I’ve just experienced a strange issue whereby certbot removes both webroot_path and webroot_map from the renewal configuration file. Forgive me for deviating from the issue template; the relevant details are all here, but hopefully in a way which is concise and makes most sense for being able to reproduce this particular issue.
I had the following renewal configuration:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/leadsheet-publications.co.uk
cert = /etc/letsencrypt/live/leadsheet-publications.co.uk/cert.pem
privkey = /etc/letsencrypt/live/leadsheet-publications.co.uk/privkey.pem
chain = /etc/letsencrypt/live/leadsheet-publications.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/leadsheet-publications.co.uk/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = manual
account = x
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
I ran:
certbot certonly --webroot -w /var/www/vhosts/leadsheet-publications.co.uk/current/web -d leadsheet-publications.co.uk -d www.leadsheet-publications.co.uk -d new.leadsheet-publications.co.uk
And got:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/leadsheet-publications.co.uk.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Which produced:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/leadsheet-publications.co.uk
cert = /etc/letsencrypt/live/leadsheet-publications.co.uk/cert.pem
privkey = /etc/letsencrypt/live/leadsheet-publications.co.uk/privkey.pem
chain = /etc/letsencrypt/live/leadsheet-publications.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/leadsheet-publications.co.uk/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = x
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/vhosts/leadsheet-publications.co.uk/current/web,
[[webroot_map]]
I then ran certbot renew --force-renewal to test something and this replaced the renewal config with:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/leadsheet-publications.co.uk
cert = /etc/letsencrypt/live/leadsheet-publications.co.uk/cert.pem
privkey = /etc/letsencrypt/live/leadsheet-publications.co.uk/privkey.pem
chain = /etc/letsencrypt/live/leadsheet-publications.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/leadsheet-publications.co.uk/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = x
server = https://acme-v02.api.letsencrypt.org/directory
All references to the web root have vanished. Yet if I force renew again, it appears to work.
Some of the renewal configurations on my servers have a [[webroot_map]] section with nothing underneath but have a webroot_path with a value. Others have no webroot_path but entries under [[webroot_map]]. I’m not sure what is by design and what is deprecated and what is a bug.
Domain: leadsheet-publications.co.uk
Certbot version: certbot 0.31.0
OS: CentOS 7.6
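An added example, not part of the original post and not certbot's own code: a small audit that flags renewal configs in the state described above, where authenticator = webroot is set but neither a webroot_path value nor any [[webroot_map]] entry remains. The function names are hypothetical, the parser is a simplified stdlib reader rather than certbot's config loader, and treating that state as the failure condition is an assumption taken from the post.

```python
import re

def parse_renewal_conf(text):
    """Return (renewalparams, webroot_map) dicts from a renewal config's text."""
    params, webroot_map, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"(\[+)\s*([^\[\]]+?)\s*\]+", line)
        if header:  # depth 1 = [section], depth 2 = [[subsection]]
            section = (len(header.group(1)), header.group(2))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if section == (1, "renewalparams"):
            params[key.strip()] = value.strip()
        elif section == (2, "webroot_map"):
            webroot_map[key.strip()] = value.strip()
    return params, webroot_map

def audit(text):
    """Classify a config: 'not-webroot', 'ok', or 'missing-webroot'."""
    params, webroot_map = parse_renewal_conf(text)
    if params.get("authenticator") != "webroot":
        return "not-webroot"
    # A trailing comma marks a list value, e.g. "webroot_path = /path,"
    paths = [p.strip() for p in params.get("webroot_path", "").split(",") if p.strip()]
    return "ok" if paths or webroot_map else "missing-webroot"

# [renewalparams] sections as shown in the post, trimmed to the relevant keys
AFTER_CERTONLY = """[renewalparams]
authenticator = webroot
webroot_path = /var/www/vhosts/leadsheet-publications.co.uk/current/web,
[[webroot_map]]
"""
AFTER_FORCE_RENEWAL = """[renewalparams]
authenticator = webroot
account = x
"""
# Constructed sample: map entries only, no webroot_path (example.org is a placeholder)
MAP_ONLY = """[renewalparams]
authenticator = webroot
[[webroot_map]]
example.org = /var/www/example
"""

if __name__ == "__main__":
    for name in ("AFTER_CERTONLY", "AFTER_FORCE_RENEWAL", "MAP_ONLY"):
        print(name, audit(globals()[name]))
```

To check a server, read each file under /etc/letsencrypt/renewal/ and pass its contents to audit(); any file reported as missing-webroot is worth inspecting before its certificate comes due.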