I’m making this post to get some information from users on how they find a current behavior of Certbot so we can potentially improve it. I’d like to hear from people what their first impressions were and if they found its current behavior intuitive or not. If you spend a lot of time helping people use Certbot, I’d like to see if you’ve talked with any users about this and what your experience was. Links to threads and conversations are very beneficial.
As you probably know, Certbot saves parameters like selected plugins, preferred challenges, RSA key size, etc. so that they can be reused during renewal. When you run certbot renew these values are picked up from the files in /etc/letsencrypt/renewal and used again to renew your certificate. This is not the case when running certbot run, or certbot without a subcommand to renew or reinstall a certificate. In this case, the values used to originally obtain the certificate are ignored and the new values from the command line are used. If a new certificate is obtained, the originally saved values are overwritten.
Do you find this behavior intuitive? Have you or someone you’ve talked to been surprised or confused by it? Possible effects of a misunderstanding here include trying to install a certificate you originally obtained for Nginx in Apache, RSA key size changing unexpectedly, dropping a pre/post/renew hook, and not remembering previously specified challenge preferences for the standalone or manual plugins.
It’s worth noting that we’ve had bugs in the past where values like --post-hook weren’t saved at all (even for certbot renew). This is not the same thing. The specific issue we’re curious about is if people are expecting previously specified values for a certificate to be used with Certbot subcommands other than
Thanks for any input people can provide here. To mention people who have personally helped a lot of Certbot users in the past: @cpu, @hyper_ch, @jmorahan, @joohoi, @jsha, @mgedmin, @mnordhoff, @Osiris, @pfg, @schoen, @serverco
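
The behavior described in the post can be checked before re-running Certbot for an existing certificate: the sketch below compares the values saved in a renewal file with a proposed command line and reports the saved settings that the command line changes or does not restate. It is an added example, not part of the original post and not Certbot's own code; the sample renewal file is constructed, the function names are hypothetical, only a subset of flags is mapped, and Python's standard configparser stands in for Certbot's own parser.

```python
import configparser

# Constructed sample of a file under /etc/letsencrypt/renewal (not from the post).
SAMPLE_CONF = """\
version = 1.0.0
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = nginx
installer = nginx
rsa_key_size = 4096
post_hook = systemctl reload nginx
"""

# Certbot flags mapped to the key each is saved under (subset, for illustration).
FLAG_TO_KEY = {
    "--authenticator": "authenticator", "-a": "authenticator",
    "--installer": "installer", "-i": "installer",
    "--rsa-key-size": "rsa_key_size", "--pre-hook": "pre_hook",
    "--post-hook": "post_hook", "--deploy-hook": "renew_hook",
}
PLUGIN_FLAGS = {"--nginx": "nginx", "--apache": "apache"}


def saved_params(conf_text):
    """Return the [renewalparams] section of a renewal file as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    # Keys such as cert/version come before any section header, which
    # configparser rejects, so park them under a dummy section.
    parser.read_string("[toplevel]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])


def cli_params(argv):
    """Collect the watched settings that a command line states explicitly."""
    params, args = {}, iter(argv)
    for arg in args:
        flag, sep, value = arg.partition("=")
        if flag in PLUGIN_FLAGS:
            params["authenticator"] = params["installer"] = PLUGIN_FLAGS[flag]
        elif flag in FLAG_TO_KEY:
            params[FLAG_TO_KEY[flag]] = value if sep else next(args, "")
    return params


def drift(conf_text, argv):
    """Map each watched key to (saved, new); new is None when not restated."""
    saved, new = saved_params(conf_text), cli_params(argv)
    watched = set(FLAG_TO_KEY.values())
    return {k: (v, new.get(k)) for k, v in saved.items()
            if k in watched and new.get(k) != v}
```

An empty result from `drift` means the command line restates every watched value exactly as saved; any entry with `None` as its second element is a saved setting, such as a hook, that the new command line leaves out.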