Certbot renew not working when testing

Please check the options:

Use "other"

I don't see any "options" and I do not see any reference to "Other".
In what context do you mean "other"?

I see selection boxes in which I have selected Apache in the first and Ubuntu 18.04 LTS in the other. Then the page changes appearance but still no Other or Options.

There is an "Ubuntu (other)".

OK thanks!
Do I need to first uninstall certbot which I got from apt and start over with certbot-auto?
In that case will my certs disappear?

I went ahead and followed the instructions to install certbot-auto through wget.
After I was done I ran the renew command but this time using certbot-auto (which is version 0.37.1 while certbot is at 0.31.0):

$ sudo certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/svn.boberglund.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for svn.boberglund.com
Cleaning up challenges
Attempting to renew cert (svn.boberglund.com) from /etc/letsencrypt/renewal/svn.boberglund.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for svn.boberglund.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

As you can see it fails much the same as certbot did. It still seems like it won’t recognize the webroot I edited into the conf file…

The conf file (/etc/letsencrypt/renewal/svn.boberglund.com.conf) reads as follows:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/svn.boberglund.com
cert = /etc/letsencrypt/live/svn.boberglund.com/cert.pem
privkey = /etc/letsencrypt/live/svn.boberglund.com/privkey.pem
chain = /etc/letsencrypt/live/svn.boberglund.com/chain.pem
fullchain = /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem
webroot-path = /var/www/svn.boberglund.com/public_html

# Options used in the renewal process
[renewalparams]
account = b5058df1c-xxxxxx-fe263dcd9e9
pref_challs = http-01,
authenticator = webroot
webroot-path = /var/www/svn.boberglund.com/public_html
server = https://acme-v02.api.letsencrypt.org/directory

As you can see the webroot is actually entered twice in this file but it still cannot find the setting… :frowning:

cli.ini and renewal configuration files don’t use exactly the same syntax.

The file should be something like:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/svn.boberglund.com
cert = /etc/letsencrypt/live/svn.boberglund.com/cert.pem
privkey = /etc/letsencrypt/live/svn.boberglund.com/privkey.pem
chain = /etc/letsencrypt/live/svn.boberglund.com/chain.pem
fullchain = /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = b5058df1c-xxxxxx-fe263dcd9e9
pref_challs = http-01,
authenticator = webroot
webroot_path = /var/www/svn.boberglund.com/public_html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
svn.boberglund.com = /var/www/svn.boberglund.com/public_html
video.boberglund.com = /some/path

The webroot_path setting should be unnecessary if the webroot_map section is filled out for every hostname in the certificate. (Conversely, I think you can leave out the webroot_map section, but Certbot doesn’t when generating files itself.)
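An added example, not from the thread or from Certbot itself: a small Python linter for the renewal-file mistakes discussed above (cli.ini-style hyphenated keys, and hostnames with no webroot). It parses only the subset of the file syntax shown on this page; `parse`, `lint` and the sample strings are hypothetical names, and the samples are constructed from the thread's file with a placeholder account value.

```python
import re

# Constructed samples, reduced from the files in this thread (account is a placeholder).
BROKEN = """\
version = 0.31.0
webroot-path = /var/www/svn.boberglund.com/public_html
[renewalparams]
account = PLACEHOLDER
authenticator = webroot
webroot-path = /var/www/svn.boberglund.com/public_html
"""
FIXED = """\
version = 0.31.0
[renewalparams]
account = PLACEHOLDER
authenticator = webroot
[[webroot_map]]
svn.boberglund.com = /var/www/svn.boberglund.com/public_html
"""

def parse(text):
    """Parse the file subset shown above into {section_path: {key: value}}."""
    conf, path = {(): {}}, ()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\[+)\s*([^\[\]]+?)\s*(\]+)", line)
        if m:  # bracket count gives nesting depth: [a] is depth 1, [[b]] depth 2
            path = path[:len(m.group(1)) - 1] + (m.group(2),)
            conf.setdefault(path, {})
            continue
        key, _, value = line.partition("=")
        conf[path][key.strip()] = value.strip()
    return conf

def lint(text, hostnames):
    """Return findings for a webroot renewal config covering `hostnames`."""
    conf, out = parse(text), []
    for path, items in conf.items():
        if path == ("renewalparams", "webroot_map"):
            continue  # keys here are hostnames, so hyphens are legitimate
        out += [f"hyphenated key {k!r} in {'/'.join(path) or 'top level'}"
                for k in items if "-" in k]
    params = conf.get(("renewalparams",), {})
    if params.get("authenticator") == "webroot" and "webroot_path" not in params:
        wmap = conf.get(("renewalparams", "webroot_map"), {})
        out += [f"no webroot for {h}" for h in hostnames if h not in wmap]
    return out
```

Pass `lint` the text of a file under /etc/letsencrypt/renewal/ together with the hostnames on that certificate; an empty list means none of these mistakes were found, and `sudo certbot-auto renew --dry-run` remains the real test.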

Thanks a million!
After the edits you suggested the command:
sudo certbot-auto renew --dry-run
finished successfully! :slight_smile: :grin:
Last remaining item is to set up the automatic renewal which is somewhat strangely described as executing:
$ echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null
Will this actually work as a normal user, shouldn’t it be preceded by sudo?
Why is not crontab -e used instead?
And what exactly does this do?
