Certbot ignores flags

Certbot is ignoring command line flags: I tell it to only create a cert and do DNS validation, and it is running apache2ctl for some reason and not doing DNS auth.

My domain is: solprime.net

I ran this command:
certbot certonly -d 'solprime.net,*.solprime.net' --preferred-challenges dns
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.

Usage: /usr/sbin/apache2 [-D name] [-d directory] [-f file]
[-C "directive"] [-c "directive"]
[-k start|restart|graceful|graceful-stop|stop]
[-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
-D name : define a name for use in directives
-d directory : specify an alternate initial ServerRoot
-f file : specify an alternate ServerConfigFile
-C "directive" : process directive before reading config files
-c "directive" : process directive after reading config files
-e level : show startup errors of level (see LogLevel)
-E file : log startup errors to file
-v : show version number
-V : show compile settings
-h : list available command line options (this page)
-l : list compiled in modules
-L : list available configuration directives
-t -D DUMP_VHOSTS : show parsed vhost settings
-t -D DUMP_RUN_CFG : show parsed run settings
-S : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
-t -D DUMP_MODULES : show all loaded modules
-M : a synonym for -t -D DUMP_MODULES
-t -D DUMP_INCLUDES: show all included configuration files
-t : run syntax check for config files
-T : start without DocumentRoot(s) check
-X : debug mode (only one worker, do not detach)

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): c
Could not choose appropriate plugin: authenticator could not be determined or is not installed
authenticator could not be determined or is not installed

My web server is (include version): Not supposed to matter

The operating system my web server runs on is (include version): Gentoo

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0.dev0

You also have to pass an argument telling it to use a different plugin. For example, to use the dns-nsone plugin for the DNS company NS1 (and not automatically configure your web server), you might use:

sudo certbot certonly --dns-nsone --dns-nsone-credentials ~/.secrets/certbot/nsone.ini -d example.com

It’s not relevant to your question, but shouldn’t a newer version be available?

What is the option for me to create the records? I don’t want certbot to touch anything that isn’t the certs it’s responsible for. I’ll create the config, I’ll create the validation, it just needs to do its certs.

You can use the manual plugin, then.

We would encourage you to use a configuration that allows automated renewal, especially since Let’s Encrypt certificates are valid for only 90 days, but it’s your choice.

Certbot also has a plugin for Route 53 (but I’m not sure it’s packaged on Gentoo).

Why can’t the manual auto-renew? I’m not going to delete the _acme-challenge record?

Hi @sidusnare

please read

New order -> new token -> new _acme-challenge - record.

You don’t want to do that manually every 60 - 85 days.

Not officially, but there does exist an overlay (a little bit comparable to PPAs) with ebuilds for the DNS plugins. Edit: or perhaps an ebuild. Can’t find one with all the plugins.

Info about overlays: https://wiki.gentoo.org/wiki/Layman (Layman is a very handy tool to manage overlays)

For NSOne there does exist an official package: https://packages.gentoo.org/packages/app-crypt/certbot-dns-nsone

@sidusnare Does your DNS provider have some kind of API? See this list of supported DNS providers (i.e., those for which a certbot plugin exists) in the certbot documentation: https://certbot.eff.org/docs/using.html#dns-plugins
If your DNS provider isn’t listed or doesn’t provide an API for which a plugin exists (RFC 2136), you’ll need to use the manual plugin with -a manual.
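As an added illustration of the two points above (new order means a new _acme-challenge record, and the manual plugin leaves publishing that record to you), this is not code from the thread or from certbot: it derives the DNS-01 TXT record name and value the way RFC 8555 §8.4 and RFC 7638 define them, from the per-order token and the account key thumbprint. The JWK and tokens are constructed placeholders; only the two identifiers come from the asker's -d argument.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members,
    lexicographically ordered, no whitespace. Extra members (kid, alg) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record_name(identifier: str) -> str:
    """A wildcard and its base name are both validated at the same label,
    so 'solprime.net' and '*.solprime.net' need two TXT records at one name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint)). The CA issues a fresh
    token for every authorization, which is why renewal needs a new record each time."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_records(identifiers, tokens, jwk) -> dict:
    """Group the TXT values to publish by record name, one token per identifier."""
    records: dict = {}
    for ident, token in zip(identifiers, tokens):
        records.setdefault(dns01_record_name(ident), []).append(dns01_txt_value(token, jwk))
    return records


# Constructed sample data (not from the thread): "n" is a placeholder, not a real modulus,
# and the tokens stand in for what the CA would return in the order's authorizations.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"placeholder-modulus-bytes")}
SAMPLE_IDENTIFIERS = ["solprime.net", "*.solprime.net"]
SAMPLE_TOKENS = ["constructed-token-A-0123456789abcdef", "constructed-token-B-fedcba9876543210"]

if __name__ == "__main__":
    for name, values in dns01_records(SAMPLE_IDENTIFIERS, SAMPLE_TOKENS, SAMPLE_JWK).items():
        for value in values:
            print(f'{name}. 300 IN TXT "{value}"')
```

Because both identifiers map to one name, a zone that can hold only one TXT per name will fail one of the two authorizations; a renewal tool or hook has to publish both values and remove them afterwards.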
