And I point you to a previous post:
Could you kindly confirm if this is correct, please:
- --standalone, certs get renewed automatically, but I cannot use port 80 when certs are being issued
- --manual --preferred-challenges http, certbot not using any ports, requires /.well-known..., I have to renew certs manually (i.e. cron)
- --manual --preferred-challenges dns, same as above with the exception of adding a TXT record to DNS
During the installation of certbot, a systemd timer or cron job should have been created to try to automatically renew (check) twice a day.
Actual renewal attempts will only be done once the cert is nearing its expiration date.
HTTP challenges will use the HTTP port (80).
DNS challenges will check global DNS for the TXT record entries provided.
--manual means you want to interact with certbot manually (not automated).
In addition: The renewal attempts will try to reuse the last known renewal method.
If that was --manual, then it will try --manual (but fail without human input)
If that was --standalone, then it will fail (without first stopping whatever is listening on port 80)
If that was DNS, then it would fail (without an API to automatically create the TXT records)
Your best bet for automation is to use the --webroot method.
You will first need to find the root folder of your port 80 listener.
What's the complete command to execute the --webroot method, please? I can try it now to see if I can get it working.
Is there a "path" or "dir:" or "root:" entry in your run.js file?
But to answer your question, this should work:
certbot certonly --webroot -w /path/found/above -d domain.name
You have to be careful not to use the production system for these types of tests.
Instead, until you get it right, use the staging system with --staging or --dry-run
[or you will hit a rate limit and get blocked]
certbot certonly --webroot -w /your/root/path -d domain.name --staging
certbot certonly --webroot -w /your/root/path -d domain.name --dry-run
Thanks for the warning of --staging
Having a look for the path, run.js only contains:
require('./db')
require('./server')
front-end is located /home/jet/public/index.html
That looks promising.
You can test that path out with:
- place a test text file there
echo "test file at root" | sudo tee -a /home/jet/public/test-file - then try (from the Internet) http://your.domain/test-file
If that works, then try the certbot with --staging (as above) and use the path /home/jet/public/
If that fails... then that is NOT the root for that domain and back to looking for the real root.
I'm using winSCP, can I add file manually to the public folder ? The ext is missing in your example
That was on purpose; as the challenge requests will come in without an extension.
The system has to be able to serve such "file types".
Send two files up:
test-file.txt
test-file
Files are up, when I browse
test-file.txt >> 'test file at root' displayed
test-file >> prompted to save/open file
hmm...
Almost perfect.
You may need to add a MIME type for this extensionless file type - but we'll come back to that.
Now you should test with:
certbot certonly --webroot -w /home/jet/public/ -d oohkitchen.co.uk --staging
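Added example (editor's code, not part of this thread or of certbot): a Python pre-flight check that automates the test described in the posts above (drop a file under the webroot, fetch it from outside, confirm the same content comes back), but under the path certbot will actually use, /.well-known/acme-challenge/<random token>, and removes the file afterwards. The webroot and base URL are arguments; /home/jet/public and oohkitchen.co.uk appear only in a usage comment. selftest() needs no real domain: it serves a temporary directory with Python's own http.server twice, once with the stock handler, which returns an extensionless file as application/octet-stream (the "prompted to save/open" symptom), and once with a handler that answers text/plain, and returns both results.

```python
"""Pre-flight check for certbot's --webroot authenticator (added example)."""
import contextlib
import functools
import http.server
import os
import secrets
import sys
import tempfile
import threading
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def check_webroot(webroot, base_url, timeout=10.0):
    """Write a random token file under <webroot>/.well-known/acme-challenge/,
    fetch it via <base_url>/.well-known/acme-challenge/<token> and compare.

    Returns a dict with ok (bool), status, content_type and a list of
    problems. The token file is always removed, even if the fetch fails.
    """
    token = secrets.token_urlsafe(32)           # URL-safe, no '.' so no extension
    expected = f"test file at root {token}\n"
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    token_path = os.path.join(challenge_dir, token)
    with open(token_path, "w", encoding="utf-8") as fh:
        fh.write(expected)

    result = {"ok": False, "status": None, "content_type": None, "problems": []}
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            result["status"] = resp.status
            result["content_type"] = resp.headers.get("Content-Type", "")
            body = resp.read().decode("utf-8", "replace")
        if result["status"] != 200:
            result["problems"].append(f"expected HTTP 200, got {result['status']}")
        if body != expected:
            result["problems"].append(
                "served content differs from the file written: "
                f"{base_url} is probably not serving {webroot}")
    except Exception as exc:  # HTTPError (403/404), URLError, timeout
        result["problems"].append(f"fetch of {url} failed: {exc}")
    finally:
        os.remove(token_path)
    result["ok"] = not result["problems"]
    return result


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stock static-file handler with request logging silenced."""

    def log_message(self, format, *args):
        pass


class ChallengeFriendlyHandler(QuietHandler):
    """Same, but serves challenge files as text/plain instead of letting the
    extensionless name fall through to application/octet-stream."""

    def guess_type(self, path):
        if "/.well-known/acme-challenge/" in path.replace(os.sep, "/"):
            return "text/plain"
        return super().guess_type(path)


@contextlib.contextmanager
def _serve(webroot, handler_cls):
    """Serve <webroot> on an ephemeral loopback port; yields the base URL."""
    handler = functools.partial(handler_cls, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        yield f"http://127.0.0.1:{server.server_address[1]}"
    finally:
        server.shutdown()
        server.server_close()


def selftest():
    """Run check_webroot against a temporary webroot served locally, once with
    the stock handler and once with the text/plain handler.
    Returns both results keyed 'stock' and 'text_plain'."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        for name, handler_cls in (("stock", QuietHandler),
                                  ("text_plain", ChallengeFriendlyHandler)):
            with _serve(webroot, handler_cls) as base_url:
                results[name] = check_webroot(webroot, base_url)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python webroot_check.py /home/jet/public http://oohkitchen.co.uk
        outcome = check_webroot(sys.argv[1], sys.argv[2])
    else:
        outcome = selftest()
    print(outcome)
```

Run it with the webroot and the plain-http URL of the domain before trying certbot with --dry-run; with no arguments it runs selftest(). The check fails only on a missing or mismatched body, which is what the ACME validator compares; the Content-Type is reported so the download-prompt symptom from the thread is visible, and ChallengeFriendlyHandler shows what "adding a MIME type" amounts to for a server you control.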
I'm logged in as root and will try the command
root@ubuntu01:/#
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/oohkitchen.co.uk.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (may be subject to CA rate limits)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Which option should I select?
If you used it with --staging, this seems weird but use #2. (note to: @certbot-devs)
If you forgot to add --staging, just "c" cancel and try with --staging first.
I did add the --staging flag, chose option2 and got the following message:
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: oohkitchen.co.uk). We will not do that unless you use the --break-my-certs flag!
Then exited
BTW https://oohkitchen.co.uk/ is still functional
OK that is a good reason to stop.
Let's try it with a different set of name(s), so it makes a different cert.
certbot certonly --webroot -w /home/jet/public/ -d oohkitchen.co.uk,www.oohkitchen.co.uk --staging
OR
certbot certonly --webroot -w /home/jet/public/ -d www.oohkitchen.co.uk --staging
Yeah it didn't do anything at all - for good reason.
Name: oohkitchen.co.uk
Address: 161.35.175.156
Aliases: www.oohkitchen.co.uk
Now it's asking to Expand or cancel. Expand?