I don't remember which command I used to issue a new certificate: certbot --apache OR certbot --auto for some I used certbot certonly --manual -d domainname.com -d www.domainname.com --preferred-challenges="dns"
and for some certbot certonly --webroot-path /var/www/public_html/domainname.com/public --renew-by-default --email myemail@gmail.com --text --agree-tos -d domainname.com -d www.domainname.com --preferred-challenges http --preferred-challenges="dns"
It's a little messy, I know. If I knew the best way to purge all and go for one updated solution I'd go for it. I read quite a few topics on your forum similar to this one. I read that http1 challenges are deprecated. The topic is old. I CAN'T ADD A WILDCARD REDIRECT to Cloudflare because I am a free user and all the page rules I can apply are already busy for all the domain names.
MY GOAL IS: To be able to auto renew all the existing certificates using a single command without getting errors when I have the orange cloud active on cloudflare. I can't manually go and deactivate it for every domain. It's just a pain to do so. I'll be happy to keep both let's encrypt and cloudflare certificate while using "FULL STRICT" on Cloudflare. I'm looking for a 2021st updated solution. Please help. Thanks in advance!
My web server is (Apache latest version)
The operating system my web server runs on is (Debian 9 64-bit)
You might not be able to add a wildcard redirect but you should be able to obtain a wildcard cert via DNS authentication. [Both of your example commands are using DNS challenges]
So it might not alleviate the free limit but it would make cert assignments really easy if you only have one cert.
Given: a one entry wildcard would only cover subdomains from that one domain.
[but the SAN field can hold 100 entries - enough for 50 root domains and the 50 matching wildcards]
Thanks to both of you for your suggestions and immediate answers. What should I do to purge all the existing certificates (and do I have to) and then what are the steps to go trough to achieve the soultion @rg305 suggests? Thanks! Am I looking for the right syntax to list all my domain names in a single command? Or is there a smarter solution I'm not seeing.
The DNS Challanges work perfectly for me but it's not an option to write 50 commands.
Thanks for this suggestion but I'm trying to avoid installing any 3rd party software on the web server. I love let's encrypt. I can't say the same for Cloudflare. I just use them because they are a free solution atm.
to be automate dns challenge you need to give client an api to update it
keep mind you already agree to cloudflare to be sit in the middle seeing all traffic in plaintext (don't send plainetext password by cloudflare!) I'd just use cloudflare cert it give from panel if you trust cloudflare enought for that.
I feel like I'm back to the same loop. Can you please suggest the exact steps to go trough to achieve what I want in point 4. of the main thread? Thanks! @orangepizza As I already said it's one thing to send Cloudflare my data directly. It's another thing to send it encrypted.
I think this is partly to blame for the confusion.
HTTP authentication has not been deprecated.
[HTTPS was but that is another story]
If you want a wildcard you will need to use DNS authenticated challenges.
If you want to automate the DNS challenges, you will need to use a DNS API plugin.
If you can't, or don't want to, use DNS authentication, then you will have to use HTTP.
HTTP through CloudFlare is a bit tricky but possible and can be easily automated.
And one last option is to also use CloudFlare to encrypt the connection form them to your server.
Which was mentioned above.
you don't send E2E encrypted data to user, CF will sit in the middle and decrypt the traffic. (that's only why to them to see client request and send from cache if they have one.
So are you saying that the HTTP is the way to go? If so where can I read how to configure and automated it for my case?
What exactly do you mean by "DNS API plugin" the one from Cloudflare?
In order to automate the required TXT record creation (to pass the DNS authentication request), you must use an ACME client that supports DNS API and use a DNS service provider that supports updates to your DNS zone via that API.
Or you will have to do that manually 50 times every 60 days - no deal!
It may get confusing because CloudFlare can be your DNS service provider (or not).
And CloudFlare can also be your CDN (or not).
Ok. I think I understand. I have different places I bought the domains from but I'm using Cloudflare as a DNS provider and a CDN at the same time. So where do I get that plugin to solve my eternal pain?
My only concern is that it's updated 3 years ago. If this is the so called "plugin" I think it'll do. Please if anyone has a similar issue to mine join the topic and share your solution. Thanks!