certbot 0.11.1 installed on a CentOS 7 server from EPEL and when I run certbot renew it continually renews the certificates, never says they're valid, yet using openssl to check the certificate on the file system they are being updated.
Version 0.12.0 from epel-testing does the same (just upgraded to try).
Could you give us the contents of /etc/letsencrypt/cli.ini and/or the relevant configuration file in
    $ cat /etc/letsencrypt/cli.ini
    rsa-key-size = 4096
    server = https://acme-v01.api.letsencrypt.org/directory
    email = email@example.com
    text = True
    authenticator = webroot
    webroot-path = /var/www/domains
    agree-tos = True
    renew-by-default = True
A selection renewal (they’re all pretty much the same)
    # renew_before_expiry = 30 days
    cert = /etc/letsencrypt/live/ianwinter.co.uk/cert.pem
    privkey = /etc/letsencrypt/live/ianwinter.co.uk/privkey.pem
    chain = /etc/letsencrypt/live/ianwinter.co.uk/chain.pem
    fullchain = /etc/letsencrypt/live/ianwinter.co.uk/fullchain.pem
    version = 0.11.1
    archive_dir = /etc/letsencrypt/archive/ianwinter.co.uk

    # Options and defaults used in the renewal process
    [renewalparams]
    installer = None
    authenticator = webroot
    account = xxxx
    rsa_key_size = 4096
    post_hook = systemctl restart nginx
    server = https://acme-v01.api.letsencrypt.org/directory
    webroot_path = /var/www/domains,
    [[webroot_map]]
    www.ianwinter.co.uk = /var/www/domains
    ianwinter.co.uk = /var/www/domains
I’ve tried taking the version out, matching the version to 0.12.0 and removing the renew_before_expiry commented line - same behaviour.
There’s also the
Ah OK, so that’s saying renew anyway rather than check the expiry?
This is the first server that’s had the RPM version, I started way back on a 0.7 I think so guess it’s dodgy old config.
Bingo, take it out and it works. Thanks (and sorry) for the blindingly obvious point out!!!
Perhaps… I’m checking the EPEL package anyway, I doubt it’s the case, but perhaps something weird got into their default
Can’t find any reference other than /examples/cli.ini in the EPEL packages of certbot, so I’m inclined to say it has something to do with old configs indeed
Awesome, thanks for the assistance and apologies again for the time waste.
No need for that, you had a sincere problem with a cause which is easily overlooked
Because this wasn’t so obvious before, we changed the name of this option to --force-renewal, but the old name is still accepted.
If you have some old documentation that uses the old name, could you tell us where you found it? Maybe we can ask for it to be updated somehow.
Honestly not sure where it would have come from. If I recall correctly I started using the letsencrypt-auto client back, probably around 0.7, I suspect I just built that config by hand - might have been on the old readthedocs pages at the time, or, from the forums.
--force-renewal certainly makes it clearer though.
Again, thanks for the help.
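The check that resolved this thread, as an added example that is not part of the original posts or of certbot itself: a small Python scanner that flags a cli.ini-style file in which `renew-by-default` or its newer name `force-renewal` is switched on. The set of values treated as "enabled" and the tolerance for underscore spellings are assumptions of this sketch; the sample input is the cli.ini posted above.

```python
import sys

# Option names taken from the thread: the old name and its clearer replacement.
FORCE_KEYS = {"renew-by-default", "force-renewal"}
# Assumption: these values (case-insensitive) count as "enabled".
TRUTHY = {"true", "yes", "on", "1"}

# Constructed sample: the cli.ini from the thread, one option per line.
SAMPLE_CLI_INI = """\
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = email@example.com
text = True
authenticator = webroot
webroot-path = /var/www/domains
agree-tos = True
renew-by-default = True
"""


def find_forced_renewal(text):
    """Return (line_number, option) for each enabled force-renewal option."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower().replace("_", "-")  # accept underscore spellings too
        if key in FORCE_KEYS and value.lower() in TRUTHY:
            hits.append((lineno, key))
    return hits


if __name__ == "__main__":
    # With no arguments, scan the embedded sample; otherwise scan the given files.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_CLI_INI)]
    for name, text in sources:
        for lineno, key in find_forced_renewal(text):
            print(f"{name}:{lineno}: '{key}' is enabled; every 'certbot renew' "
                  "run will reissue regardless of expiry")
```

Run against `/etc/letsencrypt/cli.ini` on hosts that have carried their configuration across client versions; a hit explains certificates being reissued on every scheduled run.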