Home / server / Questions / 1046245
Accepted
usr-local-ΕΨΗΕΛΩΝ
Asked: 2020-12-16 03:43:40 +0800 CST

Certbot semi-manual operation

  • 772

I want to ask if it's possible to use Certbot for a semi-automated setup where the underlying infrastructure is controlled by me and not by Certbot.

I understand that Certbot will communicate with Let's Encrypt to issue a challenge, which is basically a token that Certbot will need to find at my IP address or my DNS.

I have full control of Apache server, but it is a very customized multi-hosting setup (SNI required!) and I don't want Certbot to mess up with my Apache configuration, neither to run as root. We will return to sudoers later.

I have already set up the hosting space for mta-sts.example.org, as I am implementing Mail Transfer Agent's Strict Transport Security

I have told Apache, using a macro, that /home/djechelon/srv/www/domains/mta-sts.example.org is my workspace

  • htdocs: content served over HTTP
  • htdocs-secure: content served over HTTPS
  • logs: Apache VHost logs
  • ssl: this is where mta-sts.example.org.{key,crt,ca_bundle?} exist

I would like to tell Certbot to do the following for me

  1. Obtain the challenge from LE
  2. Write the challenge to appropriate file under /home/djechelon/..../htdocs, and Apache is ready to serve it
  3. Ask LE to validate challenge, because Apache is ready to serve the challenge
  4. Write certificate to /home/djechelon/..../ssl/. If LE provides no ca_bundle no problem, it's optional on my place
  5. Issue Apache reload (there will likely be a sudoers setting soon)

I understood that I need to use the webroot plugin in this case, but I was struggling to find command line help for all options, including where to store the files and the certificates.

The documentation assumes that the process is interactive, so I would have to copy the challenge file manually and ask Certbot to contact LE for domain validation.

I believe that there should be a simple way to run the simple script above, which runs under the assumption that the overall IT infrastructure exists (e.g. you really want to run your own server software) and is well configured.

Any help?

[Edit] I managed to invoke this interactively for now

 certbot certonly --webroot -d mta-sts.example.org --preferred-challenges http --work-dir /home/djechelon/etc/letsencrypt --logs-dir /home/djechelon/letsencrypt-logs --config-dir /home/djechelon/etc/letsencrypt

Which asked me for the webroot dir and the email (something I would have loved to pass as a parameter for future renewals). So now the question may become "how do I rerun this in the future non interactively with cron?"

certbot

2 Answers

  1. Best Answer

    I wouldn't store the certificates under the user's home directory (/home/djechelon/..../ssl/) for the reason that if the user removes the certificate files, Apache fails to start. I agree with your reasoning that it's better if Certbot doesn't mess with the web server configuration, but currently it seems that you are effectually causing the same problem you are trying to avoid, and thus I'm trying to warn you.

    There's no reason to use the home directory for HTTP-01 challenges nor log files, and it's also possible to use a static configuration with Apache, using the Certbot in the certonly mode as you already do.

    My solution for automatic renewals is using the same working directory for all the HTTP-01 challenges (from /etc/letsencrypt/renewal/example.com.conf):

    # renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
account = 0123456789abcdef0123456789abcdef
rsa_key_size = 4096
[[webroot_map]]
example.com = /var/www/letsencrypt
www.example.com = /var/www/letsencrypt

    This way it's possible to add a global Alias that handles all the challenges, but it's also possible to put it only to the virtual hosts where it's required:

    <IfModule alias_module>
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
</IfModule>
    • 1

  2. Probably the interactive mode is to be run only once. Certbot remembers where certificates are stored, and this is always under the work dir.

    Not that bad. My solution was to replace /home/djechelon/srv/..../ssl/* with symlinks

    In short:

    1. Set up the virtual hosting as usual
    2. Use the command to obtain a new certificate for the new website
    3. Reload apache (I need this for setting up the virtual host)
    4. On renewal, use just certbot renew with proper work dir to run as non-root

    Issuance command

     certbot certonly --webroot -d mta-sts.example.org --preferred-challenges http --work-dir [non-root-workdir --logs-dir [non-root-workdir] --config-dir [non-root-workdir]

    Renewal command (can be cron-ned perhaps)

     certbot renew --work-dir [non-root-workdir --logs-dir [non-root-workdir] --config-dir [non-root-workdir]

    On renewal, of course, one should schedule an Apache reload at very minimum

    • 0