I am new to SSL and Let's Encrypt, so I created a certificate manually on my desktop (Ubuntu 16.04) to understand the process, then uploaded the certificates to my server, and all went smoothly. I feel safe doing things this way, and it would be awesome if there were a way to automate it, I mean using a desktop or another server to generate all the certificates and then upload them to the correct servers without giving root access to certbot. I know this is hard work and maybe not even safe, so I will just close my eyes and trust certbot for now (maybe this should be a discussion for another thread, or not even a thread at all).
So I have decided to go for certbot after understanding the manual process. Once again everything went smoothly. I also tried --dry-run and --force-renew, and the certificates were renewed without any problem. Now what I find really weird is that I had to change my Apache config, and the certificates still renew when I think they were not supposed to.
My config is the following:
- Nginx passes the requests to Apache
- Apache was serving /var/www/domain.com
- certbot was configured this way: certbot certonly --webroot -w /var/www/domain.com -d domain.com -d www.domain.com --non-interactive
- certbot would try to create /.well-known/etc…
- certbot will try to request this file through http://domain.com/.well-known/etc…
- to create the certificate I tested this with --dry-run and everything was making sense
- now I have changed Apache to serve /var/www/domain.com/public
- the renew is still working??? How? The /.well-known/ directory is being created in a place where it is not visible to the public… I really don’t get this…
The documentation of Let's Encrypt is very good in general, but I feel that most people will install certificates without any clue of what they are doing. I think it would increase the confidence of all users even more if the idea were explained step by step, and if more options were given for certbot not to have root access but still be automated (but again, I don’t know if this is possible).
And I must say that this initiative is excellent, and I congratulate the Let's Encrypt team.
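The post's webroot setup depends on one assumption: that a file certbot writes under /var/www/domain.com/.well-known/acme-challenge/ is the file a client receives at http://domain.com/.well-known/acme-challenge/. When the Apache document root changes (as in the post, to /var/www/domain.com/public), that mapping is exactly what can silently break. The script below is an added example, not code from the original post or from certbot, that checks the mapping the same way the challenge does: it writes a probe file into the challenge directory, fetches it over plain HTTP, and compares the body. The function names, the probe token format and the two placeholder arguments (webroot path and domain) are the example's own assumptions; run it before relying on a renewal rather than after a failed one.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): verify that a
# webroot directory is actually served at the ACME challenge URL.
# Usage: probe_webroot /var/www/domain.com domain.com   (both are placeholders)

# Write a probe file into <webroot>/.well-known/acme-challenge/, the same
# location certbot --webroot uses, and print the token that names it.
write_probe() {
  webroot="$1"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  # Constructed token: unique enough for a probe, no secret value involved.
  token="webroot-probe-$$-$(date +%s)"
  printf '%s' "$token" > "$dir/$token" || return 1
  printf '%s\n' "$token"
}

# Fetch the probe over HTTP (the ACME HTTP-01 challenge uses port 80) and
# succeed only if the body is exactly the token we wrote.
check_served() {
  domain="$1"
  token="$2"
  body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token") || return 1
  [ "$body" = "$token" ]
}

# Remove the probe file so nothing is left behind in the challenge directory.
cleanup_probe() {
  rm -f "$1/.well-known/acme-challenge/$2"
}

# Full check: returns 0 when the webroot is reachable at the challenge URL,
# 1 when the fetch fails or returns something else, 2 when the webroot is
# not writable (certbot would fail at the same step).
probe_webroot() {
  webroot="$1"
  domain="$2"
  token=$(write_probe "$webroot") || {
    echo "ERROR: cannot write to $webroot/.well-known/acme-challenge" >&2
    return 2
  }
  if check_served "$domain" "$token"; then
    echo "OK: $webroot is served at http://$domain/.well-known/acme-challenge/"
    rc=0
  else
    echo "MISMATCH: http://$domain/.well-known/acme-challenge/$token did not return the probe;" >&2
    echo "          check the Apache/Nginx document root or add an alias for /.well-known/" >&2
    rc=1
  fi
  cleanup_probe "$webroot" "$token"
  return $rc
}

# Run the check when invoked with two arguments; do nothing when sourced.
if [ $# -eq 2 ]; then
  probe_webroot "$1" "$2"
fi
```

A MISMATCH here means the directory certbot writes to is no longer the one the web server exposes, which is the situation the post describes after the document root moved to /public; a renewal attempt that has to perform the challenge again would then fail.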