This question is regarding Certbot + Nginx and Apache. I’ll try to make this question concise, but it can be a bit hard, as the issue may not be entirely straightforward.
We are a VPS provider and have integrated Certbot in such a way that users can trigger certificate generation from our dashboard. We had no problems for a long time, but now certain issues have cropped up with Apache, which has made us realize that maybe our approach is not the best one.
We are doing things very simply: The user sets one or more domains which get set in the virtual host configuration of their webserver. We then run Certbot against the same domain list and force redirects.
The user can enter any domains they want. Now, this worked just fine and still works perfectly for Nginx, but recently Certbot makes a right mess of the Apache virtual host files if Certbot is run multiple times.
Meaning, if a user has generated certs once and then runs Certbot again, it usually fails with messages that it cannot set up redirects automatically, and frankly turns the virtualhost files into a crazy mess, which may even take the webserver down.
This made us think that maybe we had got off on the wrong foot all along. What we are thinking we might need to do actually is:
- Roll back (and maybe revoke?) any existing certificates installed on the server, so that certs are cleaned out and the vhost config is in a clean state
- Then run Certbot normally
“Problem” is that this workflow can get very complex if we need to save information regarding which certificates were generated and build custom logic to do rollbacks. This gets further compounded by the fact that our users have root access to their server, and can have messed around with config files in unexpected ways.
We have been searching forums and Github, but it is hard to get clear and concise information on the recommended workflow here!
We would prefer if Certbot was intelligent enough that we could just issue a rollback/revoke command before generating new certs - or that it was clever enough not to cause the breakage we are seeing (maybe I’m crossing into Github issue territory here, really). This would keep things simple, as in: We would not need to know anything about the current state of the server, but just issue a new cert generation on the basis of the new domain list.
So… In the end the question is simple, really, instead of just setting domains in the main vhost config and running the same command every time against the server:
certbot --webroot-path /var/www/html --authenticator webroot --installer apache|nginx --expand --non-interactive --agree-tos --email=user@mail.com --domains userdomain.com,www.userdomain.com,whatever.io --redirect
Are there other magic commands / workflow we should be using first?
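As an added illustration (not part of the original post, and not Certbot's own tooling), the wrapper below takes the exact command line from the post and surrounds it with the safeguards a provider running it unattended would want: the web server's vhost directory is copied aside first, the challenge is rehearsed against the staging environment with `certbot certonly --dry-run` (which validates the webroot challenge but does not touch the vhost files, since `--dry-run` is not available for the installer step), and if the real run then fails the saved configuration is put back so the site keeps serving. The directory names (`CONF_DIR`, `BACKUP_ROOT`) and the `run` entry point are hypothetical assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: run the poster's certbot command
# with a configuration backup, a staging dry run, and rollback on failure.
# Assumptions (hypothetical): the vhost files live under a single directory,
# backups fit under BACKUP_ROOT, and the installer name is "apache" or "nginx".
set -eu

# The command line from the post, assembled from an installer name, a
# comma-separated domain list and a contact address. Printed, not executed.
build_certbot_cmd() {
    installer="$1"   # apache or nginx
    domains="$2"     # e.g. userdomain.com,www.userdomain.com
    email="$3"
    printf 'certbot --webroot-path /var/www/html --authenticator webroot --installer %s --expand --non-interactive --agree-tos --email=%s --domains %s --redirect' \
        "$installer" "$email" "$domains"
}

# Rehearsal against the staging CA: same webroot authenticator and domains,
# but certonly plus --dry-run, so nothing is saved and no vhost is edited.
build_dry_run_cmd() {
    domains="$1"
    email="$2"
    printf 'certbot certonly --webroot-path /var/www/html --authenticator webroot --dry-run --non-interactive --agree-tos --email=%s --domains %s' \
        "$email" "$domains"
}

# Copy the vhost configuration directory to a timestamped backup directory
# and print the path of that backup.
backup_config() {
    conf_dir="$1"
    backup_root="$2"
    dest="$backup_root/vhost-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest"
    cp -Rp "$conf_dir/." "$dest/"
    printf '%s' "$dest"
}

# Replace the live configuration directory with the contents of a backup.
restore_config() {
    backup="$1"
    conf_dir="$2"
    rm -rf "$conf_dir"
    mkdir -p "$conf_dir"
    cp -Rp "$backup/." "$conf_dir/"
}

# Full sequence: back up, rehearse, run for real, roll back on failure.
issue_with_backup() {
    installer="$1"; domains="$2"; email="$3"; conf_dir="$4"; backup_root="$5"
    backup=$(backup_config "$conf_dir" "$backup_root")
    if ! $(build_dry_run_cmd "$domains" "$email"); then
        echo "dry run failed; configuration untouched, backup kept at $backup" >&2
        return 1
    fi
    if ! $(build_certbot_cmd "$installer" "$domains" "$email"); then
        echo "issuance failed; restoring $conf_dir from $backup" >&2
        restore_config "$backup" "$conf_dir"
        return 1
    fi
    echo "certificates issued; backup kept at $backup"
}

# Entry point (hypothetical): ./wrapper.sh run apache a.com,www.a.com me@x.com \
#     /etc/apache2/sites-available /var/backups/vhosts
if [ "${1:-}" = "run" ]; then
    issue_with_backup "$2" "$3" "$4" "$5" "$6"
fi
```

Before deciding whether to roll back or revoke anything, `certbot certificates` lists the lineages already on the server, which is the state the post says the dashboard currently has no record of; keeping the backup path in the dashboard's log gives a known-good configuration to return to when a user has edited the vhost files by hand.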