Changing authenticator from Manual to nginx

Hey Everyone!

I originally installed certs on a particular system with certbot in manual mode. Situations have changed with that server and I’d like to do renewals with the nginx plugin. I’m not sure what the best practice is for this. Can I run certbot commands to make the needed changes? I can’t seem to find the best instructions if so.

I’m willing to do .conf file changes, but I’m curious if I can do something like revoke the current certificates, then run $ sudo certbot --nginx to get a new certificate? Are there any potential issues with this approach?

Thank you very much!

-Ken

My domain is: language.cs.ucdavis.edu

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Do not revoke certificates.

I guess you can just do certbot renew --nginx --dry-run and see what happens. :wink:

I’ve tried some variations on that idea, but here’s what happens. I put a configuration file I thought might be helpful, below.

Thanks for responding!

```
$ sudo certbot renew --nginx --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/language.cs.ucdavis.edu.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (language.cs.ucdavis.edu) from /etc/letsencrypt/renewal/language.cs.ucdavis.edu.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/language.cs.ucdavis.edu/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/language.cs.ucdavis.edu/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)
```

```
$ cat /etc/letsencrypt/renewal/language.cs.ucdavis.edu.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/language.cs.ucdavis.edu
cert = /etc/letsencrypt/live/language.cs.ucdavis.edu/cert.pem
privkey = /etc/letsencrypt/live/language.cs.ucdavis.edu/privkey.pem
chain = /etc/letsencrypt/live/language.cs.ucdavis.edu/chain.pem
fullchain = /etc/letsencrypt/live/language.cs.ucdavis.edu/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxx REVOKED xxxxxxxx
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
```

Well, the nginx plugin only supports http-01. Maybe add --preferred-challenges=http too? (I don't know if this option will be understood.)

I don't know what that means... perhaps "REDACTED" ???

If you think they are causing you any trouble, you could just delete those lines and they will "grow back" on the next successful renewal/issuance.


Sorry, yes I had REVOKED on the mind, that should be REDACTED :slight_smile:

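An added example, not part of the thread and not Certbot's own code: it reads a renewal file and reports which saved `pref_challs` entries the chosen authenticator cannot answer, which is the mismatch behind the "None of the preferred challenges are supported" error above. The function names, the `example.org` sample and the `manual` entry in the support table are assumptions of this example; the `nginx` entry is what the thread states.

```python
import configparser

# Challenge types each authenticator can answer. The nginx entry is what the
# thread states; the manual entry is an assumption of this example.
SUPPORTED = {"nginx": {"http-01"}, "manual": {"http-01", "dns-01"}}

# Constructed sample modelled on the renewal file posted in the thread.
SAMPLE = """\
# renew_before_expiry = 30 days
version = 0.31.0
cert = /etc/letsencrypt/live/example.org/cert.pem

# Options used in the renewal process
[renewalparams]
account = REDACTED
pref_challs = dns-01,
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
"""


def renewal_params(text):
    """Return the [renewalparams] section of a renewal file as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    # Keys before the first section header need a dummy section for configparser.
    cp.read_string("[top]\n" + text)
    return dict(cp["renewalparams"]) if cp.has_section("renewalparams") else {}


def unsupported_challenges(params, authenticator=None):
    """Saved pref_challs that the (optionally overridden) authenticator cannot do."""
    auth = authenticator or params.get("authenticator", "")
    if auth not in SUPPORTED:
        raise ValueError(f"authenticator not covered by this example: {auth!r}")
    # pref_challs is a comma-separated list, often with a trailing comma.
    prefs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    return [c for c in prefs if c not in SUPPORTED[auth]]


if __name__ == "__main__":
    params = renewal_params(SAMPLE)
    # As saved (manual + dns-01) there is no mismatch.
    print("manual:", unsupported_challenges(params))
    # Overriding only the authenticator, as --nginx does, leaves dns-01 behind.
    print("nginx: ", unsupported_challenges(params, "nginx"))
```

An empty list for the authenticator you intend to renew with means the saved challenge preference no longer blocks the renewal.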