Skip to main content

Certbot: Issue and install public trust certificate for Apache using HTTP-01 domain validation

Command syntax

At the command-line prompt, use the below command syntax to issue and install a public DV, OV, or EV certificate for the Apache web server, using the HTTP-01 method for domain control validation:

sudo certbot --apache --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges http

Fill in values for the command arguments shown in curly braces, as described below:

Command argument

Description

{MY-KEY-IDENTIFIER}

The external account binding key identifier (KID) of the desired certificate profile in DigiCert​​®​​ Trust Lifecycle Manager.

{MY-HMAC-KEY}

The external account binding HMAC key of the certificate profile.

{ACME-URL}

The ACME Directory URL. For hosted DigiCert® ONE accounts, use https://one.digicert.com/mpki/api/v1/acme/v2/directory

{MY-CONFIG-DIR}

The local directory path that stores your Certbot configuration files for the current application. The configuration files here control how and where Certbot installs the certificates it downloads. If you omit the --config-dir option, Certbot will check in the /etc/letsencrypt directory by default.

{FQDN}

The fully qualified domain name you want the certificate to secure. For each FQDN, add an additional -d option. The first one you specify is used as the common name (CN).

Example command:

sudo certbot --apache --register-unsafely-without-email --eab-kid abcdef8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key EEEraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_other_public_webserver_config/ -d test.com -d www.test.com --manual --preferred-challenges http

Usage notes

  • To issue a public trust certificate using a third-party ACME client like Certbot, the requested certificate profile in DigiCert​​®​​ Trust Lifecycle Manager must be based on the CertCentral Public Server Certificate or Let's Encrypt Public Server Certificate template.

  • The --preferred-challenges option specifies the preferred form of domain validation. Enter http here to request HTTP-01 validation.

  • This command runs interactively. Certbot presents you with the below menu to decide how the HTTP validation gets carried out:

    How would you like to authenticate with the ACME CA?
    ---------------------------------------------------------------------------
    1. Apache Web Server plugin (apache)
    2. Obtain certificates using a DNS TXT record (if you are using AWS Route 53 for DNS). (dns-route53)
    3. Spin up a temporary webserver (standalone)
    4. Place files in webroot directory (webroot)
    ---------------------------------------------------------------------------
    Select the appropriate number [1-4] then [enter] (press 'c' to cancel):
  • Select option 1 in the above menu to have Certbot automatically configure the Apache web server for HTTP validation. Your web server must have port 80 open. Certbot will add lines like the following to the virtual host configuration for port 80:

    Alias /.well-known/acme-challenge/ "/var/www/acme/acme-challenge/"
    RewriteRule "^/.well-known/acme-challenge/" = [L]
    <Directory "/var/www/acme/acme-challenge/">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
    </Directory>
  • After validating, the command completes, and the certificate is issued and installed.

  • If the requested certificate matches an existing order, DigiCert​​®​​ Trust Lifecycle Manager applies the default automation action for that order (see ACME automation actions). If there is no matching order, or if the ACME URL includes ?action=enroll, Trust Lifecycle Manager treats it as a new order and enrolls the new certificate for you.