Something like this:
sudo certbot certonly --cert-name mydomain.com --webroot -w /var/www/mydomain.com -d "mydomain.com,www.mydomain.com" --deploy-hook "systemctl restart apache2.service"
Then your renewals look like this:
sudo certbot renew
Cool. Thanks. I just noticed that I am having trouble with DNS rn as I am in the process of trying out a new DNS provider... so I will have to fix that before I can truly try it out. Also I didn't know you could sign two subdomains with the same cert? Is that what that command is doing with the comma separated root domain and www- subdomain?
How do I do that then without using wildcards? I have been getting new certs for every new subdomain and that is kinda tedious... not to mention probably worse.
You're wrong. It's 100 hostnames. Doesn't matter if these hostnames are subdomains, apex domains or wildcard domains. The limit is mentioned in the rate limits documentation, by the way.
If you use --cert-name name, it will replace the list of (sub)domains on the certificate using the -d list for the certificate with name. Look at certbot certificates for your certificate name.
You can also use certbot delete --cert-name name to blast unneeded certificates correctly (cleanly). This prevents you from needlessly (and dangerously) renewing junk.
A note to the certbot delete advice above: certbot doesn't check if the certificate is in use somewhere! Don't delete certificates unless you're absolutely sure you don't use them somewhere. If the unwanted certificate is in use, please change the configuration of the service using it first to the certificate you actually do want to use, check the service for correct use of the other certificate and then and only then delete the unwanted certificate.
This is also the case when the certificate was installed by the apache or nginx plugin: those plugins won't "roll back" the configuration of Apache or nginx when a certificate is deleted.
Exactly as @Osiris said. Get the correct cert. Install (configure) it. Restart. Then detonate the garbage.
That's always been a gray area to me. I've never really tested it thoroughly. You probably have though.
apachectl -S is your friend.
Speaking of getting rid of garbage... How can I drop TLS 1.0 and 1.1 support? I tried setting up the following in /etc/apache2/apache2.conf (because I wanted this to be a global config), but SSL Labs still reports it as being supported:
ServerTokens Prod
ServerSignature off
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
Not all of those options are related to SSL, I know, but they might help you guys help me figure out my problem.
I also use two IncludeOptional directives here:
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
These are your two best friends for accomplishing this.
General directives can be overwritten in VirtualHosts or sometimes even .htaccess files.
This configuration file is added by certbot to the VirtualHost it configured your certificate for. It however should have disabled TLSv1.1 and lower according to the current version of that file: https://github.com/certbot/certbot/blob/e570e8ad3230ed5ce24191cde9bbbc6d2a54b630/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
This is why apachectl -S is your friend. You must sort out the spaghetti and ensure that duplicate or default directives aren't affecting your configuration. Be aware that .htaccess can creep up on you. You shouldn't be using .htaccess anyhow if you can avoid it.
I'm starting to nod off, my friends. It's 5:45 AM in the Rockies so I must sleep.
Hm... Okay, I am having issues with the new DNS provider so I temporarily switched my nameservers back to the old nameservers and I am gonna figure out what's going on with the new DNS later. But for now, I have got to wait until stuff propagates.
That should have done it but most likely there is another line included elsewhere.
Check for includes like: /etc/letsencrypt/options-ssl-apache.conf
Otherwise try:
grep -Ri sslprotocol /etc/apache2/
[or wherever you web server runs from and/or wherever you store your configs]
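An added example, not code from the thread or from certbot, that does what the grep above does but also tells you which SSLProtocol lines still permit TLS 1.0 or 1.1. It builds a small constructed config tree in a temp directory (a global apache2.conf that disables TLSv1/TLSv1.1, plus a vhost pulling in an older options-ssl-apache.conf that does not), so it runs offline; the file names and contents are assumptions standing in for /etc/apache2 and /etc/letsencrypt. Commented-out directives are skipped, and "all", "+proto", "-proto" and bare protocol names are evaluated the way mod_ssl reads them.

```shell
#!/bin/sh
# Audit every SSLProtocol directive under one or more config directories and
# flag any that still allows TLSv1 or TLSv1.1. Added example; the config tree
# below is constructed for the demo and is not a real server's configuration.
set -eu

# Build a constructed stand-in for /etc/apache2 and /etc/letsencrypt.
make_demo_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/apache2/sites-enabled" "$dir/letsencrypt"
  cat > "$dir/apache2/apache2.conf" <<'EOF'
ServerTokens Prod
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
IncludeOptional sites-enabled/*.conf
EOF
  # A vhost that includes an older options-ssl-apache.conf (assumed content).
  cat > "$dir/apache2/sites-enabled/example-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.test
    # SSLProtocol all   (leftover, commented out: must be ignored by the audit)
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
EOF
  cat > "$dir/letsencrypt/options-ssl-apache.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
EOF
  printf '%s\n' "$dir"
}

# Exit 0 if the SSLProtocol argument string still permits TLSv1 or TLSv1.1.
# "all" enables every protocol; "+X"/bare "X" enables X; "-X" disables X.
allows_legacy_tls() {
  tls10=0; tls11=0
  for tok in $1; do
    case "$(printf '%s' "$tok" | tr 'A-Z' 'a-z')" in
      all|+all)         tls10=1; tls11=1 ;;
      -all)             tls10=0; tls11=0 ;;
      tlsv1|+tlsv1)     tls10=1 ;;
      -tlsv1)           tls10=0 ;;
      tlsv1.1|+tlsv1.1) tls11=1 ;;
      -tlsv1.1)         tls11=0 ;;
    esac
  done
  [ "$tls10" -eq 1 ] || [ "$tls11" -eq 1 ]
}

# Print "file:line: WEAK|ok: SSLProtocol <args>" for every live directive found
# under the given directories; exit 0 only if no WEAK directive exists.
audit_sslprotocol() {
  hits=$(mktemp)
  weak=0
  grep -RinH 'sslprotocol' "$@" > "$hits" 2>/dev/null || true
  while IFS= read -r hit; do
    file=${hit%%:*}; rest=${hit#*:}; line=${rest%%:*}; text=${rest#*:}
    stripped=$(printf '%s' "$text" | sed 's/^[[:space:]]*//')
    case "$stripped" in '#'*) continue ;; esac   # commented out, not in effect
    # Keep only the directive's arguments (case-insensitive match on the name).
    args=$(printf '%s' "$stripped" | \
      sed -n 's/^[Ss][Ss][Ll][Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]\{1,\}//p')
    if [ -z "$args" ]; then continue; fi
    if allows_legacy_tls "$args"; then
      status=WEAK; weak=$((weak + 1))
    else
      status=ok
    fi
    printf '%s:%s: %s: SSLProtocol %s\n' "$file" "$line" "$status" "$args"
  done < "$hits"
  rm -f "$hits"
  [ "$weak" -eq 0 ]
}

demo_dir=$(make_demo_tree)
if audit_sslprotocol "$demo_dir/apache2" "$demo_dir/letsencrypt"; then
  echo "no SSLProtocol directive permits TLS 1.0/1.1"
else
  echo "at least one directive still permits TLS 1.0/1.1; fix the WEAK lines above"
fi
rm -rf "$demo_dir"
```

On a real host, point audit_sslprotocol at /etc/apache2 and /etc/letsencrypt (or wherever your includes live); a WEAK line inside a VirtualHost or an included file is exactly the kind of later directive that overrides the global one and keeps SSL Labs reporting the old protocols.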
I have that include already in every single vHost on my server. But no matter now. I have broken Apache completely somehow. Idk what I have done. At first I was getting an error with line 14 in /etc/apache2/mods-enabled/alias.conf. I hadn't even touched that, but I went ahead and looked at it and found that I could comment out the offending line. I don't know what it does, but I didn't think that that was the problem. I was right because now the error is that mod_ssl couldn't configure at least one certificate and key for codedragon.dev:443.
Thanks so much for giving me that grep command! It helped me find the offending directive in /etc/apache2/mods-available!