
I want to run

$ letsencrypt --apache certonly

to get a new cert, but I can't find anywhere in the documentation that explains what this actually does other than that it uses the "tls-sni-01 challenge type". What does it actually change in my Apache config, and does it delete the changes after completing the challenge? I am nervous about running a script that makes automatic changes to my Apache configuration.

If I run it on a live site will it result in any downtime?

Flash
  • Don't run it on a live site then; run it in a test environment to see what it does. – user9517 Feb 26 '17 at 06:36
  • @istheEnglishway Of course, but I want to know what it does. 'Run it and see if it works in a test environment' is not something I'm comfortable relying on :) – Flash Feb 26 '17 at 07:04
  • Why, in conjunction with reading the documentation, would you not run it in a test environment to see what it does? Seems like an eminently sensible thing to do to me. – user9517 Feb 26 '17 at 07:12
  • @istheEnglishway What do you mean by "see what it does"? I assume it makes temporary modifications to my Apache config, completes the challenge, and reverts them. I don't know what it's doing other than by reading the source. I think it would be valuable to give _some_ explanation in the docs. – Flash Feb 26 '17 at 07:14
  • The best way to figure that out would be here: https://github.com/certbot/certbot/tree/master/certbot-apache/certbot_apache – Anubioz Feb 26 '17 at 08:23

1 Answer


A quick Google search for tls-sni-01 finds, among others, this explanation:

With the tls-sni-01 challenge, you prove to the CA that you are able to control the web server of the domain to be authorized, by letting it respond to a SNI request with a specific self-signed cert.

Read the description for the detailed process.

And no, it will not result in any downtime as long as you don't introduce any errors into your httpd configuration.

Gerald Schneider
  • Sorry, I wasn't very clear. I read the RFC, but I want to know what the plugin does to actually achieve this. What files does it modify/add, does it remove them after completion, etc. – Flash Feb 26 '17 at 07:02
  • Well, it is open source. You can just read it. – Gerald Schneider Feb 26 '17 at 07:07
  • Fair enough. I did look at it before posting the question, but given that I have never used letsencrypt before I don't really know what I'm looking for. – Flash Feb 26 '17 at 07:12
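What the CA and the web server actually exchange during tls-sni-01, as an added example that is not from the question, the answer, or the certbot project: a small Python model of the validation step. It assumes the construction from draft-ietf-acme-acme-01 (key authorization = token + "." + JWK thumbprint, Z = lowercase hex SHA-256 of that string, SNI name Z[0:32] + "." + Z[32:64] + ".acme.invalid"); the token and thumbprint are constructed sample values, and the name-based TLS server is a dict stand-in rather than Apache. It also shows the failure mode a practitioner cares about: a server that ignores SNI and always hands out its default certificate fails the challenge.

```python
"""Model of the tls-sni-01 validation exchange (added example, not certbot code).

Assumed construction, from draft-ietf-acme-acme-01:
  keyAuthorization = token + "." + base64url(JWK thumbprint)
  Z                = lowercase hex of SHA-256(keyAuthorization)
  ZName            = Z[0:32] + "." + Z[32:64] + ".acme.invalid"
The client serves a self-signed cert carrying dNSName ZName in its SAN for
TLS connections whose SNI is ZName; the CA connects with that SNI and checks
the SAN.  The "server" here is a dict mapping server name -> SAN list.
"""
import hashlib
import re
from typing import Dict, List, Tuple

ACME_SUFFIX = ".acme.invalid"
ZNAME_RE = re.compile(r"^[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid$")


def key_authorization(token: str, jwk_thumbprint: str) -> str:
    """Key authorization string tying the challenge token to the account key."""
    return f"{token}.{jwk_thumbprint}"


def z_name(key_auth: str) -> str:
    """SNI / SAN name derived from the key authorization."""
    z = hashlib.sha256(key_auth.encode("ascii")).hexdigest()   # 64 lowercase hex chars
    return f"{z[:32]}.{z[32:]}{ACME_SUFFIX}"


def serve_cert_for_sni(vhosts: Dict[str, List[str]], sni: str,
                       default_sans: List[str], honors_sni: bool = True) -> List[str]:
    """Stand-in for a name-based TLS server: SAN list of the cert it would present.

    A server that ignores SNI (honors_sni=False) always serves the default cert,
    which is exactly the misconfiguration that makes this challenge fail.
    """
    if not honors_sni:
        return default_sans
    return vhosts.get(sni.lower(), default_sans)


def ca_validates(expected_zname: str, presented_sans: List[str]) -> bool:
    """CA-side check: refuse malformed names, require ZName as a dNSName in the SAN."""
    if not ZNAME_RE.match(expected_zname):
        return False
    return expected_zname in {name.lower() for name in presented_sans}


def run_challenge(token: str, jwk_thumbprint: str,
                  existing_vhosts: Dict[str, List[str]],
                  default_sans: List[str],
                  honors_sni: bool = True) -> Tuple[bool, bool]:
    """Whole exchange: add a temporary vhost, let the CA probe it, remove it.

    Returns (challenge_passed, config_restored_to_original).
    """
    zname = z_name(key_authorization(token, jwk_thumbprint))
    vhosts = dict(existing_vhosts)
    vhosts[zname] = [zname]                       # temporary self-signed cert, SAN = ZName
    presented = serve_cert_for_sni(vhosts, zname, default_sans, honors_sni)
    passed = ca_validates(zname, presented)
    del vhosts[zname]                             # challenge over: drop the temporary vhost
    return passed, vhosts == existing_vhosts


if __name__ == "__main__":
    # Constructed sample values (not a real token or account-key thumbprint).
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    thumb = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
    site = {"www.example.com": ["www.example.com", "example.com"]}
    print(z_name(key_authorization(token, thumb)))
    print(run_challenge(token, thumb, site, site["www.example.com"]))
    print(run_challenge(token, thumb, site, site["www.example.com"], honors_sni=False))
```

On a real host the counterpart of serve_cert_for_sni is what `openssl s_client -connect host:443 -servername <ZName>` shows you: the certificate returned for that SNI is the one the CA will inspect, so that command is the quickest way to see whether a given server answers the challenge name with the temporary certificate or with its default one.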