My crontab has the following entry:
0 6 * * * /etc/letsencrypt/certbot-auto renew --text >> /etc/letsencrypt/certbot/certbot-cron.log && sudo service nginx reload
However, doing a dry run gave me the following errors:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for macquarierealestate.com
http-01 challenge for www.macquarierealestate.com
Using the webroot path /data/test/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0029_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0029_csr-certbot.pem
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/swoose.com.au.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/cfz.com.au.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/swoose.net.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/macquarierealestate.com/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/swoose.com.au/fullchain.pem (failure)
/etc/letsencrypt/live/cfz.com.au/fullchain.pem (failure)
/etc/letsencrypt/live/swoose.net/fullchain.pem (failure)
I don't understand why, with certbot-auto enabled, one certificate is OK but the remainder (all on the same webserver) aren't OK…?
Hmm, well the one that's working is using webroot, maybe the others are using the nginx authenticator. But certbot-auto should have updated itself to a version where that won't matter. Did you disable its self-upgrade functionality somehow? Perhaps in /etc/letsencrypt/cli.ini?
Switching the authenticator to webroot should work, but it might be a bit complicated since you've explicitly set a webroot in cli.ini for some reason, so unless all your domains use the same webroot, you'll have to remove that and set the webroot for each site in its own renewal configuration instead.
It would probably be better to get certbot-auto to upgrade itself, if you can, though I'm not sure what else to suggest as that's supposed to happen automatically.
Changed all the confs to use webroot and grep still shows nothing, but:
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/macquarierealestate.com/fullchain.pem (success)
/etc/letsencrypt/live/swoose.com.au/fullchain.pem (success)
/etc/letsencrypt/live/cfz.com.au/fullchain.pem (success)
/etc/letsencrypt/live/swoose.net/fullchain.pem (success)
So I assume that it wanted webroot as an authenticator...?
Should I remove the entry in /etc/letsencrypt/cli.ini?
[EDIT]
Removed the entry and then authentication failed with:
Attempting to renew cert from /etc/letsencrypt/renewal/cfz.com.au.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for cfz.com.au:
Choices: ['Enter a new webroot']
(You can set this with the --webroot-path flag). Skipping.
Even though there is a webroot_path = /data/test/www, in the conf, so I have put it back in the cli.ini
That doesn't look like a recent version of Certbot. Those two messages got downgraded to a lower log level or removed like last year...
/etc/letsencrypt/renewal/ configuration files using the webroot plugin have a whole [[webroot_map]] section. I don't think they use webroot_path at all.
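The two replies above both come down to the same question: which authenticator each file under /etc/letsencrypt/renewal/ selects, and whether a webroot conf carries its own [[webroot_map]] section rather than relying on a global webroot in cli.ini. The script below is an added example (not code from either poster or from certbot itself) that audits a renewal directory for exactly that. It assumes the renewal conf layout certbot writes (a [renewalparams] section with an `authenticator = ...` line, and a nested `[[webroot_map]]` section for the webroot plugin); the three sample confs it creates are constructed for the demonstration and are not the poster's real files.

```sh
#!/bin/sh
# Added example: audit certbot renewal confs for authenticator and webroot_map.
# Assumes certbot's renewal conf layout ([renewalparams] with "authenticator = ..."
# and a nested "[[webroot_map]]" section). Sample confs below are constructed.

# Print "<name> <authenticator> <has_webroot_map>" for one renewal conf.
audit_conf() {
    conf="$1"
    name=$(basename "$conf" .conf)
    auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$auth" ] || auth="(none)"
    if grep -q '^\[\[webroot_map\]\]' "$conf"; then
        map=yes
    else
        map=no
    fi
    printf '%s %s %s\n' "$name" "$auth" "$map"
}

# Audit every *.conf in a directory. A conf that selects the webroot
# authenticator but has no [[webroot_map]] section is flagged, because
# renewal would then depend on a global webroot-path (e.g. in cli.ini).
audit_dir() {
    dir="$1"
    for f in "$dir"/*.conf; do
        set -- $(audit_conf "$f")
        case "$2:$3" in
            webroot:no) printf '%s %s %s NEEDS_WEBROOT_MAP\n' "$1" "$2" "$3" ;;
            *)          printf '%s %s %s ok\n' "$1" "$2" "$3" ;;
        esac
    done
}

# Create three constructed renewal confs in a temp dir and print its path:
# one webroot conf with a map, one nginx-authenticator conf, and one webroot
# conf that has no [[webroot_map]] (the case the audit flags).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/example.com.conf" <<'EOF'
version = 0.12.0
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = webroot
account = 0123456789abcdef
[[webroot_map]]
example.com = /var/www/example
www.example.com = /var/www/example
EOF
    cat > "$dir/example.net.conf" <<'EOF'
version = 0.12.0
[renewalparams]
authenticator = nginx
installer = nginx
EOF
    cat > "$dir/example.org.conf" <<'EOF'
version = 0.12.0
[renewalparams]
authenticator = webroot
EOF
    echo "$dir"
}

# Stand-alone demo on the constructed samples; point audit_dir at
# /etc/letsencrypt/renewal to run it against a real installation.
demo_dir=$(make_samples)
audit_dir "$demo_dir"
rm -rf "$demo_dir"
```

Run it as root (or any user that can read the renewal directory) with `audit_dir /etc/letsencrypt/renewal`; a line ending in NEEDS_WEBROOT_MAP is a certificate whose renewal will only work while a global webroot is set somewhere such as cli.ini.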