Changing --webroot_path configuration before renewal?



We’re evaluating whether certbot will suit our needs for issuing certificates in a shared hosting environment.

In our configuration, there are cases when the Document Root for a domain name may change after a certificate has been issued. In order to support automatic cert renewal, we would like to be able to update the configured --webroot-path for a domain name without reissuing or renewing a certificate for that domain name.

Is there a way to use certbot to modify the stored renewal configuration without actually renewing a certificate?

Nothing we’ve tried so far works, and nothing in the documentation suggests this is possible, but I wanted to be absolutely sure we aren’t missing something.




There is no way to use Certbot to do this (the only time it saves an update to the configuration is when actually obtaining a certificate). But you should be able to directly edit the renewal configuration file in /etc/letsencrypt/renewal, which is where Certbot obtains the webroot path from.


Nothing sed can’t handle, I reckon :wink:



Yes, we can modify config files in place since it’s necessary, but if there was a better tool for the job I’d prefer to use that. Direct file modification is fragile in the face of config format changes.


If you want to do your own Python scripting, we can describe how to use the configobj library that Certbot uses internally for this. But I’m sorry to say that Certbot doesn’t expose any kind of API for this task.



I will be looking into how to use the Python library for this, so if you have any pointers that would be greatly appreciated. We’re not a native Python shop, so we’ll be weighing the cost of maintaining Python code with the cost of updating our own code if the config format ever changes.


In the current format, it looks something like this:

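```python
import configobj

# Load the renewal configuration file for the certificate
renewal_config = configobj.ConfigObj("/etc/letsencrypt/renewal/")
# Update the stored webroot path
renewal_config["renewalparams"]["webroot_path"] = "/new/webroot/path"
# Save the change back to the same file
renewal_config.write()
```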

This would need to be run as a user with permission to write to the renewal configuration file, or else you’ll get an IOError in response to the .write() call.

Also, this doesn’t include any kind of error checking, just shows the basic operations that need to be performed in order to update the webroot_path.

It’s true that if the underlying configuration file format used by Certbot changed, this might no longer work, though I can point out that we’ve been reluctant to make such changes because of the problems they might pose to backwards compatibility. (Also, you’ll want to be sure that configuration files that you update this way use webroot_path and not webroot_map.)



Reading the configobj docs, it looks like this is not a widely used config format, though it is very similar to .ini format.

My current testing conf file contains both a webroot_path and a webroot_map, so I’ll need to make sure to update them both.


I think the webroot_map will appear as a Python dict object (corresponding to an associative array, hash, map, or hashmap from other programming languages’ terminology).

