Acme client, certbot and very poor/confusing instructions

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: signal dot wetleaves dot com

I ran this command: certbot --dry-run

It produced this output: --dry-run currently only works with the ‘certonly’ or ‘renew’ subcommands (‘run’)

That doesn’t inspire confidence - the precise command directed by jsha doesn’t work? Not good.

So I foolishly tried: certbot --dry-run --renew

and it gave me: usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] … Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate. certbot: error: ambiguous option: --renew could match --renew-hook, --renew-with-new-domains, --renew-by-default

My web server is (include version): Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Shouldn’t need that, all they give me is a IP address and connection.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Sorry for the confusion. The command you want is:

certbot renew --dry-run

Got a link to where you saw that? The forum is quite busy at the moment and I can't seem to find it :slight_smile:

1 Like

Ah. In that post @jsha is talking about an upcoming change. If you want to try a test renewal now you should use this instead:

certbot renew --dry-run --preferred-challenges http-01,dns-01

A change in the staging server, yes. Nontheless, the certbot command presented by @jsha doesn't work without an actual run or renew command.

1 Like

Its from a link in the message I received yesterday, link is https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

1 Like

certbot renew --dry-run seems to work. So now I run it without the --dry-run right?

I appreciate yalls patience with me.

What do you want to accomplish? The post from @jsha clearly states the change will be activated on next Tuesday. So anything you test know could possibly be very different on Tuesday.

Just running certbot renew --dry-run won't tell you anything useful just yet - that's what's coming on Tuesday.

If you want to do an equivalent test now you should run this instead:

Does that work? If so, you shouldn't really need to do anything else.

A successful dry run a few minutes ago could have cached TLS-SNI authorizations, though. :grimacing:

I get (among other output): Congratulations, all renewals succeeded.

Respectfully, the message that was sent yesterday resulted in confusion. I suspect yall are getting lots of responses from people like me who mistook the message intent for a requirement RIGHT NOW. So I will wait...

thanks again.

hm, true. Maybe it's best if we just advise folks to wait until Tuesday?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.