Renewing Certificates: Apache on Windows 10

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domains are: brisray.com & hmsgambia.org & ihor4x4.com

I ran this command:

certbot certonly --webroot --dry-run -w C:\Apache24\htdocs\brisray -d brisray.com -d www.brisray.com -w C:\Apache24\htdocs\hmsgambia -d hmsgambia.org -d www.hmsgambia.org -w C:\Apache24\htdocs\icehouseoffroad -d ihor4x4.com -d www.ihor4x4.com

It produced this output:

Simulating renewal of an existing certificate for brisray.com and 5 more domains
The dry run was successful.

My web server is (include version): Apache 2.4.54 (Apache Haus Windows version)

The operating system my web server runs on is (include version): Windows 10 Home

My hosting provider, if applicable, is: Me!

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.6.0

I run a home server hosting three sites, all are accessible using www. or not. I may have made a mistake using Certbot and not one of the specific Windows clients, but here I am.

The automatic PowerShell task script does not work without asking me which program I want to run it in, so I disabled it.

I just wait until I get the email notification that there's 19 days left before the certificate (a single certificate for the domains) runs out. I stop Apache, run certbot renew, then restart Apache.

I want to automate what I do, preferably without stopping the server. If necessary I can write a PowerShell script to stop the server, run Certbot and then restart the server. I could also write a script to see if the certificates are close to running out.

Before I run it without --dry-run, I have a few questions about using certbot certonly --webroot ...

  1. Will it automatically check if the current certificate is close to its expiry date?

  2. Am I going to get 1 certificate (as I currently do) or get 3 or 6 separate ones?

  3. Apache currently points to the certbot/live folder symlinks. When I get the new certificates, will Apache need to be restarted to make use of them?

  4. I recently upgraded from Certbot 1.32.0 to 2.6.0 and now it's asking me if I want to change from RSA to ECDSA. I take it this is a good thing, but will it make a difference to Apache and my installation?

1 Like

Welcome to the community @brisray Terrific first post.

  1. You run certbot renew on a schedule to renew all your certs. It checks for expiry and by default renews 30 days before expiry. And, certbot renew --dry-run tests it
  2. Yes, 1 cert for each certbot command
  3. Yes, Apache needs at least a graceful reload (not a restart) to get fresh cert
  4. ECDSA is generally a good thing unless you have specific requirements for an RSA cert

Adding on to #3, you could use the certbot option --deploy-hook to run the command to reload Apache. If you use this option when you request the cert (certonly webroot) it will store that in the renewal conf file for use by the certbot renew command

3 Likes
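The --deploy-hook Mike mentions can do the graceful reload and then prove it worked. The script below is an added example, not code from this thread or from Certbot. It assumes Apache is installed in C:\Apache24 and that the hook is saved as C:\Certbot\hooks\reload-apache.ps1 (both assumptions; the thread never states the Apache path). Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS in the hook's environment, and the script uses them to check that the certificate Apache now serves on 443 is the one just issued, rather than trusting that the restart picked it up.

```powershell
#Requires -RunAsAdministrator
# reload-apache.ps1 -- certbot deploy hook for Apache on Windows (added example, not from the thread).
# Wire it in once on the certonly command; certbot stores the hook in the renewal conf,
# so every later "certbot renew" runs it after a successful renewal:
#   certbot certonly --webroot -w C:\Apache24\htdocs\brisray -d brisray.com -d www.brisray.com ... `
#     --deploy-hook "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Certbot\hooks\reload-apache.ps1"
# Assumptions: Apache lives in C:\Apache24 (not stated in the thread). Certbot provides
# RENEWED_LINEAGE (e.g. C:\Certbot\live\brisray.com) and RENEWED_DOMAINS (space separated).
$httpd = 'C:\Apache24\bin\httpd.exe'

# 1. Syntax-check first. A restart on a broken config takes the site down, and certbot
#    would still have reported the renewal itself as a success.
& $httpd -t
if ($LASTEXITCODE -ne 0) { throw 'httpd -t failed; not restarting Apache' }

# 2. Graceful restart. On Windows, httpd -k restart lets in-flight requests finish while the
#    parent re-reads its config and opens the new files behind the live\ paths.
& $httpd -k restart
if ($LASTEXITCODE -ne 0) { throw 'httpd -k restart failed' }
Start-Sleep -Seconds 3   # give the new child process a moment to bind 443

# 3. Prove the served certificate is the renewed one. Connect to the local listener and send
#    the site name as SNI, so a home router that cannot hairpin to the public address is not
#    in the path. The validation callback returns $true: we want to read the cert, not trust it.
$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$env:RENEWED_LINEAGE\cert.pem")
foreach ($name in ($env:RENEWED_DOMAINS -split '\s+' | Where-Object { $_ })) {
    $tcp = [System.Net.Sockets.TcpClient]::new('127.0.0.1', 443)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($name)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    if ($served.Thumbprint -ne $expected.Thumbprint) {
        throw "$name still serves the old certificate (expires $($served.NotAfter)); check that VirtualHost's SSLCertificateFile"
    }
    Write-Output "$name serves the renewed certificate, expires $($served.NotAfter)"
}
```

A non-zero exit from the hook shows up in certbot's output and in C:\Certbot\log\letsencrypt.log, which is the signal to look at; the certificate files on disk are already renewed at that point, so the failure is in Apache's side, not in issuance.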

No. You run certbot renew frequently and it will renew as needed (per my prior post). The expiry warning emails are sent on a 'best efforts' basis and should not be relied as a renewal trigger.

And, do not stop Apache before a webroot request. Webroot relies on an active web server to work.

3 Likes

I ran a whole series of commands with --run-only to see what would happen. I can't run the renew or standalone commands without stopping the server. Certbot on Windows, at least mine, can't run those because it needs port 80 free.

I'm just being a Nervous Nellie, but I'd like to know what to expect when it's time to renew this certificate using the command line that seems to work.

The --standalone is very different than the command you showed in your first post.

Standalone does indeed use port 80 to satisfy the challenge. The certonly webroot command you showed relies on an active web server so Apache should keep running.

The renew only acts on cert renewal files in the \certbot\renewal folder. If you at one time got a cert using standalone then the renew would act on that. But, once you get a cert with webroot then leave Apache running.

Check all your configured certs with certbot certificates. Maybe you have a stray that used standalone in a renewal config file? Use certbot delete --cert-name (name) to remove it but only once you are not using any live cert in apache.

4 Likes

Thank you for that Mike.

I tried all sorts of commands before asking for help, most I didn't mention because they didn't work. The command line I posted is the one that didn't come up with errors with the server running. Here's what I tried and the results I got.

Here's the text file I made for myself:

From User Guide — Certbot 2.6.0 documentation
All run with the -v switch to get details.

  1. certbot renew --dry-run

Processing C:\Certbot\renewal\brisray.com.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Simulating renewal of an existing certificate for brisray.com and 5 more domains
Performing the following challenges:
http-01 challenge for brisray.com
http-01 challenge for hmsgambia.org
http-01 challenge for ihor4x4.com
http-01 challenge for www.brisray.com
http-01 challenge for www.hmsgambia.org
http-01 challenge for www.ihor4x4.com
Cleaning up challenges
Failed to renew certificate brisray.com with error: Problem binding to port 80: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions


All simulated renewals failed. The following certificates could not be renewed:
C:\Certbot\live\brisray.com\fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

or

  2. certbot --standalone --dry-run

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Users\brisr\AppData\Local\Temp\certbot-log-fao4d9g7\log or re-run Certbot with -v for more details.

or

  3. certbot renew --webroot --dry-run

Processing C:\Certbot\renewal\brisray.com.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for brisray.com and 5 more domains
Performing the following challenges:
http-01 challenge for brisray.com
http-01 challenge for hmsgambia.org
http-01 challenge for ihor4x4.com
http-01 challenge for www.brisray.com
http-01 challenge for www.hmsgambia.org
http-01 challenge for www.ihor4x4.com
Cleaning up challenges
Failed to renew certificate brisray.com with error: Missing command line flag or config entry for this setting:
Input the webroot for brisray.com:


All simulated renewals failed. The following certificates could not be renewed:
C:\Certbot\live\brisray.com\fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

or

  4. certbot --standalone

With the standalone plugin, you probably want to use the "certonly" command, eg:

certbot certonly --standalone

(Alternatively, add a --installer flag. See User Guide — Certbot 2.6.0 documentation
and "--help plugins" for more information.)

or

  5. certbot renew --apache --dry-run

Processing C:\Certbot\renewal\brisray.com.conf


Certificate not due for renewal, but simulating renewal for dry run
Failed to renew certificate brisray.com with error: The requested apache plugin does not appear to be installed


All simulated renewals failed. The following certificates could not be renewed:
C:\Certbot\live\brisray.com\fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

or

  6. certbot --standalone --apache --dry-run

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

or

  7. certbot certonly --webroot --apache --dry-run

Too many flags setting configurators/installers/authenticators 'apache' -> 'webroot'

or

  8. certbot certonly --webroot --dry-run

Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): brisray.com www.brisray.com hmsgambia.org www.hmsgambia.org ihor4x4.com www.ihor4x4.com
Simulating renewal of an existing certificate for brisray.com and 5 more domains
Input the webroot for brisray.com: (Enter 'c' to cancel): C:\Apache24\htdocs\brisray

Select the webroot for hmsgambia.org:


1: Enter a new webroot
2: C:\Apache24\htdocs\brisray


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Input the webroot for hmsgambia.org: (Enter 'c' to cancel): C:\Apache24\htdocs\hmsgambia

Select the webroot for ihor4x4.com:


1: Enter a new webroot
2: C:\Apache24\htdocs\hmsgambia
3: C:\Apache24\htdocs\brisray


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Input the webroot for ihor4x4.com: (Enter 'c' to cancel): C:\Apache24\htdocs\icehouseoffroad

Select the webroot for www.brisray.com:


1: Enter a new webroot
2: C:\Apache24\htdocs\icehouseoffroad
3: C:\Apache24\htdocs\hmsgambia
4: C:\Apache24\htdocs\brisray


Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4

Select the webroot for www.hmsgambia.org:


1: Enter a new webroot
2: C:\Apache24\htdocs\brisray
3: C:\Apache24\htdocs\icehouseoffroad
4: C:\Apache24\htdocs\hmsgambia


Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4

Select the webroot for www.ihor4x4.com:


1: Enter a new webroot
2: C:\Apache24\htdocs\hmsgambia
3: C:\Apache24\htdocs\brisray
4: C:\Apache24\htdocs\icehouseoffroad


Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4
The dry run was successful.

The above works without stopping Apache but am I going to get 1 SAN certificate or 6 separate ones?
Does it check if the certificates need renewing?
Does Apache need restarting to get the new certificates?

So try this to get everything on one line:

  9. certbot certonly --webroot --dry-run -w C:\Apache24\htdocs\brisray -d brisray.com -d www.brisray.com -w C:\Apache24\htdocs\hmsgambia -d hmsgambia.org -d www.hmsgambia.org -w C:\Apache24\htdocs\icehouseoffroad -d ihor4x4.com -d www.ihor4x4.com

It works!

Simulating renewal of an existing certificate for brisray.com and 5 more domains
The dry run was successful.

As noted the --standalone option requires the use of port 80. You previously got a cert using that option so the renew is trying it again. You can correct this by using your command from post #1 for this same cert. Once it is successful it will overwrite the renewal conf file with these new options so that certbot renew works with apache running.

Yes, --standalone has been well described in this thread. Is there something you don't understand?

The --webroot option requires a --webroot-path (or -w) value.

Again, standalone

  5. You cannot use --apache with --dry-run (that plug-in does not support --dry-run)
  6. You cannot mix different authenticators. You tried --standalone and --apache
  7. Same as #6 you mixed --webroot and --apache
  8. Yes, that's the command you used in post #1 with all options on the command line.

Note: the Windows version of Certbot does not include support for the --apache plug-in anyway.

RECAP: Running the command in your first post without --dry-run will get a new cert using the --webroot method. You will need to gracefully reload Apache after. The renewal config file will be updated with this method to allow the certbot renew to work. Test that after with certbot renew --dry-run

You might benefit from spending some time with the Certbot docs. Or, switching to a friendlier ACME client. Certify The Web is a gui designed for Windows and many people find it easy to use.

3 Likes

The recap is great. My home "Server in the Cellar" has been running for exactly 20 years on June 7, so it's not like I'm not used to configuring things and writing scripts. But I only started using SSL certificates last October and only got round to thinking about automating it yesterday.

1 Like

This is what I came up with:

When Certbot is installed it creates a task in the scheduler to look for new certificates and download any new ones twice a day. The command in Task Manager is:

Powershell.exe -NoProfile -WindowStyle Hidden -Command "certbot renew"

The command does not work. Whenever it runs, Windows pops up a notification asking what to do with the file:

One way to get this to work properly is to stop Apache, run certbot renew, then restart the server.

Here's a PowerShell script that will do that (the lines starting with # are just comments in what I wrote):

#Requires -RunAsAdministrator
New-Variable -Name serviceName -Value 'Apache2.4' -Option Constant
Write-Output "Stopping Apache"
Stop-Service -Name $serviceName
$service = Get-Service -Name $serviceName
$service.WaitForStatus('Stopped')
Write-Output "Apache is stopped"

# The lines below work and wait for certbot to finish before restarting Apache
# Uncomment any 1 of the 3 following lines - they all work (the third one is left active here)
# certbot.exe renew
# Invoke-Expression -Command "certbot.exe renew"
Start-Process -FilePath "certbot.exe" -ArgumentList "renew" -Wait

Write-Output "Apache is restarting"
Start-Service -Name $serviceName
$service.WaitForStatus('Running')
Write-Output "Apache has restarted"
Exit

If you prefer, here's a plain batch file that works. It works because net waits until the service is stopped before carrying on to the next line.

net stop Apache2.4
certbot.exe renew
net start Apache2.4

The PowerShell script or batch file must be run as an administrator to work. You may need to change the name of the service to be stopped, for example from Apache2.4 to httpd

As a reminder the certbot commands should all be on one line, and the scripts need to be run with administrator privileges. Another method that works is to use certbot certonly --webroot

Unlike the previous script where there were three command choices to run Certbot, there is only one method I found that worked for this:

Start-Process -FilePath "certbot.exe" -ArgumentList "certonly --webroot -w C:\Apache24\htdocs\brisray -d brisray.com -d www.brisray.com -w C:\Apache24\htdocs\hmsgambia -d hmsgambia.org -d www.hmsgambia.org -w C:\Apache24\htdocs\icehouseoffroad -d ihor4x4.com -d www.ihor4x4.com" -wait
Restart-Service -Name Apache2.4
Exit

In the above version, the root of each domain (-w) has to be given along with the domains (-d) for that root. It also does not appear to check if the certificates are near their expiry date.

If you prefer, here's a plain batch file that works. There is no net restart command, so net stop is followed by a net start.

certbot certonly --webroot -w C:\Apache24\htdocs\brisray -d brisray.com -d www.brisray.com -w C:\Apache24\htdocs\hmsgambia -d hmsgambia.org -d www.hmsgambia.org -w C:\Apache24\htdocs\icehouseoffroad -d ihor4x4.com -d www.ihor4x4.com
net stop Apache2.4
net start Apache2.4

Graceful stopping and restarting on Windows is not the same as on a Linux machine. Some say using the -k switch has led to Apache hanging while others say that versions compiled for Windows always do things gracefully depending on where the version came from.
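The scheduled task that was disabled at the top of this post can be repaired instead. The script below is an added example, not from the thread or from Certbot's installer. The task name and the default install location C:\Program Files\Certbot\bin\certbot.exe are assumptions, so it finds the task by the "certbot renew" action quoted above and the executable via Get-Command, then runs the task once and reads the result back.

```powershell
#Requires -RunAsAdministrator
# fix-certbot-task.ps1 -- point the Certbot scheduled task straight at certbot.exe (added example).
# Assumptions (not from the thread): the task the installer created still carries the action
# quoted above ("powershell.exe ... certbot renew"), and certbot.exe is either on PATH or at the
# default install path below.
$certbotExe = (Get-Command certbot.exe -ErrorAction SilentlyContinue).Source
if (-not $certbotExe) { $certbotExe = 'C:\Program Files\Certbot\bin\certbot.exe' }
if (-not (Test-Path $certbotExe)) { throw "certbot.exe not found; set `$certbotExe to its full path" }

# Locate the task by what it runs rather than by name, so a renamed task is still found.
$task = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Arguments -match 'certbot\s+renew' }
} | Select-Object -First 1
if (-not $task) { throw 'No scheduled task with a "certbot renew" action was found' }
Write-Output "Found task '$($task.TaskName)' in $($task.TaskPath)"

# Replace the PowerShell wrapper with the executable's full path. Whatever the bare word
# "certbot" resolved to when the task ran and produced the "which program" prompt, naming
# the .exe directly removes that lookup. Triggers and the run-as account are left as they were.
$action = New-ScheduledTaskAction -Execute $certbotExe -Argument 'renew'
Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Action $action | Out-Null

# Fire it once and read the result back. LastTaskResult 0 means certbot exited cleanly;
# a certificate that is "not yet due for renewal" still exits 0.
Start-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
do {
    Start-Sleep -Seconds 5
    $state = (Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath).State
} while ($state -eq 'Running')
$info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
Write-Output "Last run $($info.LastRunTime), result code $($info.LastTaskResult)"
Get-Content -Path 'C:\Certbot\log\letsencrypt.log' -Tail 5   # log path as printed by certbot earlier in the thread
```

Once the renewal conf uses --webroot (the point Mike makes above), this task is all that is needed: it runs twice a day, certbot decides whether anything is due, and Apache stays up throughout.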

Did you happen to install Apache after you had already obtained a cert via certbot?
OR
Did you have to shutdown Apache for certbot to get a cert initially?

2 Likes

The server had been running for years but it was only recently I thought I should do something about HTTPS.

I had to stop the Apache service, open a command prompt as administrator and run certbot certonly --standalone

Then I just followed the prompts.

Everything I've done for this so far such as altering the DNS records, serving HTTP requests over HTTPS and the rest I've put on "Installing SSL Certificates in Apache on Windows"

It might help someone else, it will certainly help me if I have to do this again.

Certbot and Apache can't both use HTTP port 80 at the same time.
You have choices:

  • stop Apache to run certbot --standalone [NOT IDEAL]
  • don't use Apache for HTTP [NOT IDEAL]
  • use Apache as an HTTP proxy for the challenge requests to certbot [GOOD]
    this requires setting certbot to use some other [unused] port [above 1024] and proxying to that port

Do you know how to use Apache as a "reverse proxy"?
If not, it is worth the learn.

2 Likes
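rg305's third option spelled out, as an added example that is not from the thread: Apache keeps port 80 and forwards only the ACME challenge path to certbot, which is told to listen on a high port with --http-01-port. Assumptions: Apache in C:\Apache24 with the mod_proxy and mod_proxy_http modules that ship with the build, port 8080 free, and certbot on PATH. Mike's point still stands: --webroot is the simpler choice when Apache already serves the document roots; the proxy route is for a setup where a webroot cannot be used.

```powershell
#Requires -RunAsAdministrator
# acme-proxy-setup.ps1 -- let certbot --standalone answer challenges while Apache keeps port 80.
# Added example, not from the thread. Assumes Apache in C:\Apache24, mod_proxy/mod_proxy_http
# present in modules\, and certbot on PATH.
$apacheRoot  = 'C:\Apache24'
$certbotPort = 8080   # any free port above 1024; certbot listens here instead of :80

# Apache forwards only the ACME challenge path to certbot; everything else is served as before.
# ProxyPreserveHost keeps the original Host header so the validator sees the requested name.
# If httpd.conf already loads these two modules, Apache logs a "already loaded, skipping" warning.
$conf = @"
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyPreserveHost On
ProxyPass        "/.well-known/acme-challenge/" "http://127.0.0.1:$certbotPort/.well-known/acme-challenge/"
ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:$certbotPort/.well-known/acme-challenge/"
"@
Set-Content -Path "$apacheRoot\conf\extra\acme-proxy.conf" -Value $conf -Encoding Ascii

# httpd.conf must Include the file exactly once; append the Include only if it is missing.
$httpdConf = "$apacheRoot\conf\httpd.conf"
if (-not (Select-String -Path $httpdConf -Pattern 'conf/extra/acme-proxy.conf' -SimpleMatch -Quiet)) {
    Add-Content -Path $httpdConf -Value 'Include conf/extra/acme-proxy.conf'
}

# Validate before touching the running server, then graceful restart so the proxy rules are live.
& "$apacheRoot\bin\httpd.exe" -t
if ($LASTEXITCODE -ne 0) { throw 'httpd -t failed; fix httpd.conf before restarting' }
& "$apacheRoot\bin\httpd.exe" -k restart
if ($LASTEXITCODE -ne 0) { throw 'httpd -k restart failed' }

# Standalone now binds $certbotPort, not 80, so Apache never has to stop. Keep --dry-run until
# the challenge round-trips through the proxy, then drop it for the real request.
certbot certonly --standalone --http-01-port $certbotPort --dry-run `
  -d brisray.com -d www.brisray.com -d hmsgambia.org -d www.hmsgambia.org -d ihor4x4.com -d www.ihor4x4.com
```

The ProxyPass lines sit in the main server config so that, with Apache 2.4's default ProxyPassInherit, every name-based VirtualHost picks them up; a per-site override would otherwise need the same two lines in each <VirtualHost *:80> block. The real (non --dry-run) run records the authenticator and port in the renewal conf, so later certbot renew calls use the same path.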

Again, using --standalone is not recommended when you have an available web server. It is far better to use --webroot so that you do not have to stop Apache

3 Likes

There's lot of things I should be doing to and for my little home server.

You are absolutely right Mike I shouldn't have used --standalone to get the certificates in the first place. There are better ways of doing it, but it was what worked for me after skimming through the documentation.

It was only after starting to use it that I realized Certbot wasn't really made for Apache on Windows. But support is getting better, it's quick and it works.

@rg305 is also right. I should be using Docker containers, use a reverse proxy, CloudFlare and all the rest, but I doubt I'll ever get round to that. It's the standard answer to almost everything on Reddit's r/selfhosted and why I stopped reading it.

What I really should have done is pay for hosting somewhere and let them worry about installation, SSL certificates, security, DNS, load balancing, proxies and all the rest. It would probably even have been cheaper than paying for the electricity I've used keeping the various computers I've used as servers going 24/7.

What I was hoping for was some way for me to renew the certificate without having to restart Apache using Certbot. Renew can't do it because Certbot needs access to port 80, and from Mike's first reply, it seems certonly --webroot can't do it either because it needs to register the new certificates.

I'll have to do some more reading. There doesn't seem a way for Apache on Windows to do a reload without a restart. What I've read on places like ServerFault and SitePoint seems to end up with "on Linux you can...." Interesting but useless to me.

I hope I don't come across as being rude because I really do appreciate your time and sharing your knowledge.

1 Like

You have completely misunderstood what I said.

If you used the command in your first post without --dry-run it will obtain a fresh cert and update the renewal config file with the --webroot option. Subsequent certbot renew will use that same --webroot option going forward.

This does not require Apache to be stopped/started as you have to with --standalone.

I don't know how else to describe this. It's a shame that you may even propagate this faulty understanding in that blog of yours you provided a link for in this thread.

4 Likes

Yes, I completely misunderstood what you originally said, and I have to thank you for your patience. That really is good of you.

The page is now being rewritten with my new understanding.

2 Likes

You are very welcome. Let us know if you'd like a critique of your blog when it's finished.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.