Acme client, certbot and very poor/confusing instructions


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: signal dot wetleaves dot com

I ran this command: certbot --dry-run

It produced this output: --dry-run currently only works with the ‘certonly’ or ‘renew’ subcommands (‘run’)

That doesn’t inspire confidence - the precise command directed by jsha doesn’t work? Not good.

So I foolishly tried: certbot --dry-run --renew

and it gave me: usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] … Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate. certbot: error: ambiguous option: --renew could match --renew-hook, --renew-with-new-domains, --renew-by-default

My web server is (include version): Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Shouldn’t need that, all they give me is an IP address and connection.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Sorry for the confusion. The command you want is:

certbot renew --dry-run

Got a link to where you saw that? The forum is quite busy at the moment and I can’t seem to find it :slight_smile:


#3

#4

Ah. In that post @jsha is talking about an upcoming change. If you want to try a test renewal now you should use this instead:

certbot renew --dry-run --preferred-challenges http-01,dns-01

#5

A change in the staging server, yes. Nonetheless, the certbot command presented by @jsha doesn’t work without an actual run or renew command.


#6

It’s from a link in the message I received yesterday, link is https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209


#7

certbot renew --dry-run seems to work. So now I run it without the --dry-run right?

I appreciate y’all’s patience with me.


#8

What do you want to accomplish? The post from @jsha clearly states the change will be activated on next Tuesday. So anything you test now could possibly be very different on Tuesday.


#9

Just running certbot renew --dry-run won’t tell you anything useful just yet - that’s what’s coming on Tuesday.

If you want to do an equivalent test now you should run this instead:

Does that work? If so, you shouldn’t really need to do anything else.


#10

A successful dry run a few minutes ago could have cached TLS-SNI authorizations, though. :grimacing:


#11

I get (among other output): Congratulations, all renewals succeeded.

Respectfully, the message that was sent yesterday resulted in confusion. I suspect y’all are getting lots of responses from people like me who mistook the message intent for a requirement RIGHT NOW. So I will wait…

thanks again.


#12

hm, true. Maybe it’s best if we just advise folks to wait until Tuesday?

