I installed certbot on Debian buster.
I am using apache2 as server. When I requested my certificate for the first time I used the standalone method, using my own web server (apache2) and setting up the webroot served by apache.
Then I made a manual config of apache2 for all my subdomains. So now they don't serve the same webroot. Everything is working correctly.
Now how will the auto renewal procedure work?
I think the best option is, when the certificate must be renewed, to stop apache2, use certbot with its own server (so all domains point to the same webroot), then restart apache2.
How do I edit the configuration of certbot to do this?
--webroot is still the best option.
You could manually edit each of the renewal.conf files (tedious).
Or simply renew each cert with the appropriate --webroot via --dry-run
Which should update the renewal.conf for you.
The renewal config files are in folder: /etc/letsencrypt/renewal/
Isn't there a way to add a pre-renewal and a post-renewal script?
Because if I could run the standalone server of certbot I wouldn't have to worry about the configuration of the virtual servers in apache2.
But if I don't kill apache2, port 80 isn't free to be used.
Because I created a unique certificate for
mydomain.one
dyn.mydomain.one
cloud.mydomain.one
www.mydomain.one
I set some rewrite rules: www.mydomain.one and cloud.mydomain.one redirect to mydomain.one.
dyn.mydomain.one doesn't redirect.
mydomain.one and dyn.mydomain.one have 2 different webroots. So when I renew the certificate I think certbot will check all domains.
If I could stop apache2 and run the certbot webserver, every domain would point to the certbot webserver, so I wouldn't need to worry about apache2.
You can specify a unique webroot for each domain.
If you are going to shutdown the web service, you should run two web servers:
One for HTTP on port 80 (which only redirects everything to HTTPS)
One for HTTPS.
Then you can shutdown the one doing HTTP to run certonly in standalone mode.
[and only reload the HTTPS server whenever a new cert is issued]
Ok thank you very much, but I read it and I am still confused.
So a certbot renew --dry-run --pre-hook "service apache2 stop" --post-hook "service apache2 start"
should not solve my problems because my config file is not edited.
How should I change my renewal/mydomain.one?
This is mine:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mydomain.one
cert = /etc/letsencrypt/live/mydomain.one/cert.pem
privkey = /etc/letsencrypt/live/mydomain.one/privkey.pem
chain = /etc/letsencrypt/live/mydomain.one/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.one/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = ***
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
mydomain.one = /var/www/html
I think I should change
authenticator = webroot
to
authenticator = standalone
I think I could delete the webroot directives, but how do I add the pre and post hook commands?
Then I could try certbot renew --dry-run to check if my configuration is actually edited.
Once the dry-run is successful (with --standalone), then you can do it for real.
That real one will update the renewal conf file for you (you won't have to change anything).
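The edit the thread converges on, shown as an added example (not from the posts and not certbot's own code): what the posted renewal conf ends up as once a real run with --standalone and the two hooks has updated it, produced here by a small rewrite so the change is visible line by line. pre_hook and post_hook are certbot's own key names in [renewalparams]; the account value is a placeholder.

```python
# Constructed sample: the renewal conf posted above, account redacted
# with a placeholder (certbot writes the real account id here).
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mydomain.one
cert = /etc/letsencrypt/live/mydomain.one/cert.pem
privkey = /etc/letsencrypt/live/mydomain.one/privkey.pem
chain = /etc/letsencrypt/live/mydomain.one/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.one/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
mydomain.one = /var/www/html
"""

def to_standalone(conf, pre_hook, post_hook):
    """Rewrite a webroot renewal conf for the standalone authenticator:
    authenticator = standalone, webroot_path and [[webroot_map]] dropped,
    pre_hook/post_hook (certbot's own key names) added after authenticator."""
    out = []
    in_params = False      # inside [renewalparams]
    skipping_map = False   # inside [[webroot_map]], which is dropped whole
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("[["):                 # a sub-section header
            skipping_map = s == "[[webroot_map]]"
            if skipping_map:
                continue
        elif skipping_map:                     # body of [[webroot_map]]
            continue
        elif s == "[renewalparams]":
            in_params = True
        elif in_params and "=" in s:
            key = s.split("=", 1)[0].strip()
            if key == "webroot_path":          # only meaningful for webroot
                continue
            if key == "authenticator":         # switch plugin, add hooks
                out += ["authenticator = standalone",
                        f"pre_hook = {pre_hook}", f"post_hook = {post_hook}"]
                continue
        out.append(line)
    return "\n".join(out) + "\n"
```

The hooks run around the actual renewal only, so apache2 is stopped just long enough for certbot's own server to answer the challenge on port 80, exactly the sequence described in the thread.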