First off, thanks for the amazing work!!
My question: now that you’ve made it, could we get some quick and brief documentation on how to use certbot now with apache?
including how to get the new version of certbot and the apache plugin…
(apt upgrade, for example, does not work in Debian – as mentioned in p4c’s “Question about release and update”)
and what differences are between using webroot and the apache plugin…
thanks in advance
(if this inquiry is silly, please ignore it :))
it might be coming up, only the title of the topic does not reflect in 100% that it is about putting together “the various pieces of information in an easily understandable format” … but see:
List of clients affected by disabling TLS-SNI?
Depends on how you’ve installed certbot in the first place.
That’s unfortunately a Debian “thing”. Debian isn’t known for their “up to date” repository. A possible solution might be using the certbot-auto (more on that later).
Depends which version of the Apache plugin you’re referring to.
The webroot plugin purely is an “authenticator”: its only function is to authorise a FQDN, so Let’s Encrypt will issue a certificate for it. It uses the http-01 challenge. It will only validate your domain, so certbot can get the certificate. It won’t change anything on your webserver.
The apache plugin however, is an authenticator plugin as well as an installer plugin: it can use a challenge (before version 0.21 the now disabled tls-sni-01 challenge, with 0.21 and newer the http-01 challenge) to verify your FQDN (the authenticator part), but it will also modify your webserver configuration, so your site is instantly TLS secured!
As I already said in the Question about release and update thread, you can combine the apache installer with the webroot plugin so you can use the http-01 challenge with certbot version <0.21.
You can read more about the decision on disabling the tls-sni-01 challenge here: TLS-SNI challenges disabled for most new issuance
You can read more about the solution here, including the use of certbot-auto: Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
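The plugin choice described in the reply above, as an added shell example that is not part of the original posts or of certbot itself: it picks the flag set from the installed certbot version (webroot authenticator plus apache installer below 0.21, the apache plugin alone from 0.21 on) and only prints the resulting command. The domain `example.com`, the webroot `/var/www/html` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: choose certbot plugin flags from the certbot version.
# example.com and /var/www/html are placeholder values.

# Succeeds (returns 0) when dotted version $1 is older than $2.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# Print the plugin flags for: <certbot version> <webroot path> <domain>.
certbot_plugin_args() {
    cb_ver=$1
    cb_webroot=$2
    cb_domain=$3
    if version_lt "$cb_ver" "0.21.0"; then
        # Before 0.21 the apache plugin authenticates with the disabled
        # tls-sni-01 challenge, so authenticate over http-01 with webroot
        # and keep apache only as the installer.
        printf '%s' "--authenticator webroot --installer apache --webroot-path $cb_webroot -d $cb_domain"
    else
        # From 0.21 on the apache plugin uses http-01 itself.
        printf '%s' "--apache -d $cb_domain"
    fi
}

# Use the installed certbot's version if present, else a constructed sample.
if command -v certbot >/dev/null 2>&1; then
    installed=$(certbot --version 2>&1 | awk '{print $2}')
else
    installed="0.19.0"   # constructed sample value
fi

# Print the command for review; nothing is requested from the CA here.
echo "certbot $(certbot_plugin_args "$installed" /var/www/html example.com)"
```
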
Depends on how you’ve installed certbot in the first place.
as it is suggested on the certbot website, of course
in my case: apt install using debian backport
That’s unfortunately a Debian “thing”. Debian isn’t known for their “up to date” repository. A possible solution might be using the certbot-auto (more on that later).
this is a security issue, for them too, sort of…
A possible solution might be using the certbot-auto (more on that later).
that could be the thing
You can read more about the solution here, including the use of certbot-auto:
THANKS a lot! (I have 10 days till renewal, so, I even have the time!!!) I definitely will
Yes, my recommendation right now for Debian users is to use certbot-auto. I’ve filed a Certbot issue to update documentation: https://github.com/certbot/certbot/issues/5450