Certbot Plopping Renewals into /

My domain is:

delphi-real-estate.com

I ran this command:

certbot certonly --standalone --agree-tos --email colony.three@protonmail.ch --renew-by-default --domains delphi-real-estate.com --csr /etc/letsencrypt/csr-delphi-real-estate.com.csr --keep

It produced this output:

Aug 22 09:03:46 quantum.darkmatter.org letsencrypt-renew[2075]: + certbot certonly --standalone --agree-tos --email colony.three@protonmail.ch --renew-by-default --domains delphi-real-estate.com --csr /etc/letsencrypt/csr-delphi-real-estate.com.csr --keep
Aug 22 09:03:46 quantum.darkmatter.org letsencrypt-renew[2075]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Aug 22 09:03:47 quantum.darkmatter.org letsencrypt-renew[2075]: Plugins selected: Authenticator standalone, Installer None
Aug 22 09:03:47 quantum.darkmatter.org letsencrypt-renew[2075]: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Aug 22 09:03:49 quantum.darkmatter.org letsencrypt-renew[2075]: Performing the following challenges:
Aug 22 09:03:49 quantum.darkmatter.org letsencrypt-renew[2075]: tls-sni-01 challenge for delphi-real-estate.com
Aug 22 09:03:49 quantum.darkmatter.org letsencrypt-renew[2075]: tls-sni-01 challenge for www.delphi-real-estate.com
Aug 22 09:03:49 quantum.darkmatter.org letsencrypt-renew[2075]: Waiting for verification...
Aug 22 09:03:53 quantum.darkmatter.org letsencrypt-renew[2075]: Cleaning up challenges
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: Server issued certificate; certificate written to /0002_cert.pem
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: Cert chain written to
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: Cert chain written to
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: IMPORTANT NOTES:
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: - Congratulations! Your certificate and chain have been saved at:
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: /0005_chain.pem
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: Your cert will expire on 2018-11-20. To obtain a new or tweaked
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: version of this certificate in the future, simply run certbot
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: again. To non-interactively renew all of your certificates, run
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: "certbot renew"
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: - If you like Certbot, please consider supporting our work by:
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation
Aug 22 09:03:55 quantum.darkmatter.org letsencrypt-renew[2075]: + '[' '!' -f -o '!' -f -o '!' -f ']'

My web server is (include version):

httpd
Version : 2.4.6
Release : 80.el7.centos.1
Architecture: x86_64

The operating system my web server runs on is (include version):

CentOS v7.5

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

What would possess certbot to plop my renewed certs in /, with all the wrong names and no symlinks? Just barely got my renewal script running, and then finally got my systemd timer working but now this weird behavior. I am so close...

When you use the --csr option, it puts the files in the current directory and doesn't set up symlinks or automatic renewal. In the timer, the current directory must be /.

Would it be practical to stop using --csr? Recent versions of Certbot have a --reuse-key option.

The --csr option causes a lot of Certbot functions to behave differently. Usually, if you can avoid this, it’s a good idea to do so.

Yikes, there's a --reuse-key now? No more need for a .csr?

Do I need to stop Apache?

Do I dare run this with the corrected command even though I've just gotten a set of certs?

certbot certonly --standalone --agree-tos --email colony.three@protonmail.ch --renew-by-default --domains delphi-real-estate.com --reuse-key --keep

Also something seems to be wrong with my failure email function:

if [ ! -f ${FULLCHAIN} -o ! -f ${CHAIN} -o ! -f ${CERT} ]; then
cat ${OUT} | mail -s "TLS Cert Update Fail for delphi-real-estate.com" postmaster@delphi-real-estate.com
fi

"/usr/local/bin/letsencrypt-renew: line 28: [: too many arguments"

In desperation I went ahead and ran it. This time it seems to have worked but put the new certs in delphi-real-estate.com-0001
instead of delphi-real-estate.com . So nothing can find them now.

How do I set httpd and postfix to account for this incrementing directory structure?

The -0001 usually means you used a different set of (sub)domains… try certbot certificates to see what domains were on the original certificate. If you use the same set of domains it should put the cert in the same place.

If you really want to replace the existing certificate with a new one with different set of domains, you can use the --cert-name option to force it to use a particular subdirectory.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.