Config files invalid after moving LE to a new server

It seems that our cert configuration files are all now invalid after moving LE to a new server. We have about 600 certs, so I'm not trying to make this more complex than it needs to be.

Our old server used:

http01_port = 8888
authenticator = webroot
webroot_path = /path/to/dir

But now that we've moved our certbot to a new server, we are forwarding requests to the acme path via HAProxy to the LE server. But it seems that all of our domain configuration files have to be updated to the following:

http_01_port = 80
authenticator = standalone
#webroot_path

Is my understanding correct, or is there an easy way to default the renewal to use standalone when calling:

certbot renew

We are also seeing this message, if it has any relevance. Certbot was installed via apt get:

certbot/focal-updates,now 0.40.0-1ubuntu0.1 all [installed]

Attempting to parse the version 1.10.1 renewal configuration file found at /etc/letsencrypt/renewal/zoomiescrew.org.conf with version 0.40.0 of Certbot. This might not work.

What's the best course of action? I'm very likely missing something obvious. Should we delete and register the certs again on the new server instead of copying the entire /etc/letsencrypt directory over? Is there a way to renew each cert and update the config file, or do we have to edit the config files manually?

Thanks for your help.

That sounds like multiple versions of certbot are (or have been) installed.
Please be sure to only use one version (preferably the newest one).

You haven't really explained the problem well enough for me to be able to determine any action.

There is no need to delete a cert, you can simply renew them.

Renewal can update the config; there is no need to manually edit anything.

You seem to be changing from a web service (using webroot) on port 8888 to no web service at all.
If that is the case, then copying the entire path would provide usable certs.
Then you can manually renew each cert and provide the modifications within that renewal request.
--standalone --http-01-port 80

1 Like

The problem is that our certs don't renew on our new server because certbot is using the domain configuration of webroot when we've switched to using standalone on our new LE server.

I don't believe there are multiple versions. The 0.40.0 version is what was installed via Apt. The old server used certbot-auto. The version is in the configuration file. That was the version of certbot-auto on the old server.

When I ran the certbot certonly --standalone command to renew one of the domains it created a new configuration file and said it was registering a new domain. Seems like it ignored the existing config (maybe because it was webroot and not standalone?).

So, the cert wasn't renewed but rather re-registered. I'm hoping there is an action that will update all of the configuration files to use standalone instead of webroot.

You have to renew each cert by using the exact same set of names.
e.g. if www.example.com & example.com were both on the cert then use both names on the renewal request - if you try to renew using only one of those names, then a new cert will be created for the single name.

1 Like
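The two answers above (re-run the renewal with --standalone --http-01-port 80, and pass exactly the same set of names so certbot updates the existing lineage instead of registering a new one) can be turned into a per-certificate command generated from the renewal config itself. The script below is an added example, not code from the thread or from the certbot project; it assumes the default /etc/letsencrypt/renewal/<name>.conf layout, reads the names from the [[webroot_map]] section that a webroot-authenticated lineage carries, and uses --cert-name so the request targets the existing lineage. The sample renewal file it writes is constructed for the demonstration (the account id in it is a placeholder).

```shell
#!/bin/sh
# Added example (not the forum poster's or certbot's own code): derive the
# renewal command for one certificate from its existing renewal config so the
# request carries the same lineage name and the exact same set of names that
# certbot already tracks. Assumes the default /etc/letsencrypt layout.

set -eu

# Print the names recorded under [[webroot_map]] in one renewal config,
# space separated, in file order. Only webroot lineages have this section.
renewal_domains() {
    awk '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && /=/          { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]*=.*/, ""); print }
    ' "$1" | tr '\n' ' ' | sed 's/ *$//'
}

# Build the renewal command as one line. --cert-name keeps the existing
# lineage, -d is repeated for every name, and the standalone authenticator on
# port 80 replaces the old webroot settings; certbot writes the new
# authenticator back into the renewal config when the request succeeds.
# Add --dry-run to the generated line to check a lineage against staging first.
renewal_command() {
    conf=$1
    name=$(basename "$conf" .conf)
    cmd="certbot certonly --standalone --http-01-port 80 --cert-name $name"
    for d in $(renewal_domains "$conf"); do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Constructed sample renewal file in the layout the thread quotes
# (version 1.10.1, webroot on port 8888). The account id is a placeholder.
write_sample_conf() {
    dir=$(mktemp -d)
    cat > "$dir/example.com.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 1.10.1
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
http01_port = 8888
webroot_path = /path/to/dir,
[[webroot_map]]
example.com = /path/to/dir
www.example.com = /path/to/dir
EOF
    printf '%s\n' "$dir/example.com.conf"
}

# With --all, print one command per renewal file on the host. Review the
# output before piping it to sh, and spread the real runs over several days
# rather than renewing every lineage at once.
if [ "${1:-}" = "--all" ]; then
    for f in /etc/letsencrypt/renewal/*.conf; do
        renewal_command "$f"
    done
fi
```

Run it with --all on the certbot host to get one line per lineage, check a few with --dry-run, then execute them in batches. A lineage that has no [[webroot_map]] (one already converted to standalone, for example) yields no -d flags from this parser; for those, the authoritative name list is the output of `certbot certificates` or the subjectAltName extension of the live cert, which this example does not read.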

You got it! Thank you for that information.

So we manually renewed a cert and the configuration was updated! This is great, thank you so much.

Now we just have to figure out how to do this effectively within the renewal period since we can only renew ~5 per 7 days according to the message from certbot if it's not close to expiry:

Renew & replace the cert (limit ~5 per 7 days)

Thanks again!

1 Like

Renewals DO NOT count towards any rate limit.
You will have to renew them all before they expire (less than 90 days).

However, I would NOT renew them all the same day - try spreading them out a bit :wink:

1 Like

That's incorrect:

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week.

2 Likes

Although technically correct, it seems highly unlikely (if not impossible) to renew the exact same "Duplicate Certificate" with the normal certbot renew process (without the added use of "force").

1 Like
