Certbot only create acme challenge the first time when using --dry-run

The issue is that acme challenge file is created only for the first time I execute the --dry-run. The next times are not created. This happens each time I use a new subdomain to issue its certificate. All of them are created the acme challenge file for only the first time I run the --dry-run parameter. The next times are not created. So, after testing with --dry-run, If I try to run to issue the certificate with no --dry-run parameter, the acme challenge file is not created :frowning:

My domain is:

I ran this command:
sudo certbot certonly --webroot --agree-tos --no-eff-email --email myemail@gmail.com --webroot-path /var/www/letsencrypt -d upload-dev.comunidad.click --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
- The dry run was successful.

But must produce this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for upload-dev.comunidad.click
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification…
Cleaning up challenges
- The dry run was successful.

My web server is (include version):
Nginx 1.14

The operating system my web server runs on is (include version):
Ubuntu 18.04.2 server

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No. CLI only

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Let’s Encrypt supports authorization reuse: After an ACME account has validated a name, for a certain amount of time – currently 30 days – it won’t have to validate it again.

(ACME clients shouldn’t rely on reuse, and must always be prepared to validate, but it’s a still a pleasant optimization, even when treated as optional.)

Is it causing a problem for you? Why do you need to validate every time? Or, why do you need the challenge files to be created every time? Are you getting some kind of error?

The production environment, and the staging environment used by --dry-run, have separate databases. They don’t share accounts or authorizations. That shouldn’t be possible.

Certbot has an open issue and pull request about avoiding authz reuse when using --dry-run, since people usually want to use --dry-run to test validation, so avoiding validation just makes life harder.

But I don’t understand why it matters to you either way.

I need to try with --dry-run because I was configuring the “well-known” nginx’s location block and I need to verify if the challenge file was created successfully. And on another server with certbot 0.28.0, the challenge file is created each time I execute with --dry-run.

Any way… I’ve issued the certificate for https://upload-dev.comunidad.click/ and get the error (with Firefox): PR_END_OF_FILE_ERROR

I don’t know what is the meaning, and i dont know if the problem was that the challenge file is not created to verify host.

1 Like

I have error on https://upload1-dev.comunidad.click/ because is trying to get ssl for panel-dev.comunidad.click but the configuration is:

ssl_certificate /etc/letsencrypt/live/upload1-dev.comunidad.click/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/upload1-dev.comunidad.click/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/upload1-dev.comunidad.click/fullchain.pem;

So, I dont know why is failing.

1 Like

Hi @nacesprin

did you restart your server?

What says

nginx -T
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.