Renewal procedure with standalone server (disabling apache2)

I installed certbot in debian buster.
I am using as server apache2. When I required the first time my certificate I used the standalone method, using my own web server (apache2) and setting up the webroot served by apache.

Then I made a manual config of apache2 for all mysubdomains. So now they don't serve the same webroot. Everything is working correctly.

Now how will auto renewal procedure will work?

I think the best option is, when the certificate must be renewd to stop apache2, use certbot with his own server (so all domains point to the same webroot), then restart apache2.
How edit the configuration of certbot to do this?

My certbot version is 0.31.0.

2 Likes

--webroot is still the best option.
You could manually edit each of the renewal.conf files (tedious).
Or simply renew each cert with the appropriate --webroot via --dry-run
Which should update the renewal.conf for you.

The renewal config files are in folder: /etc/letsencrypt/renewal/

2 Likes

I confirmed installed with --webroot.

There isn't a way to add a pre-renewal and a post-renewal script?

Because if I could execute the standalone server by certbot I don't have to worry about the configuration of virtual servers in apache2.
But if i don't kill apache2 the port 80 isn't free to be used.

1 Like

Why would you want to shutdown your web server to get a cert?
[When you can get the cert while the web server runs]

2 Likes

Because I created an unique certificate for
mydomain.one
dyn.mydomain.one
cloud.mydomain.one
www.mydomain.one

I set set some rewrite rules, www.mydomain.one and cloud.mydomain.one redirict to mydomain.one.
dyn.mydomain.one doesn't redirict.
mydomain.one and dyn.mydomain.one has 2 different webroot. So whent I renew the certificate I think certbot will check all domains.

If I could stop apache2 and run certbot webserver every domain will point to certbot webserver so I don't need to worry about apache2.

Am I doing that in the wrong way?

2 Likes

You can specify a unique webroot for each domain..

If you are going to shutdown the web service, you should run two web servers:
One for HTTP on port 80 (which only redirects everything to HTTPS)
One for HTTPS.
Then you can shutdown the one doing HTTP to run certonly in standalone mode.
[and only reload the HTTPS server whenever a new cert is issued]

2 Likes

Because for renewal is needed listening both 80 and 443?

Is there the possibility to config certbot to exec a pre and post renewal commands?

2 Likes

No, the renewal can work with just on port 80.
If there is a redirect to port 443, it will follow it.

Yes, see this link:
https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks
and this section (lower in same page):
image

2 Likes

Ok thank you very much, but I red it and I am still confused :frowning:
So a
certbot renew --dry-run --pre-hook "service apache2 stop" --post-hook "service apache2 start"
Should not solve my problems becase my config file is not edited.

How should I change mu renewal/mydomain.one?
This is mine

 # renew_before_expiry = 30 days
 version = 0.31.0
 archive_dir = /etc/letsencrypt/archive/mydomain.one
 cert = /etc/letsencrypt/live/mydomain.one/cert.pem
 privkey = /etc/letsencrypt/live/mydomain.one/privkey.pem
 chain = /etc/letsencrypt/live/mydomain.one/chain.pem
 fullchain = /etc/letsencrypt/live/mydomain.one/fullchain.pem
 
 # Options used in the renewal process
 [renewalparams]
 account = ***
 authenticator = webroot
 webroot_path = /var/www/html,
 server = https://acme-v02.api.letsencrypt.org/directory
 [[webroot_map]]
 mydomain.one = /var/www/html

I think I should change
authenticator = webroot
to
authenticator = standalone
I think I could delete webroot directives, but how add pre and post hook commands?

Then i could try certbot renew --dry-run to check if my configuration is actually edited.

3 Likes

Once the dry-run is successful (with --standalone), then you can do it for real.
That real one will update the renewal conf file for you (you won't have to change anything).

2 Likes

Is standalone really needed here? Why not webroot?

2 Likes

Preaching to the choir ...

2 Likes

Better yet, just use the apache authenticator. It figures out the webroots by itself.

2 Likes

@marcomg

Please do us a flavor and try the following:
sudo certbot certonly --apache --dry-run

2 Likes

You are recommending Apache (sight unseen) ?

Better start with:
apachectl -S

1 Like

Marco mentioned using apache2 about 48 times so far. I think it's a safe bet. :wink:

Checking the configuration up front may be helpful. Certbot should prompt for domain names though since no -d was specified.

2 Likes

Apache is notorious for ...

2 Likes
  • existing?
  • opening interdimensional gateways?
  • waking Cthulhu?
  • squeezing the Charmin?
  • running with scissors (no matter the configuration)?
2 Likes

https://community.letsencrypt.org/search?q=notorious%20order%3Alatest

2 Likes

I knew your famous phrase. :grin:
Hence my final addition.

2 Likes