Let's Encrypt, Apache and Varnish - the right way?

My domain is: wearesunday.com

I ran this command: sudo certbot --apache

It produced this output: (all good)

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04.3

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Is there a recommended way to have Apache listening on 443 using a LE certificate, proxying to Varnish on port 80 and have that cache content it retrieves from Apache on port 8080?

We have this running, having initially (when setting up the server) generated the SSL certficate using certbot’s Apache plugin. However, now that Varnish is on port 80 certbot’s automated renewal doesn’t work. Does anyone know how I should have set this up so that the renewals do work?

Hi @tobym

that's not a general problem, but --apache can't work.

Your main configuration is good - https://check-your-website.server-daten.de/?q=wearesunday.com

http + /.well-known/acme-challenge is redirected to https, there is the expected result http status 404 - Not Found, that's good.

So find the webroot of your https vHost and use that.

certbot run -a webroot -i apache -w yourHttpsWebroot -d wearesunday.com -d www.wearesunday.com



But your current certificate has only one domain name:

expires in 3 days	wearesunday.com - 1 entry

So your defined www version isn't secure.

So create one certificate with both domain names.

PS: And you have some content errors:

https://wearesunday.com/wp-content/uploads/2015/02/Petplan-listimage.gif 273w, https://wearesunday.com/wp-content/uploads/2015/02/Petplan-listimage.gif 273w, https://wearesunday.com/wp-content/uploads/2015/02/Petplan-listimage.gif 273w

is wrong, one srcset attribute with more then one 273w. Every w definition must be unique.


That was disconcertingly easy - thanks very much, that certainly allowed me to renew the certificate (and apply it to the www subdomain)!

Would anything further need to be done to have automatic renewal work in the future?

Thanks again.

1 Like

What says

certbot certificates

You may have two certificates, the new you use and your old. You can delete the old (certbot delete certname). If your cron job uses renew, that should work.

Recheck your domain with the online tool in 60 - 70 days. Then you see if there is a new certificate created (CT-log part) and used (connection-part).


I only seem to have the new certificate - thanks for your help with this, I really appreciate it!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.