[Letsencrypt-devel] Bug#834989: Using the Apache authenticator
Peter Eckersley
pde at eff.org
Wed Dec 7 20:59:09 UTC 2016
Hi Andrey,
If you have Apache listening on :80 and :443, you probably actually want to
use the Apache *authenticator* to obtain all your certs (you don't have to
install them in your Apache config). If you run certbot with "certonly
--apache" what that will do is either use your default :443 vhost if you have
one, or spin up a transient Apache vhost to prove control of the domain by
TLS-SNI-01, obtain the cert, then remove the vhost again.
In all cases, using Apache for authentication but not installation should
leave your Apache configuration in its original state after Certbot is run.
You could edit the renewal conf file to make that happen, or just run:
certbot certonly -n --force-renewal -a apache -i none -d $EMAIL_DOMAINS
to update that certificate lineage to use the apache authenticator.
Then in the future, use:
certbot certonly -n --apache -d $NEW_EMAIL_DOMAINS
to get certs for things like mail domains that you don't want Apache to
actually respond to.
(I'm including the -n non-interactive flag because it works around this UI
issue: https://github.com/certbot/certbot/issues/3869 )
--
Peter Eckersley pde at eff.org
Chief Computer Scientist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
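As an added example (not part of the original message and not Certbot's own code), a small POSIX shell wrapper that checks the claim above: it hashes every file under the Apache config directory before and after a "certonly --apache" run and reports whether anything changed. The function names, the `/etc/apache2` default and the use of `sha256sum` and `diff` are assumptions.

```shell
#!/bin/sh
# Added example: verify that "certbot certonly --apache" leaves the Apache
# configuration tree untouched. Assumes sha256sum, find, sort -z, xargs -0.

# Print "hash  path" for every regular file under $1, sorted by path.
snapshot_config() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum
}

# Return 0 if two snapshot strings are identical, 1 otherwise.
# On a mismatch the differing lines are written to stderr.
config_unchanged() {
    if [ "$1" = "$2" ]; then
        return 0
    fi
    before_f="$(mktemp)"; after_f="$(mktemp)"
    printf '%s\n' "$1" > "$before_f"
    printf '%s\n' "$2" > "$after_f"
    diff "$before_f" "$after_f" >&2
    rm -f "$before_f" "$after_f"
    return 1
}

# Obtain a certificate with the Apache authenticator only (no installer),
# then confirm the config directory is byte-for-byte as it was.
# Usage: certonly_apache_checked /etc/apache2 "mail.example.com,imap.example.com"
certonly_apache_checked() {
    conf_dir="${1:-/etc/apache2}"; domains="$2"
    before="$(snapshot_config "$conf_dir")"
    certbot certonly -n --apache -d "$domains" || return 2
    after="$(snapshot_config "$conf_dir")"
    if config_unchanged "$before" "$after"; then
        echo "OK: $conf_dir unchanged after certonly --apache"
        return 0
    fi
    echo "WARNING: $conf_dir was modified; review the diff above" >&2
    return 1
}
```

Exit status 1 means the config tree changed, 2 means certbot itself failed; the hashes are taken over regular files only, so a plugin that only creates and removes a transient vhost file leaves the two snapshots identical.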