I'd like to know what parameter exactly I need to add to the [renewalparams] section in my renewal/domain.conf in order to specify a profile for the next renewal?
Hello @Goonie
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Thank you for assisting us in helping YOU!
Rather than changing config files directly, I'd recommend using the certbot reconfigure command with the new settings you want for the cert, and let it handle updating its renewal configuration itself.
Something like
certbot reconfigure --cert-name example.com --preferred-profile tlsserver
Though be warned I haven't actually tried it.
I just tried it and it did not work. Seems it should but didn't.
Worse, I re-ran my original certonly --webroot ... command with --required-profile tlsserver
It created a cert with that profile but did not update the renewal config file.
So, bug in Certbot, and I just noticed it was reported last week at their GitHub.
Thanks for the hint, I didn't know about the reconfigure command. However, it yields:
No changes were made to the renewal configuration.
Maybe that's a symptom of the bug MikeMcQ mentioned below. I'll investigate.