The issue is that acme challenge file is created only for the first time I execute the --dry-run. The next times are not created. This happens each time I use a new subdomain to issue its certificate. All of them are created the acme challenge file for only the first time I run the --dry-run parameter. The next times are not created. So, after testing with --dry-run, If I try to run to issue the certificate with no --dry-run parameter, the acme challenge file is not created
My domain is: upload-dev.comunidad.click
I ran this command: sudo certbot certonly --webroot --agree-tos --no-eff-email --email myemail@gmail.com --webroot-path /var/www/letsencrypt -d upload-dev.comunidad.click --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
IMPORTANT NOTES:
- The dry run was successful.
But must produce this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for upload-dev.comunidad.click
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
- The dry run was successful.
My web server is (include version):
Nginx 1.14
The operating system my web server runs on is (include version):
Ubuntu 18.04.2 server
My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No. CLI only
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0
Let's Encrypt supports authorization reuse: After an ACME account has validated a name, for a certain amount of time -- currently 30 days -- it won't have to validate it again.
(ACME clients shouldn't rely on reuse, and must always be prepared to validate, but it's a still a pleasant optimization, even when treated as optional.)
Is it causing a problem for you? Why do you need to validate every time? Or, why do you need the challenge files to be created every time? Are you getting some kind of error?
The production environment, and the staging environment used by --dry-run, have separate databases. They don't share accounts or authorizations. That shouldn't be possible.
Certbot has an open issue and pull request about avoiding authz reuse when using --dry-run, since people usually want to use --dry-run to test validation, so avoiding validation just makes life harder.
But I don't understand why it matters to you either way.
I need to try with --dry-run because I was configuring the “well-known” nginx’s location block and I need to verify if the challenge file was created successfully. And on another server with certbot 0.28.0, the challenge file is created each time I execute with --dry-run.
