Cert renewal error

Greetings,

It is time to renew my cert. When I set things up in Dec, I tested renewals then and it was all working. Now, not so much. I am using the client from Gitlab on Scientific Linux 7.2. I couldn’t find the commands in my history, so I decided to follow the documentation from the section “Renewing a Certificate” from here: https://letsencrypt.org/howitworks/

```
$ cat .git/config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = https://github.com/letsencrypt/letsencrypt
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
```

```
$ git pull
Already up-to-date.
$ ./letsencrypt-auto renew
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo ~/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade --force-renewal renew
Currently, the renew verb is only capable of renewing all installed certificates that are due to be renewed; individual domains cannot be specified with this action. If you would like to renew specific certificates, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future.
```

Huh. Well, that is odd. Wonder what shows up in an internet search… nothing but the code. https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/cli.py

Not very useful at all.

Fine. I will pass it my config file with ‘-c /etc/letsencrypt/cli.ini’ and still the same error. Fine. I will do it manually.
```
$ ./letsencrypt-auto auth -c /etc/letsencrypt/cli.ini
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo ~/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth -c /etc/letsencrypt/cli.ini
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: my.domain.one, my.domain.two, my.domain.three, my.domain.four). We will not do that unless you use the --break-my-certs flag!
```

What gives? I don’t want a test cert (or do I?)! And I certainly don’t want to break my certs… So how do I just renew? I don’t understand the error. I don’t understand what I did wrong. And I really don’t understand why the documentation isn’t working for me.

Any help please?
Thanks!

Please see Cannot get my cert renewed on centos 6.7 [solved]

Thanks for the link. Sadly, that doesn’t matter for me.
```
$ git status
On branch master
nothing to commit, working directory clean
$ sed -e '/^#/d' -e '/^$/d' /etc/letsencrypt/cli.ini
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = my@email.com
domains = my.domain.one, my.domain.two, my.domain.three, my.domain.four
$ ./letsencrypt-auto renew
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo ~/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade renew
Currently, the renew verb is only capable of renewing all installed certificates that are due to be renewed; individual domains cannot be specified with this action. If you would like to renew specific certificates, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future.
```

Still can’t find anything about what that error means.

Thanks!

The renew verb doesn’t like domains being specified directly via command-line flags or via cli.ini. Basically, it looks at all your certificates and renews them if needed. This could conflict with domains you specify manually, which is why it’s not supported.

You have two options:

  • Implement renewal with certonly and --keep-until-expiring. You can put that in a daily cronjob and it will only replace your certificates when they’re about to expire (30 days).
  • Remove the domains line from your cli.ini and use renew.
    • If you ever need to expand your certificates with additional domains, add the line back temporarily and add any new domains, or pass it to the client via -d.
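As an added example, not code from this thread or from the Let’s Encrypt client, here is a POSIX shell pre-flight check for the two options above. It detects a `domains` key in cli.ini (the setting that makes `renew` refuse to run), writes a copy of the file without that key so the other settings still apply, keeps the domain list available for `certonly -d` when a certificate needs expanding, and builds the `renew` or `certonly --keep-until-expiring` command line that a cron job would run. The sample cli.ini, its placeholder domains and the temp-file paths are constructed for the example; the flags used are the ones named in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or the client): check cli.ini before
# a cron job runs `renew`, since `renew` refuses when `domains` is set.

# Returns 0 if cli.ini has no `domains` key (safe for `renew`), 1 otherwise.
# Comments and blank lines are dropped first, as in the poster's sed command.
cli_ini_renew_safe() {
    if sed -e '/^#/d' -e '/^$/d' "$1" \
        | grep -Eq '^[[:space:]]*domains[[:space:]]*='; then
        return 1
    fi
    return 0
}

# Write a copy of the ini with the `domains` key removed (keeps rsa-key-size,
# server, email and any other settings intact).
strip_domains_key() {
    sed -e '/^[[:space:]]*domains[[:space:]]*=/d' "$1" > "$2"
}

# Print the `domains` value as a comma-separated list with no spaces, in the
# form `certonly -d` accepts when a certificate has to be expanded.
domains_from_ini() {
    sed -n -e 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' "$1" | tr -d ' '
}

# Build the command for either option in the thread:
#   renew    - ini with no domains key, the `renew` verb decides what is due
#   certonly - `certonly --keep-until-expiring`, replaces only near expiry
renew_command() {
    mode="$1"; ini="$2"
    case "$mode" in
        renew)    printf '%s\n' "./letsencrypt-auto renew -c $ini" ;;
        certonly) printf '%s\n' "./letsencrypt-auto certonly --keep-until-expiring -c $ini" ;;
        *)        return 1 ;;
    esac
}

# Walk through a constructed cli.ini that mirrors the poster's (placeholder
# domains, hypothetical temp path).
demo() {
    tmp="${TMPDIR:-/tmp}/cli.ini.$$"
    cat > "$tmp" <<'EOF'
# constructed sample cli.ini
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = my@email.com
domains = my.domain.one, my.domain.two, my.domain.three, my.domain.four
EOF
    if cli_ini_renew_safe "$tmp"; then
        echo "no domains key: cron can run: $(renew_command renew "$tmp")"
    else
        echo "domains key present: 'renew' will refuse; writing $tmp.renew without it"
        strip_domains_key "$tmp" "$tmp.renew"
        echo "cron can run: $(renew_command renew "$tmp.renew")"
        echo "or, keeping the domains: $(renew_command certonly "$tmp")"
        echo "domains to pass with -d when expanding: $(domains_from_ini "$tmp")"
    fi
    rm -f "$tmp" "$tmp.renew"
}

case "${1-}" in
    demo) demo ;;
esac
```

Run it as `sh check-cli-ini.sh demo` to see the walkthrough; the functions themselves only read the file you give them, so they are safe to call from the same cron entry that runs the renewal.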

Thanks! Removing that line from the cli.ini file did the trick!

I appreciate the help!

The error message needs to be improved. It is a waste of time for everyone to have to troll through the internet to find out that they need to edit the cli.ini file.

+1 - it’s not at all clear that letsencrypt-auto renew decides to read all the options in cli.ini before it does its work. I’m super stoked on the simplicity of the command in general, but it took a significant amount of time for me to figure out where the hell it was getting specific domains from, or why it was telling me agree-dev-preview was deprecated when I wasn’t typing it.

I’d agree that this could be more clear. I didn’t discover this until I realized my certs weren’t renewing and I manually ran the command. Granted, it’s only been until recently that Letsencrypt has been out of Beta, but I’m still trying to find the best “proper” way to set up my configs.

I’ve had this same issue. Filed issue #3824 on GitHub, to look into adding a more explicit error message.

Thanks, @pfg. I had been searching for this solution for a while.