Certbot 0.11.1 on CentOS 7 always renews

I’ve got certbot 0.11.1 installed on a CentOS 7 server from EPEL and when I run certbot renew it continually renews the certificates, never says they’re valid yet; using openssl to check the certificate on the file system, they are being updated.

Similar to Problem with certbot-auto renew - always renewing domain

Version 0.12.0 from epel-testing does the same (just upgraded to try).

Could you give us the contents of /etc/letsencrypt/cli.ini and/or the relevant configuration file in /etc/letsencrypt/renewal/?

/etc/letsencrypt/cli.ini

  $ cat /etc/letsencrypt/cli.ini
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = xxxxxxxxx@xxxxx.com
text = True
authenticator = webroot
webroot-path = /var/www/domains
agree-tos = True
renew-by-default = True

A selection renewal (they’re all pretty much the same)

# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/ianwinter.co.uk/cert.pem
privkey = /etc/letsencrypt/live/ianwinter.co.uk/privkey.pem
chain = /etc/letsencrypt/live/ianwinter.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/ianwinter.co.uk/fullchain.pem
version = 0.11.1
archive_dir = /etc/letsencrypt/archive/ianwinter.co.uk

# Options and defaults used in the renewal process
[renewalparams]
installer = None
authenticator = webroot
account = xxxx
rsa_key_size = 4096
post_hook = systemctl restart nginx
server = https://acme-v01.api.letsencrypt.org/directory
webroot_path = /var/www/domains,
[[webroot_map]]
www.ianwinter.co.uk = /var/www/domains
ianwinter.co.uk = /var/www/domains

I’ve tried taking the version out, matching the version to 0.12.0 and removing the renew_before_expiry commented line - same behaviour.

There’s also the renew-by-default in cli.ini :wink:

Ah OK, so that’s saying renew anyway rather than check the expiry?

This is the first server that’s had the RPM version, I started way back on a 0.7 I think so guess it’s dodgy old config.

Bingo, take it out and it works. Thanks (and sorry) for the blindingly obvious point out!!!

Correct.

Perhaps.. I'm checking the EPEL package anyway, I doubt it's the case, but perhaps something weird got into their default cli.ini..

Can't find any reference other than /examples/cli.ini in the EPEL packages of certbot, so I'm inclined to say it has something to do with old configs indeed :slight_smile:

Awesome, thanks for the assistance and apologies again for the time waste.

No need for that, you had a sincere problem with a cause which is easily overlooked :slight_smile:

Because this wasn't so obvious before, we changed the name of this option to --force-renewal, but the old name is still accepted.

If you have some old documentation that uses the old name, could you tell us where you found it? Maybe we can ask for it to be updated somehow.

Honestly not sure where it would have come from. If I recall correctly I started using the letsencrypt-auto client back, probably around 0.7, I suspect I just built that config by hand - might have been on the old readthedocs pages at the time, or, from the forums.

--force-renewal certainly makes it clearer though.

Again, thanks for the help.
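A check for the setting identified in this thread, as an added example that is not part of the original posts or of certbot itself: it scans cli.ini-style text for an active renew-by-default / force-renewal line, ignoring commented-out ones. The function name, the set of truthy values and the sample text (the thread's cli.ini with a placeholder e-mail address) are assumptions of the example.

```python
# Added example: flag settings that make "certbot renew" ignore expiry dates.
# Option names come from the thread: the old name and its replacement.
FORCE_KEYS = {"renew-by-default", "force-renewal"}
TRUTHY = {"true", "yes", "1", "on"}  # assumed set of "enabled" spellings

# Sample input: the cli.ini posted in the thread, e-mail replaced by a placeholder.
CLI_INI = """\
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = admin@example.com
text = True
authenticator = webroot
webroot-path = /var/www/domains
agree-tos = True
renew-by-default = True
"""


def find_forced_renewal(text):
    """Return (line_number, option) for each active line that forces renewal."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        # Normalise "--force-renewal", "force_renewal" and "force-renewal".
        key = key.strip().lstrip("-").replace("_", "-").lower()
        value = value.strip().lower()
        # A bare flag with no "= value" counts as enabled.
        if key in FORCE_KEYS and (not sep or value in TRUTHY):
            hits.append((number, key))
    return hits


if __name__ == "__main__":
    for number, key in find_forced_renewal(CLI_INI):
        print(f"line {number}: {key} is set, every run will renew")
```
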
