
Certbot: Issue and install public trust certificate for Apache using HTTP-01 domain validation

Before you begin

To install the certificate, ensure you have the following ACME details:

  • ACME directory URL:

    For hosted Trust Lifecycle Manager accounts, use the region-specific URL (see Inbound IP addresses and URLs by environment and region).

    Base URL: https://one.digicert.com/mpki/api/v1/acme/v2/directory

    Region-specific URLs:

    EU region: https://one.nl.digicert.com or https://one.ch.digicert.com
    Japan region: https://one.digicert.co.jp
    US region: https://one.us.digicert.com
  • The external account binding (EAB) credentials from DigiCert:

    • The EAB key identifier (KID). For DigiCert® Trust Lifecycle Manager accounts, take it from the certificate profile.

      Sample KID: zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g

    • The EAB HMAC key of the same certificate profile.

      Sample HMAC key: RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnR

    Treat the HMAC key as a credential: together with the KID it lets anyone register ACME accounts under your certificate profile. Prefer to put it in a root-only Certbot configuration file (passed with -c/--config, as eab-hmac-key = ...) rather than on the command line, where it lands in shell history and is visible to other local users through the process list.

Issue and install the certificate using HTTP-01 method

  1. Verify that port 80 on your web server is reachable from the internet and that {FQDN} resolves to this server before you run the command. HTTP-01 validation always begins with the CA fetching http://{FQDN}/.well-known/acme-challenge/<token> over port 80; a port that is open only on the host firewall but blocked upstream fails validation.

  2. Copy the following command to the command-line prompt, replacing the placeholders in braces:

    sudo certbot --apache --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --preferred-challenges http

    --apache selects the Apache plugin as both authenticator and installer: Certbot answers the HTTP-01 challenge from your port-80 virtual host and then installs the issued certificate into the TLS virtual host. Do not add --manual to the same command: it selects a competing authenticator, and Certbot exits with "Too many flags setting configurators/installers/authenticators" when both are given.

  3. To request HTTP-01 validation, use the --preferred-challenges http option. Without it, Certbot chooses among whichever challenge types the ACME server offers.

  4. If you would rather publish the challenge file yourself (for example, when {FQDN} is served by a host other than the one running Certbot), replace --apache with -a manual -i apache. Certbot then prints the token file name and its required content, which you place under http://{FQDN}/.well-known/acme-challenge/, and waits for you to confirm before it asks the CA to validate. HTTP-01 is a file served over HTTP, not a DNS record.

    When no authenticator is given on the command line, Certbot is interactive and asks how the validation should be carried out. For example:

    How would you like to authenticate with the ACME CA?
    ---------------------------------------------------------------------------
    1. Apache Web Server plugin (apache)
    2. Obtain certificates using a DNS TXT record (if you are using AWS Route 53 for DNS). (dns-route53)
    3. Spin up a temporary webserver (standalone)
    4. Place files in webroot directory (webroot)
    ---------------------------------------------------------------------------
    Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 
  5. Select option 1 in the menu (or pass --apache, which skips the menu) to let the Apache plugin answer the HTTP-01 challenge.

    While the challenge is pending, Certbot adds settings like the following to the port-80 virtual host for {FQDN}; the exact directives depend on your Certbot and Apache versions.

    Alias /.well-known/acme-challenge/ "/var/www/acme/acme-challenge/"
    RewriteRule "^/.well-known/acme-challenge/" - [L]
    <Directory "/var/www/acme/acme-challenge/">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    Whatever your version writes, check that the <Directory> block actually grants anonymous read access to the challenge directory: Require all granted on Apache 2.4, or Order allow,deny together with Allow from all in 2.2-style syntax (Order allow,deny on its own rejects every client). The directory does not need Indexes; the CA fetches one token file, not a listing.
  6. Run the command. Certbot registers the ACME account with the EAB credentials, has the CA fetch the token over port 80, stores the certificate and private key under {MY-CONFIG-DIR} (keep that directory root-only), and reloads Apache with the new certificate installed.
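The checks in steps 1 to 6 are easy to get wrong by hand (a pasted '>' in the URL, a wildcard name, --apache and --manual on one line). The following POSIX shell script is an added example, not code from the DigiCert page or from Certbot: it assembles the certbot command from validated inputs and refuses to emit one that cannot succeed. It assumes the region-specific directory URLs use the same path as the base URL, and the host name, HMAC key and config directory used in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not code from the DigiCert page or from Certbot: assemble and
# sanity-check the certbot invocation for HTTP-01 issuance against DigiCert
# Trust Lifecycle Manager ACME before anything touches the ACME server.
# Values marked "assumed" are illustrative, not taken from the page.

# Directory path from the page's base URL.
ACME_DIRECTORY_PATH="/mpki/api/v1/acme/v2/directory"

# Map a region to its ACME directory URL. The page lists only the region hosts;
# appending the same directory path to each host is an assumption.
acme_directory_url() {
  case "$1" in
    global) host="https://one.digicert.com" ;;
    us)     host="https://one.us.digicert.com" ;;
    eu-nl)  host="https://one.nl.digicert.com" ;;
    eu-ch)  host="https://one.ch.digicert.com" ;;
    jp)     host="https://one.digicert.co.jp" ;;
    *)      printf 'unknown region: %s\n' "$1" >&2; return 1 ;;
  esac
  printf '%s%s\n' "$host" "$ACME_DIRECTORY_PATH"
}

# The EAB key identifier and HMAC key are base64url strings (RFC 8555 section
# 7.3.4). Rejecting anything else catches copy-paste damage such as a stray
# '>' or a space before it reaches the command line.
is_base64url() {
  case "$1" in
    '' | *[!A-Za-z0-9_=-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# HTTP-01 proves control of one exact host name by serving a file on it, so a
# wildcard can never pass; obvious structural errors are rejected as well.
is_fqdn() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$name" in
    '*.'*)                               return 1 ;;  # wildcard: use DNS-01
    '' | .* | *. | *..* | *[!a-z0-9.-]*) return 1 ;;  # empty, edge/double dots, bad chars
    *.*)                                 return 0 ;;  # at least two labels
    *)                                   return 1 ;;  # bare host name, not an FQDN
  esac
}

# Print the certbot command. Only --apache is passed: it makes the Apache
# plugin both authenticator (answers HTTP-01 from the port-80 vhost) and
# installer. --manual would select a competing authenticator, and certbot
# refuses to run with both.
build_certbot_cmd() {
  fqdn=$1; kid=$2; hmac=$3; acme_url=$4; config_dir=$5
  is_fqdn "$fqdn"      || { printf 'bad FQDN for HTTP-01: %s\n' "$fqdn" >&2; return 1; }
  is_base64url "$kid"  || { printf 'EAB KID is not base64url\n' >&2; return 1; }
  is_base64url "$hmac" || { printf 'EAB HMAC key is not base64url\n' >&2; return 1; }
  printf 'sudo certbot --apache --register-unsafely-without-email --eab-kid %s --eab-hmac-key %s --server %s --config-dir %s -d %s --preferred-challenges http\n' \
    "$kid" "$hmac" "$acme_url" "$config_dir" "$fqdn"
}

# The CA fetches http://FQDN/.well-known/acme-challenge/<token> over port 80,
# so something must be listening there before certbot runs. Run this on the
# web server itself; it needs ss from iproute2.
port80_listening() {
  ss -Hltn 'sport = :80' 2>/dev/null | grep -q .
}

# Demo with assumed values: the page's sample KID, a placeholder HMAC key, an
# assumed host name and an assumed Certbot config directory.
if [ "${1:-}" = "--demo" ]; then
  url=$(acme_directory_url us) || exit 1
  build_certbot_cmd www.example.com \
    zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g \
    RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnR \
    "$url" /etc/letsencrypt
  port80_listening || echo 'warning: nothing is listening on port 80' >&2
fi
```

Run it with --demo on the web server to print the assembled command and a port-80 warning; substitute your own KID, HMAC key and FQDN in the demo block, or source the file and call build_certbot_cmd directly. Because the printed line contains the HMAC key, do not paste it into a shared terminal log; the configuration-file approach from the "Before you begin" section keeps it out of the process list entirely.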

What's next

The domain is validated, and the certificate is issued and installed on your Apache web server.

To renew, reissue, or duplicate the certificate, see Certbot: Renew, reissue, or duplicate certificate using ACME URL query parameters.