Certbot webroot location

I am in the process of reconfiguring certbot on my OOD server to match the other servers at my site. I would like to use the webroot method because that’s what my Ansible role is written to do. I’m trying to figure out what the webroot/DocumentRoot would be for OOD. Looking at the Apache config, it seems like all requests are expected to be /public, /pun, /nginx, /rnode, or /node, and /.well-known just won’t work. Is there an easy way to make this work, or should I just update my Ansible role to use the Apache method?

OOD doesn’t really have this notion of DocumentRoot used in the way you are hoping with certbot --webroot.

I’m pretty sure to get this to work using --webroot you’d have to do some editing to the Apache configs by hand to handle the /.well-known/acme-challenge token path, and that starts to go outside of our recommended practices with OOD because of how we write those config files with the portal generator.

Using the --apache method is more of an OOD best practice here. This way you avoid hand-editing any files or writing anything for Apache outside the portal generator, which may later get overwritten if you run the command again. When you renew the certs this way, Apache will basically handle all this for us (creating the acme-challenge path and adding it to the vhost to be used, then removing it after) and skip needing any directives outside of OOD and any manual maintenance.

If there is a security policy in place that prevents the use of --apache, let me know, though, and we can try to work through getting that to work; it would just take more Apache know-how and tinkering (not really OOD).