing”. Debian isn’t known for their “up to date” repository. A possible solution might be using the certbot-auto (more on that later).

this is a security issue, for them too, sort of...

A possible solution might be using the certbot-auto (more on that later).

that could be the thing :slight_smile:

You can read more about the solution here, including the use of certbot-auto:

THANKS a lot! (I have 10 days till renewal, so, I even have the time!!!) I definitely will

Yes, my recommendation right now for Debian users is to use certbot-auto. I've filed a Certbot issue to update documentation: Update instruction-generator docs to recommend certbot-auto for all Apache / Nginx · Issue #5450 · certbot/certbot · GitHub

1 Like
