We don't see mod_md problems here very often. The 503 Service Unavailable sounds like a possible temp problem reaching the Let's Encrypt Server. These are rare and should not repeat except maybe during a known LE outage (which we don't have right now).
Is this the first time you are using mod_md for these domains?
If so, I'd suggest reviewing your mod_md config and perhaps asking on the github for it. I know mod_md is now packaged in Apache but you still might find more expertise there. There are some here who know mod_md but I am not one of them. https://httpd.apache.org/docs/trunk/mod/mod_md.html
I've found that in virtualhosts.conf I can set:
MDomain quantum-equities.com icf.quantum-equities.com
And it does associate the cert with icf, However, when I go to icf.quantum-equities.com it gives that black screen with:
Error code: SSL_ERROR_BAD_CERT_DOMAIN
... and wants me to confirm the exception. Alarming to visitors.
Yes, I see the wrong cert configured for your icf subdomain.
In your cert history I see a cert for your root domain and a www subdomain you got on Apr 23 (link here).
Sometimes it takes a while (24H even) for new certs to appear in the public logs.
Can you show the Apache config files for the mod_md settings and the VirtualHost it applies to? Maybe I will see something or someone else with more expertise will see it.
Thanks, but that's what I originally had. Got "Service unavailable" at the website. It's supposed to be a valid method if I want a separate cert for the subdomain, just as the above method is valid to have one cert for two domains, according to the very good docs.
I think it's more sensible to have one cert for both domain names since they have the same root and I don't want to be a clod and ask for a million certs.
I have found in the logs that there was an error where my DNS registrar did not have www.icf.quantum-equities.com. Maybe that was the problem. I've corrected that at the registrar now, but mod_md has hammered LE so much that I am disabled for at least an hour.
The cert used by any one VirtualHost must have all the names listed for ServerName and for ServerAlias.
You can have one cert for all the names in all your VirtualHosts or one cert for each VirtualHost with just their names.
It looks like mod_md with the auto default collects all the ServerAlias names for the cert. I only looked at the example in the Apache docs and not the github, so, sure, if that says your method was OK then that's good.
And, yes, your DNS must have an A and/or AAAA record for each of these names too.
If the 503 was a request to your server, that's a different issue, probably not related to the cert itself. Often that is a proxy to another server that is failing, but other causes are possible.
EDIT: The Staging system is helpful when testing once a problem occurs, to avoid the rate limits you describe.
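As an added example (not code from this thread or from mod_md), a small Python check for the two rules above: every ServerName/ServerAlias in a VirtualHost must be covered by the cert that VirtualHost serves, and each of those names must resolve in DNS. The vhost text and the SAN list are constructed from the names in the thread; the DNS lookup is injectable so the check can run offline.

```python
"""Check Apache vhost names against a cert's SAN list and against DNS."""
import re
import socket

# Constructed sample vhost config (names from the thread, contents made up).
VHOST_CONF = """
<VirtualHost *:443>
    ServerName icf.quantum-equities.com
    ServerAlias www.icf.quantum-equities.com
</VirtualHost>
<VirtualHost *:443>
    ServerName quantum-equities.com
    ServerAlias www.quantum-equities.com
</VirtualHost>
"""

def vhost_names(conf):
    """Every ServerName/ServerAlias host in the config, in order, deduplicated."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+?)\s*$", line)
        if not m:
            continue
        for token in m.group(1).split():
            # ServerName may carry a scheme and port: https://host:443
            host = token.split("://")[-1].split(":")[0].lower()
            if host not in names:
                names.append(host)
    return names

def uncovered_names(names, sans):
    """Names the cert does not cover (exact match or one-label wildcard)."""
    sanset = {s.lower() for s in sans}
    def covered(host):
        parent = host.split(".", 1)[1] if "." in host else ""
        return host in sanset or f"*.{parent}" in sanset
    return [h for h in names if not covered(h)]

def _resolve(host):
    """Default resolver: True if the host has any A/AAAA record."""
    try:
        return bool(socket.getaddrinfo(host, 443))
    except socket.gaierror:
        return False

def unresolvable_names(names, resolve=_resolve):
    """Names with no DNS record, per the supplied resolver."""
    return [h for h in names if not resolve(h)]
```

Run it against the live config and the SANs printed by `openssl x509 -noout -ext subjectAltName` to find the name that produces SSL_ERROR_BAD_CERT_DOMAIN before a visitor does.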
Yes, my above config is correct. The prob was in the httpd error logs -- I had only set icf.quantum-equities.com but not www.icf.quantum-equities.com at my domain registrar, yet called for www. in the virtual-hosts file.
@rg305 yes, it pretty much does everything, requests the initial certs, scans all aliases to include, does updates 30 days before expiry, and so on. You do have to have it set up right, and the docs I linked above will get you there. mod_md is really quite a massive improvement over certbot.
The only caveat is my problem above, and that you must restart Apache weekly in case the cert changes so the new one will take effect. systemd cannot do that, so it has to be a cron job:
# crontab -e
0 01 * * Sun /usr/bin/systemctl restart httpd.service
Osiris, it just takes a minuscule bit of common sense if your first language is English. Look at it sideways and it's two eyes with a half-smile. (sardonic)