What config does certbot handle?


#1

We run a server with Ubuntu 14.04 running in an LXContainer. We have a FPM-Suexec setup with configuration split up into individual config files for each user, all in /etc/apache2/sites-available . Until now, we used start.com certificates and did everything manually.

The keys are already there, also in this directory, as are the existing certs and intermediary files.

Now, the instructions just say that we have to download and run the installer script and then fire up certbot, but it does not explain what certbot is actually going to do and what kind of config it can handle. I am a bit reluctant to just give it a try, as this is going to affect a number of users.

So can anyone point me to some technical documentation explaining what kind of setup certbot expects and what it will do?

Thank you very much in advance!

Y


#2

certbot is generally capable of parsing your existing configuration files and changing them as needed, including configurations where SSL is already enabled. certbot would change the relevant SSL directives (such as the path to keys and certificates) automatically.

There are certain areas where the apache plugin is stricter than apache’s own configuration parser, or where it behaves slightly differently, or doesn’t understand the configuration. There’s no documentation for these cases as such, but you can get a general idea of what it can and cannot handle by looking at the test cases here (the “failing” and “passing” subdirectories contain sample configuration files). Generally, if your configuration doesn’t stray too far from what you’d see on a fresh apache installation with SSL on a mainstream Linux distribution, you’ll be fine.

That said, the apache plugin is still beta-quality software, so I would personally not run it against a production server without further testing. Your options range from setting up a second server and gradually migrating domain by domain to using one of the certbot plugins that do not modify your apache configuration, such as the webroot plugin, where you’d remain in charge of enabling and configuring SSL.
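As an added pre-flight check (example code, not from this thread or from certbot itself), the script below parses the kind of per-user vhost files described in the question and reports, for each SSL vhost, the directives certbot's apache plugin would rewrite and any referenced certificate or key file that does not exist on disk; the sample vhost, hostnames and file paths are constructed.

```python
import os
import re

# Constructed sample of one per-user vhost file from sites-available, as in the
# question: a plain :80 vhost plus a :443 vhost with manually configured SSL.
SAMPLE_VHOST = """
<VirtualHost *:80>
    ServerName user1.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName user1.example.com
    ServerAlias www.user1.example.com
    SSLCertificateFile /etc/apache2/sites-available/user1.crt
    SSLCertificateKeyFile /etc/apache2/sites-available/user1.key
    SSLCertificateChainFile /etc/apache2/sites-available/intermediate.pem
</VirtualHost>
"""

# The SSL directives the apache plugin rewrites when it installs a certificate.
SSL_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Return one dict per <VirtualHost>: listen address, hostnames, SSL file paths."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        vh = {"addr": m.group(1).strip(), "names": [], "ssl": {}}
        for line in m.group(2).splitlines():
            parts = line.split(None, 1)  # "Directive value", leading whitespace dropped
            if len(parts) != 2 or parts[0].startswith("#"):
                continue
            key, val = parts[0], parts[1].strip()
            if key in ("ServerName", "ServerAlias"):
                vh["names"].extend(val.split())
            elif key in SSL_DIRECTIVES:
                vh["ssl"][key] = val
        vhosts.append(vh)
    return vhosts

def audit(vhosts, exists=os.path.exists):
    """Per SSL vhost: hostnames, directives certbot would rewrite, missing files."""
    report = []
    for vh in vhosts:
        if not vh["ssl"]:
            continue  # plain HTTP vhost: nothing for the installer to touch
        missing = sorted(k for k, p in vh["ssl"].items() if not exists(p))
        report.append({"names": vh["names"], "rewrites": sorted(vh["ssl"]), "missing": missing})
    return report
```

Run it over every file in sites-available before letting the apache plugin loose; a vhost with entries in `missing` is one the plugin is likely to choke on, and the webroot plugin (with you editing the directives by hand) is the safer route for it.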


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.