It seems that our cert configuration files are all now invalid after moving LE to a new server. We have about 600 certs, so I'm not trying to make this more complex than it needs to be.
But now that we've moved our certbot to a new server, we are forwarding requests to the acme path via HAProxy to the LE server. But it seems that all of our domain configuration files have to be updated to the following:
Is my understanding correct, or is there an easy way to default the renewal to use standalone when calling:
certbot renew
We are also seeing this message, if it has any relevance. Certbot was installed via apt-get:
certbot/focal-updates,now 0.40.0-1ubuntu0.1 all [installed]
Attempting to parse the version 1.10.1 renewal configuration file found at /etc/letsencrypt/renewal/zoomiescrew.org.conf with version 0.40.0 of Certbot. This might not work.
What's the best course of action? I'm very likely missing something obvious. Should we delete and register the certs again on the new server instead of copying the entire /etc/letsencrypt directory over? Is there a way to renew each cert and update the config file, or do we have to edit the config files manually?
That sounds like multiple versions of certbot are (or have been) installed.
Please be sure to only use one version (preferably the newest one).
You haven't really explained the problem well enough for me to be able to determine any action.
There is no need to delete a cert, you can simply renew them.
Renewal can update the config; there is no need to manually edit anything.
You seem to be changing from a web service (using webroot) on port 8888 to no web service at all.
If that is the case, then copying the entire path would provide usable certs.
Then you can manually renew each cert and provide the modifications within that renewal request.
--standalone --http-01-port 80
The problem is that our certs don't renew on our new server because certbot is using the domain configuration of webroot when we've switched to using standalone on our new LE server.
I don't believe there's multiple versions. The 0.40.0 version is what was installed via Apt. The old server used certbot-auto. The version is in the configuration file. That was the version of certbot-auto on the old server.
When I ran the certbot certonly --standalone command to renew one of the domains it created a new configuration file and said it was registering a new domain. Seems like it ignored the existing config (maybe because it was webroot and not standalone?).
So, the cert wasn't renewed but rather re-registered. I'm hoping there is an action that will update all of the configuration files to use standalone instead of webroot.
You have to renew each cert by using the exact same set of names.
e.g. if www.example.com & example.com were both on the cert then use both names on the renewal request - if you try to renew using only one of those names, then a new cert will be created for the single name.
So we manually renewed a cert and the configuration was updated! This is great, thank you so much.
Now we just have to figure out how to do this effectively within the renewal period since we can only renew ~5 per 7 days according to the message from certbot if it's not close to expiry:
Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week.
Although technically correct, it seems highly unlikely (if not impossible) to renew the exact same "Duplicate Certificate" with the normal certbot renew process (without the added use of "force").
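As an added example (not from this thread or from the certbot project) tying together the advice to renew each cert with the exact same set of names and the rate-limit worry above: the script below reads the names straight from each lineage's cert.pem, builds a certbot certonly command with --standalone, --http-01-port 80 and --cert-name (so the existing lineage and its renewal config are updated rather than a new one created), and only prints commands for certs expiring within the normal 30-day window. It assumes openssl 1.1.1 or newer for -ext; LIVE_DIR and RENEW_DAYS are made-up knobs for this script, and it only prints commands, it never runs certbot itself.

```shell
#!/bin/sh
# Added example, not from the thread: print one "certbot certonly --standalone" command per
# lineage, using the exact names already on the cert and --cert-name so certbot updates the
# existing renewal config instead of creating a new one. Assumes openssl >= 1.1.1 (-ext).
set -eu

# Turn the subjectAltName text printed by openssl into a space-separated list of DNS names.
# Constructed input: "DNS:example.com, DNS:www.example.com" -> "example.com www.example.com"
# Non-DNS entries (IP Address:, the header line) are dropped.
san_to_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | tr '\n' ' ' | sed 's/ $//'
}

# Read the DNS names from a PEM certificate.
cert_names() {
    san_to_names "$(openssl x509 -in "$1" -noout -ext subjectAltName)"
}

# Build the renewal command for one lineage: $1 = lineage name, rest = DNS names.
build_certbot_cmd() {
    lineage=$1; shift
    cmd="certbot certonly --standalone --http-01-port 80 --cert-name $lineage"
    for n in "$@"; do cmd="$cmd -d $n"; done
    printf '%s\n' "$cmd"
}

# Walk every lineage and print commands only for certs that expire within RENEW_DAYS
# (default 30, certbot's own renewal window), so a bulk run stays a normal renewal
# rather than a pile of duplicate-certificate requests.
main() {
    live=${LIVE_DIR:-/etc/letsencrypt/live}
    days=${RENEW_DAYS:-30}
    for dir in "$live"/*/; do
        dir=${dir%/}
        [ -f "$dir/cert.pem" ] || continue
        name=$(basename "$dir")
        # -checkend exits 0 while the cert stays valid beyond the window: not due yet.
        if openssl x509 -in "$dir/cert.pem" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "# $name: not due within $days days, skipped" >&2
            continue
        fi
        # Word splitting of the cert_names output into separate -d arguments is intended.
        build_certbot_cmd "$name" $(cert_names "$dir/cert.pem")
    done
}

# Only touch /etc/letsencrypt when asked; review the output, then pipe it to sh.
if [ "${1:-}" = "--print" ]; then main; fi
```

Run it as `sh renew-standalone.sh --print` first and read the commands; a lineage whose names on disk no longer match what you want issued shows up immediately as a mismatched -d list.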