Problem with Certbot renew

Something like this:

sudo certbot certonly --cert-name mydomain.com --webroot -w /var/www/mydomain.com -d "mydomain.com,www.mydomain.com" --deploy-hook "systemctl restart apache2.service"

Then your renewals look like this:

sudo certbot renew

:grin:

3 Likes

Cool. Thanks. I just noticed that I am having trouble with DNS rn as I am in the process of trying out a new DNS provider... so I will have to fix that before I can truly try it out. Also I didn't know you could sign two subdomains with the same cert? Is that what that command is doing with the comma separated root domain and www- subdomain?

2 Likes

You can sign ~~500~~ 100 subdomains in a cert. :grinning:

Correct me if I'm wrong on the SAN limit, @Osiris.

Yep. :wink:

2 Likes

How do I do that then without using wildcards? I have been getting new certs for every new subdomain and that is kinda tedious... not to mention probably worse.

2 Likes

You're wrong :wink: It's 100 hostnames. Doesn't matter if these hostnames are subdomains, apex domains or wildcard domains. The limit is mentioned in the rate limits documentation by the way :slight_smile:

4 Likes

If you use --cert-name name, it will replace the list of (sub)domains on the certificate using the -d list for the certificate with name. Look at certbot certificates for your certificate name.

You can also use certbot delete --cert-name name to blast unneeded certificates correctly (cleanly). This prevents you from needlessly (and dangerously) renewing junk.

2 Likes

A note to the certbot delete advice above: certbot doesn't check if the certificate is in use somewhere! Don't delete certificates unless you're absolutely sure you don't use them somewhere. If the unwanted certificate is in use, please change the configuration of the service using it first to the certificate you actually do want to use, check the service for correct use of the other certificate and then and only then delete the unwanted certificate.

This is also the case when the certificate was installed by the apache or nginx plugin: those plugins won't "roll back" the configuration of Apache or nginx when a certificate is deleted.

3 Likes

Exactly as @Osiris said. Get the correct cert. Install (configure) it. Restart. Then detonate the garbage. :bomb:

2 Likes

That's always been a gray area to me. I've never really tested it thoroughly. You probably have though.

@CodeDragon5793

apachectl -S is your friend.

2 Likes

Speaking of getting rid of garbage... How can I drop TLS 1.0 and 1.1 support? I tried setting up the following in /etc/apache2/apache2.conf (because I wanted this to be a global config), but SSL Labs still reports it as being supported:

ServerTokens Prod
ServerSignature off
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on

Not all of those options are related to SSL, I know, but they might help you guys help me figure out my problem.

2 Likes

I also use two IncludeOptional directives here:

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

2 Likes

These are your two best friends for accomplishing this.

1 Like

General directives can be overwritten in VirtualHosts or sometimes even .htaccess files.

This configuration file is added by certbot to the VirtualHost it configured your certificate for. It however should have disabled TLSv1.1 and lower according to the current version of that file: https://github.com/certbot/certbot/blob/e570e8ad3230ed5ce24191cde9bbbc6d2a54b630/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf

2 Likes

This is why apachectl -S is your friend. You must sort out the spaghetti and ensure that duplicate or default directives aren't affecting your configuration. Be aware that .htaccess can creep up on you. You shouldn't be using .htaccess anyhow if you can avoid it.

1 Like

I'm starting to nod off, my friends. It's 5:45 AM in the Rockies so I must sleep. :sleeping:

1 Like

Hm... Okay, I am having issues with the new DNS provider so I temporarily switched my nameservers back to the old nameservers and I am gonna figure out what's going on with the new DNS later. But for now, I have got to wait until stuff propagates.

2 Likes

That should have done it but most likely there is another line included elsewhere.
Check for includes like: /etc/letsencrypt/options-ssl-apache.conf

Otherwise try:
grep -Ri sslprotocol /etc/apache2/
[or wherever your web server runs from and/or wherever you store your configs]

3 Likes
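The grep above finds every SSLProtocol line, but you still have to read each one to see which actually re-enables TLS 1.0/1.1 (a later VirtualHost with a bare "SSLProtocol all" silently undoes the global "-TLSv1 -TLSv1.1"). This is an added helper, not code from the thread or from certbot, that evaluates each directive the way mod_ssl does; it assumes you point it at your Apache config tree (e.g. /etc/apache2) and that "all" expands to SSLv3 plus every TLS version, as in current mod_ssl docs.

```shell
#!/bin/sh
# audit_sslprotocol DIR: list every uncommented SSLProtocol directive under
# DIR and flag the ones that leave TLSv1 or TLSv1.1 enabled. Prints one
# "WEAK file:line: directive" or "OK file:line: directive" per directive.
# Exit status 1 if any WEAK directive was found, 0 otherwise.
audit_sslprotocol() {
    grep -RinH '^[[:space:]]*SSLProtocol' "$1" 2>/dev/null | awk '
    {
        # grep prints file:lineno:content; keep the location for the report
        split($0, parts, ":")
        loc = parts[1] ":" parts[2]
        line = $0
        sub(/^[^:]*:[^:]*:/, "", line)      # drop "file:lineno:"
        sub(/^[[:space:]]+/, "", line)      # drop indentation
        n = split(line, tok, /[[:space:]]+/)
        for (k in on) delete on[k]          # reset protocol set per directive
        for (i = 2; i <= n; i++) {          # tok[1] is the directive name
            t = tok[i]
            if (t == "") continue
            if (tolower(t) == "all") {
                # assumption: "all" = SSLv3 + every TLS version (mod_ssl docs)
                on["SSLv3"] = 1; on["TLSv1"] = 1; on["TLSv1.1"] = 1
                on["TLSv1.2"] = 1; on["TLSv1.3"] = 1
            } else if (substr(t, 1, 1) == "-") {
                delete on[substr(t, 2)]     # "-TLSv1" removes that version
            } else if (substr(t, 1, 1) == "+") {
                on[substr(t, 2)] = 1        # "+TLSv1.1" adds it back
            } else {
                on[t] = 1                   # bare "TLSv1.2" enables only it
            }
        }
        weak = (("TLSv1" in on) || ("TLSv1.1" in on))
        if (weak) rc = 1
        printf "%s %s: %s\n", (weak ? "WEAK" : "OK"), loc, line
    }
    END { exit rc }'
}

# Run directly: sh audit_sslprotocol.sh /etc/apache2
if [ "$#" -gt 0 ]; then
    audit_sslprotocol "$1"
fi
```

Remember that this only covers files on disk; a directive in .htaccess or in a file pulled in by a non-obvious Include still needs apachectl -S to locate.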

I have that include already in every single vHost on my server. But no matter now. I have broken Apache completely somehow. Idk what I have done. At first I was getting an error with line 14 in /etc/apache2/mods-enabled/alias.conf. I hadn't even touched that, but I went ahead and looked at it and found that I could comment out the offending line. I don't know what it does, but I didn't think that that was the problem. I was right, because now the error is that mod_ssl couldn't configure at least one certificate and key for codedragon.dev:443.

2 Likes

Thanks so much for giving me that grep command! It helped me find the offending directive in /etc/apache2/mods-available!

3 Likes
