Trouble Automatically Renewing With a Script


#1

Hey Everybody!

I have a bit of a unique situation, and could use some help.

For my web app, I have ~30 clients who all get their own branded version of the same website. They point a subdomain at my IP address, and we brand the site based on the incoming URL. I have already manually installed a Cert for each client, and that means that my default-ssl.conf file looks like this:

```apache
<VirtualHost $Internal_IP:443>
    ServerAdmin webmaster@localhost
    ServerName mainurl.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mainurl.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mainurl.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mainurl.com/chain.pem
</VirtualHost>

<VirtualHost $Internal_IP:443>
    ServerName subdomain.client1.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/subdomain.client1.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.client1.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/subdomain.client1.com/chain.pem
</VirtualHost>

<VirtualHost $Internal_IP:443>
    ServerName subdomain.client2.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/subdomain.client2.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.client2.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/subdomain.client2.com/chain.pem
</VirtualHost>
```

So when I run:

```
./letsencrypt-auto renew --dry-run --agree-tos
```

I get a lot of these errors:

```
WARNING:letsencrypt.cli: Attempting to renew cert from /etc/letsencrypt/renewal/subdomain.client1.com.conf produced an unexpected error: Failed to run Apache plugin non-interactively Missing command line flag or config entry for this setting: We were unable to find a vhost with a ServerName or Address of subdomain.client1.com. Which virtual host would you like to choose? Choices: [ 'test-conf.txt | subdomain.client22.com | HTTPS | ', 'apps.vhost | | | Enabled', '000-default.conf | | | Enabled', 'default-ssl.conf | subdomain.client20.com | HTTPS | Enabled', 'ispconfig.vhost | | HTTPS | Enabled', 'rtodev.com.vhost | Multiple Names | | Enabled'] (The best solution is to add ServerName or ServerAlias entries to the VirtualHost directives of your apache configuration files.). Skipping.
```

If I were doing this manually, I would choose default-ssl.conf. Two problems:

  1. There is already a ServerName for every cert I'm trying to renew.
  2. I would really like to not have to manually input the answer to this every time I have to renew a cert, but I cannot find the right flag. (Separate question: is there a list of flags for the le-auto script? Like a man page or something?)

#2

Hi @luketheterrible,

I think that is a bug, and I’ve filed this issue in our issue tracker about it.

Most users who are using our apache plugin are allowing it to configure the secure VirtualHosts for them instead of writing the file themselves (manually installing the cert for each client, as you said). So I think that’s why you see this error and other people don’t, but I would still regard it as a bug at least because the software didn’t explain why it was unable to find the appropriate VirtualHost automatically.

If you used a different plugin – webroot comes to mind – you would probably not have to deal with this particular issue for the time being, assuming that webroot is able to work properly with your configuration. That’s because webroot doesn’t need to parse your web server configuration at all in order to work.
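An added pre-flight check, not part of the thread and not certbot's own code, that does the matching schoen describes the apache plugin doing: it parses the `<VirtualHost>` blocks for ServerName/ServerAlias entries and reports which renewal domains have no matching vhost, plus any vhosts that carry no name at all (the case the error message's advice is aimed at). The sample config, the 10.0.0.5 address standing in for `$Internal_IP`, and the domain list are constructed; the regex parser assumes plain `<VirtualHost>` blocks and does not follow `Include` or `mod_macro` directives.

```python
import re

# Constructed sample in the style of the default-ssl.conf quoted above.
# 10.0.0.5 stands in for $Internal_IP; client2's vhost is deliberately absent
# and the last vhost deliberately has no ServerName or ServerAlias.
SAMPLE_CONF = """
<VirtualHost 10.0.0.5:443>
    ServerName mainurl.com
    ServerAlias www.mainurl.com
    SSLEngine on
</VirtualHost>
<VirtualHost 10.0.0.5:443>
    ServerName subdomain.client1.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(.+?)\s*$", re.M | re.I)

def vhost_names(conf_text):
    """Map every ServerName/ServerAlias (lower-cased) to its vhost address."""
    names = {}
    for addr, body in VHOST_RE.findall(conf_text):
        for value in NAME_RE.findall(body):
            for name in value.split():      # ServerAlias may list several names
                names[name.lower()] = addr.strip()
    return names

def unnamed_vhosts(conf_text):
    """Addresses of vhosts with neither ServerName nor ServerAlias; the plugin cannot match these."""
    return [addr.strip() for addr, body in VHOST_RE.findall(conf_text)
            if not NAME_RE.search(body)]

def missing_vhosts(conf_text, renewal_domains):
    """Renewal domains (the <domain> of /etc/letsencrypt/renewal/<domain>.conf) with no named vhost."""
    names = vhost_names(conf_text)
    return sorted(d for d in renewal_domains if d.lower() not in names)

if __name__ == "__main__":
    domains = ["mainurl.com", "subdomain.client1.com", "subdomain.client2.com"]
    print("no vhost for:", missing_vhosts(SAMPLE_CONF, domains))   # ['subdomain.client2.com']
    print("unnamed vhosts:", unnamed_vhosts(SAMPLE_CONF))          # ['*:443']
```

On a real host, feed it the concatenated contents of the sites-enabled files and the basenames of the renewal `.conf` files instead of the sample data.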


#3

Thank you, schoen!

I’ll look into using webroot and will track the ticket on Github.

Worst case scenario, I can just manually update the certs.