Certbot 0.11.1 on CentOS 7 always renews


#1

I’ve got certbot 0.11.1 installed on a CentOS 7 server from EPEL and when I run certbot renew it continually renews teh certificates, never says their valid yet using openssl to check the certificate on the file system they are being updated.

Similar to Problem with certbot-auto renew - always renewing domain


#2

Version 0.12.0 from epel-testing does the same (just upgraded to try).


#3

Could you give us the contents of /etc/letsencrypt/cli.ini and/or the relevant configuration file in /etc/letsencrypt/renewal/?


#4

/etc/letsencrypt/cli.ini

  $ cat /etc/letsencrypt/cli.ini
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = xxxxxxxxx@xxxxx.com
text = True
authenticator = webroot
webroot-path = /var/www/domains
agree-tos = True
renew-by-default = True

A selection renewal (they’re all pretty much the same)

# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/ianwinter.co.uk/cert.pem
privkey = /etc/letsencrypt/live/ianwinter.co.uk/privkey.pem
chain = /etc/letsencrypt/live/ianwinter.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/ianwinter.co.uk/fullchain.pem
version = 0.11.1
archive_dir = /etc/letsencrypt/archive/ianwinter.co.uk

# Options and defaults used in the renewal process
[renewalparams]
installer = None
authenticator = webroot
account = xxxx
rsa_key_size = 4096
post_hook = systemctl restart nginx
server = https://acme-v01.api.letsencrypt.org/directory
webroot_path = /var/www/domains,
[[webroot_map]]
www.ianwinter.co.uk = /var/www/domains
ianwinter.co.uk = /var/www/domains

I’ve tried taking the version out, matching the version to 0.12.0 and remove the renew_before_expiry commented line - same behaviour.


#5

There’s also the renew-by-default in cli.ini :wink:


#6

Ah OK, so that’s saying renew anyway rather than check the expiry?

This is the first server that’s had the RPM version, I started way back on a 0.7 I think so guess it’s dodgy old config.

Bingo, take it out and it works. Thanks (and sorry) for the blindingly obvious point out!!!


#7

Correct.

Perhaps… I’m checking the EPEL package anyway, I doubt it’s the case, but perhaps something weird got into their default cli.ini


#9

Can’t find any reference other than /examples/cli.ini in the EPEL packages of certbot, so I’m inclined to say it has something to do with old configs indeed :slight_smile:


#10

Awesome, thanks for the assistance and apologies again for the time waste.


#11

No need for that, you had a sincere problem with a cause which is easily overlooked :slight_smile:


#12

Because this wasn’t so obvious before, we changed the name of this option to --force-renewal, but the old name is still accepted.

If you have some old documentation that uses the old name, could you tell us where you found it? Maybe we can ask for it to be updated somehow.


#13

Honestly not sure where it would have come from. If I recall correctly I started using the letsencrypt-auto client back, probably around 0.7, I suspect I just built that config by hand - might have been on the old readthedocs pages at the time, or, from the forums.

--force-renewal certainly makes it clearer though.

Again, that’s for the help.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.