Certbot renewal for certonly --manual certs


#1

I’m using a certificate obtained with the command

certbot certonly --webroot

for multiple domain names hosted on my Debian server, each with a different document root.

During the request process, I specified all the domain names and the document roots for the .well-known directories.

My first renewal is due in a few days, and out of curiosity I peeked at the letsencrypt configuration files. I can’t find where the document roots are specified, and I’m wondering how certbot will handle the ACME authentication without this information.

Also, if I start hosting a new domain, is there a way to repeat the certificate request with the exact same settings I put in the interactive GUI the last time I ran it, but adding a new FQDN and document root, without repeating the whole interactive procedure? I’m guessing (hoping?) that certbot automatically saves the configuration somewhere.


#2

When you say “due in a few days” I hope you mean that the certificates expire in, say, October, and you plan to renew them shortly rather than that they actually expire in just a few days, as I’d recommend renewing some time before expiry in case anything goes wrong, especially the first time.

Because you used manual mode, you will need to perform all the steps again in full to “renew”. A renewed certificate is basically just a completely new certificate except it has fresh dates in it. There is no automated renewal in manual mode since “automated” and “manual” are opposites. If you want automation you will need to find a way (either with certbot or with another client) to actually automate the ACME domain validation steps. I am sorry if this wasn’t clear to you from the documentation.


#3

Yes, I meant exactly that! :)

About the renewal and the other question: I must apologize, I made an unforgivable error in my first post. I did not use the --manual flag, but the --webroot flag.

I hope both my questions make more sense now. I’m editing the original question to reflect the right situation.

EDIT: I confirm that the web roots are indeed not saved by certbot! Forcing a renew results in an error because of the missing webroots. Is there a way to save them in a configuration file somewhere or do I have to specify them in the command line?


#4

Update - I decided to request a reissue of my certificate. This time, I specified the webroots and the domain from the command line, and it correctly set up the renewal configuration file.
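Added example, not part of any post in this thread: a check that a certbot renewal file records a webroot for every domain on the certificate, which is what an unattended `certbot renew` needs. The sample file is constructed; its domains, paths and account value are placeholders, and treating a domain as covered only when it has a `[[webroot_map]]` entry is an assumption of this sketch.

```python
# Added example: constructed sample, not taken from the thread.
SAMPLE_CONF = """\
# Constructed sample modelled on /etc/letsencrypt/renewal/<cert-name>.conf
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = webroot
account = 0123456789abcdef
[[webroot_map]]
example.org = /var/www/example.org
www.example.org = /var/www/example.org
"""

def parse_renewal_conf(text):
    """Return (renewalparams dict, webroot_map dict) from renewal-file text."""
    params, webroots, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # "[renewalparams]" and the nested "[[webroot_map]]" both end up here
            section = line.strip("[]").strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if section == "renewalparams":
            params[key.strip()] = value.strip()
        elif section == "webroot_map":
            webroots[key.strip().lower()] = value.strip()
    return params, webroots

def domains_without_webroot(text, domains):
    """List the domains that an unattended webroot renewal could not validate."""
    params, webroots = parse_renewal_conf(text)
    if params.get("authenticator") != "webroot":
        # No webroot authenticator saved: none of the domains is covered.
        return sorted(d.lower() for d in domains)
    return sorted(d.lower() for d in domains if not webroots.get(d.lower()))

if __name__ == "__main__":
    wanted = ["example.org", "www.example.org", "shop.example.org"]
    for name in domains_without_webroot(SAMPLE_CONF, wanted):
        print("no webroot recorded for", name)
```

Any domain this reports needs its `-w <webroot> -d <domain>` pair given on the `certbot certonly --webroot` command line so the mapping is saved, and `certbot renew --dry-run` then exercises the saved settings without issuing a certificate.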

