My original question is still not quite answered. I am not trying to renew certificates, I am trying to recreate them after deleting them. I have a case where a customer of mine decides to delete a domain which I am hosting for them, so I run certbot delete -n --cert-name theirdomain.com
A few hours later, the customer returns and so I re-run the original certbot certonly --manual --preferred-challenges=http --email certs@maxant.ch --agree-tos --manual-public-ip-logging-ok --non-interactive --manual-auth-hook mycertbot-authenticator.sh --manual-cleanup-hook mycertbot-cleanup.sh -d theirdomain.com (with or without --force-renewal).
The point is that I deleted the certificate when they left. And now that they are returning, I want to recreate the certificates since they are no longer on my disk.
What is the correct process for doing that? As I originally said, the cleanup script is not called when I recreate the certificates. I tested this with other domain names, not just "refimpl.maxant.ch". See crt.sh | refimpl3.maxant.ch - the first certificate was created "when the customer first hosted their domain on my server" and the second one after I removed the certificates and tried to recreate them, "when the customer returned".
certbot logs:
2023-03-07 22:40:15,123:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-07 22:40:15,124:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-07 22:40:15,124:DEBUG:certbot._internal.main:Arguments: ['--manual', '--preferred-challenges=http', '--email', 'certs@maxant.ch', '--agree-tos', '--manual-public-ip-logging-ok', '--non-interactive', '--force-renewal', '--manual-auth-hook', 'certbot-authenticator.sh', '--manual-cleanup-hook', 'certbot-cleanup.sh', '-d', 'refimpl3.maxant.ch']
...
NOW MY CLEANUP SCRIPT RUNS
2023-03-07 22:40:28,109:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-03-07 22:40:28,110:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-03-07 22:40:28,110:INFO:certbot.compat.misc:Running manual-cleanup-hook command: certbot-cleanup.sh
2023-03-07 22:40:28,124:DEBUG:certbot._internal.display.obj:Notifying user: Hook '--manual-cleanup-hook' for refimpl3.maxant.ch ran with output:
certbot-cleanup> cleanup is running for refimpl3.maxant.ch
...
2023-03-07 22:40:29,982:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/refimpl3.maxant.ch/fullchain.pem
Key is saved at: /etc/letsencrypt/live/refimpl3.maxant.ch/privkey.pem
This certificate expires on 2023-06-05.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
2023-03-07 22:40:29,984:DEBUG:certbot._internal.display.obj:Notifying user: If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
...
NOW THE REMOVAL STARTS, about 90 seconds later:
2023-03-07 22:41:54,647:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-07 22:41:54,647:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-07 22:41:54,647:DEBUG:certbot._internal.main:Arguments: ['-n', '--cert-name', 'refimpl3.maxant.ch']
2023-03-07 22:41:54,647:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-07 22:41:54,656:DEBUG:certbot._internal.log:Root logging level set at 30
2023-03-07 22:41:54,657:INFO:certbot._internal.storage:Removed /etc/letsencrypt/renewal/refimpl3.maxant.ch.conf
2023-03-07 22:41:54,657:DEBUG:certbot._internal.storage:Removed /etc/letsencrypt/live/refimpl3.maxant.ch/cert.pem
2023-03-07 22:41:54,657:DEBUG:certbot._internal.storage:Removed /etc/letsencrypt/live/refimpl3.maxant.ch/privkey.pem
2023-03-07 22:41:54,657:DEBUG:certbot._internal.storage:Removed /etc/letsencrypt/live/refimpl3.maxant.ch/chain.pem
2023-03-07 22:41:54,657:DEBUG:certbot._internal.storage:Removed /etc/letsencrypt/live/refimpl3.maxant.ch/fullchain.pem
2023-03-07 22:41:54,657:DEBUG:certbot._internal.storage:Removed /etc/letsencrypt/live/refimpl3.maxant.ch/README
2023-03-07 22:41:54,657:DEBUG:certbot._internal.storage:Removed /etc/letsencrypt/live/refimpl3.maxant.ch
2023-03-07 22:41:54,658:DEBUG:certbot._internal.storage:Removed /etc/letsencrypt/archive/refimpl3.maxant.ch
2023-03-07 22:41:54,658:DEBUG:certbot._internal.display.obj:Notifying user: Deleted all files relating to certificate refimpl3.maxant.ch.
NOW THE RECREATION STARTS, 22 seconds later:
2023-03-07 22:42:16,385:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-07 22:42:16,386:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-07 22:42:16,386:DEBUG:certbot._internal.main:Arguments: ['--manual', '--preferred-challenges=http', '--email', 'certs@maxant.ch', '--agree-tos', '--manual-public-ip-logging-ok', '--non-interactive', '--force-renewal', '--manual-auth-hook', 'certbot-authenticator.sh', '--manual-cleanup-hook', 'certbot-cleanup.sh', '-d', 'refimpl3.maxant.ch']
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2023-03-07 22:42:19,850:DEBUG:acme.client:Storing nonce: C878sA-WK58f8FIBBTBTU-FkIt8fKHjmZppPzmXEQe5VnFY
2023-03-07 22:42:19,854:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/archive/refimpl3.maxant.ch.
2023-03-07 22:42:19,855:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/live/refimpl3.maxant.ch.
2023-03-07 22:42:19,855:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/live/refimpl3.maxant.ch/cert.pem.
2023-03-07 22:42:19,856:DEBUG:certbot._internal.storage:Writing private key to /etc/letsencrypt/live/refimpl3.maxant.ch/privkey.pem.
2023-03-07 22:42:19,856:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/live/refimpl3.maxant.ch/chain.pem.
2023-03-07 22:42:19,856:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/live/refimpl3.maxant.ch/fullchain.pem.
2023-03-07 22:42:19,856:DEBUG:certbot._internal.storage:Writing README to /etc/letsencrypt/live/refimpl3.maxant.ch/README.
2023-03-07 22:42:19,871:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer <certbot._internal.cli.cli_utils._Default object at 0x7f679a2dcbb0>
2023-03-07 22:42:19,871:DEBUG:certbot._internal.cli:Var pref_challs=http (set by user).
2023-03-07 22:42:19,872:DEBUG:certbot._internal.cli:Var authenticator=manual (set by user).
2023-03-07 22:42:19,872:DEBUG:certbot._internal.cli:Var manual_auth_hook=certbot-authenticator.sh (set by user).
2023-03-07 22:42:19,872:DEBUG:certbot._internal.cli:Var manual_cleanup_hook=certbot-cleanup.sh (set by user).
2023-03-07 22:42:19,873:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/refimpl3.maxant.ch.conf.
2023-03-07 22:42:19,883:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/refimpl3.maxant.ch/fullchain.pem
Key is saved at: /etc/letsencrypt/live/refimpl3.maxant.ch/privkey.pem
This certificate expires on 2023-06-05.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
2023-03-07 22:42:19,885:DEBUG:certbot._internal.display.obj:Notifying user: If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
As you can see almost at the end, the cleanup script is even referenced. But it is not called. My cleanup script logs stuff that is displayed the first time round, but not the second time around.
Perhaps it is necessary to revoke the certificate, instead of just deleting it locally?
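
An added example, not part of the original post and not certbot's own code: a small Python check that splits a certbot debug log like the one above into invocations and reports every run that was passed --manual-cleanup-hook and obtained a certificate without the hook ever being executed. The sample log is constructed in the same format, example.org is a placeholder, and the function names are hypothetical.

```python
import re

# "<date> <time>,<ms>:<LEVEL>:<logger>:<message>", as in the log quoted above
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:\w+:[\w.]+:(.*)$")
HOOK_RE = re.compile(r"Running (manual-[\w-]+) command:")
MARKERS = {"Successfully received certificate": "issued",
           "Deleted all files relating to certificate": "deleted"}

def split_runs(log_text):
    """Group log lines into certbot invocations and record what each one did."""
    runs = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        msg = m.group(2) if m else raw  # untimestamped lines continue a message
        if m and msg.startswith("certbot version:"):
            runs.append({"started": m.group(1), "args": "", "events": set()})
        if not runs:
            continue  # nothing to attach lines to before the first invocation
        run = runs[-1]
        run["events"].update(HOOK_RE.findall(msg))
        run["events"].update(ev for text, ev in MARKERS.items() if text in msg)
        if msg.startswith("Arguments: "):
            run["args"] = msg  # kept as text so a wrapped line cannot break parsing
    return runs

def issued_without_cleanup(runs):
    """Runs given --manual-cleanup-hook that got a certificate but never ran the hook."""
    return [r for r in runs
            if "--manual-cleanup-hook" in r["args"] and "issued" in r["events"]
            and "manual-cleanup-hook" not in r["events"]]

ARGS = "['--manual', '--manual-cleanup-hook', 'certbot-cleanup.sh', '-d', 'example.org']"
# Constructed sample in the format of the log above; example.org is a placeholder.
SAMPLE = f"""\
2023-03-07 22:40:15,123:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-07 22:40:15,124:DEBUG:certbot._internal.main:Arguments: {ARGS}
2023-03-07 22:40:28,110:INFO:certbot.compat.misc:Running manual-cleanup-hook command: certbot-cleanup.sh
2023-03-07 22:40:29,982:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
2023-03-07 22:41:54,647:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-07 22:41:54,658:DEBUG:certbot._internal.display.obj:Notifying user: Deleted all files relating to certificate example.org.
2023-03-07 22:42:16,385:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-07 22:42:16,386:DEBUG:certbot._internal.main:Arguments: {ARGS}
2023-03-07 22:42:19,883:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
"""

if __name__ == "__main__":
    print([r["started"] for r in issued_without_cleanup(split_runs(SAMPLE))])
```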