Certbot certonly: only renew certificate when necessary

  • My domain is: https://zw.drubn.de
  • I ran this command: certbot certonly --config="/etc/letsencrypt/cli.ini" --standalone --cert-name="zw.drubn.de" --domains="zw.drubn.de" --keep-until-expiring
  • It produced this output:
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None                      
    Obtaining a new certificate                                        
    An unexpected error occurred:                                                      
    There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: zw.drubn.de: see https://letsencrypt.org/docs/rate-limits/
    Please see the logfiles in /var/log/letsencrypt for more details.
    
  • Web server: nginx1.14.2-2+deb10u1
  • OS: Raspbian Buster
  • I can login to a root shell on my machine: :heavy_check_mark:
  • I’m using a control panel to manage my site: ✘
  • My client: certbot 0.31.0
  • /etc/letsencrypt/cli.ini
    max-log-backups = 0
    agree-tos = True
    reuse-key = True
    
    

It seems that certbot always tries to obtain a new certificate with above command despite --keep-until-expiring is explicitly set. Is there a way to run certbot certonly so that a new certificate is obtained when appropriate?

1 Like

Hi @cesta

why don’t you use

certbot renew

You can run that command two times per day. If the certificate is more then 30 days valid, nothing happens.

PS: It’s simple - that’s the wrong command.

1 Like

Good idea. I currently use certbot certonly to automatically add/remove subdomains certificated under the same certificate. But now I notice that my process is flawed, because multiple certificates are created for the same domain with identical subdomain set. I am somewhat confused now. certonly does not always ceate a new certificate configuration entry, does it?

1 Like

only when you remove domains, I think. and in no case if you specify --cert-name https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

1 Like

Thanks!

I found the bug: I mistakenly used the domain name without the number suffix as cert-name. So this worked out:

certbot certonly --config="/etc/letsencrypt/cli.ini" --standalone --cert-name="zw.drubn.de-0001" --domains="zw.drubn.de" --keep-until-expiring

(The number suffix can be found by running certbot certificates.)


The output of certbot renew originally contained (I could clear this problem up):

certbot.errors.CertStorageError: renewal config file {} is missing a required file reference                                                                                                                      
Renewal configuration file /etc/letsencrypt/renewal/zw.drubn.de.conf is broken. Skipping.

Maybe it is a bug that certbot certonly creates new configuration entries when the configuration file for the given cert-name is broken?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.