Authenticator line seemingly ignored in conf file?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.prylis.com

I ran this command:
certbot renew --dry-run -v

It produced this output:
Plugins selected: Authenticator standalone, Installer apache

My web server is (include version):
Apache 2.4.52

The operating system my web server runs on is (include version):
Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Hello. I noticed that autorenewal, which had been running fine for a few years, ceased working. It doesn't appear to be at all related to the "April 2024 verification" thing. Rather, it seems that the config file "authenticator" line is suddenly being entirely ignored. I only noticed it because I got an expiry email from LetsEncrypt this morning.

The conf file contains:

installer = apache
authenticator = apache

...yet running certbot in verbose mode shows:

Plugins selected: Authenticator standalone, Installer apache

Welcome to the community @cbpowell

That sounds very strange. I see you just renewed a cert for that domain within the last hour or so. Maybe you sorted it out.

But I'd be curious to see the output of this command to make sure there's no trouble going forward. I have a hunch you have multiple Certbot cert profiles active.

sudo certbot certificates
3 Likes

Not really - needing to "solve today's problem today", I disabled Apache long enough to renew. Autorenewal is still inop for me.

Sure, here (and thank you for your reply):


Found the following certs:
Certificate Name: www.prylis.com
Serial Number: 4ce757627c291fc8df6c512e0e5c042526b
Key Type: RSA
Domains: www.prylis.com
Expiry Date: 2024-09-01 16:34:55+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.prylis.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.prylis.com/privkey.pem


Regards,
Chris

1 Like

Which file? /etc/letsencrypt/renewal/www.prylis.com.conf or /etc/letsencrypt/cli.ini?

If it was not the file /etc/letsencrypt/cli.ini, does that file exist and, if so, what are its contents?

2 Likes

I was referring to /etc/letsencrypt/renewal/www.prylis.com.conf, but I see that the cli.ini file does exist. I think it is the guilty party, as its first line is standalone = true. I'm sorry, I simply did not know of the existence of cli.ini or that would have leapt out at me.

Changing the first line to standalone = false seems to have cured my problem, I am relieved and pleased to say.

Regards,
Chris

You can just take the line out of the config file entirely, so that the authenticator is just based on the cert configuration instead of being global. Might save some confusion if you ever need another certificate on that system or need to change the config.

You might want to run a certbot renew --dry-run just to confirm that your next automatic renewal will complete on its own.

5 Likes
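
One way to catch this situation before a renewal fails, as an added example that is not part of the original thread or of Certbot itself: a small audit that flags plugin selectors set globally in cli.ini when they disagree with the authenticator recorded in a certificate's renewal conf. The function names, the set of values treated as "enabled" and the sample file contents are assumptions constructed for illustration.

```python
import re

# cli.ini keys mirror certbot's long command-line flags; these select a plugin.
SHORTCUTS = ("standalone", "apache", "nginx", "webroot", "manual")
# Values treated as "enabled" here (assumption for this example).
TRUTHY = {"true", "yes", "1"}


def parse_ini(text):
    """Return {section: {key: value}}; keys before any [section] go under ''."""
    data, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            data.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            data[section][key.strip()] = value.strip()
    return data


def global_authenticators(cli_ini_text):
    """Authenticator plugins that cli.ini selects for every certificate."""
    opts = parse_ini(cli_ini_text)[""]
    found = [k for k in SHORTCUTS if opts.get(k, "").lower() in TRUTHY]
    if "authenticator" in opts:
        found.append(opts["authenticator"])
    return found


def conflicts(cli_ini_text, renewal_conf_text):
    """(global, per-cert) pairs where cli.ini disagrees with the renewal conf."""
    params = parse_ini(renewal_conf_text).get("renewalparams", {})
    wanted = params.get("authenticator")
    return [(g, wanted) for g in global_authenticators(cli_ini_text) if g != wanted]


# Constructed sample files reproducing the situation described in this thread.
CLI_INI = "standalone = true\n# authenticator = standalone\n"
RENEWAL = "version = 1.21.0\n[renewalparams]\ninstaller = apache\nauthenticator = apache\n"

if __name__ == "__main__":
    for forced, wanted in conflicts(CLI_INI, RENEWAL):
        print(f"cli.ini selects '{forced}' but the renewal conf asks for '{wanted}'")
```

To check a real system, read /etc/letsencrypt/cli.ini and each file under /etc/letsencrypt/renewal/ and pass their contents to conflicts().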

Ghe, I noticed an error in that example cli.ini:

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone

Standalone authenticator on port 443? Since when does Certbot support tls-alpn-01? (Hint: it doesn't.)

1 Like
