Configuration reference

My domain is: s.tahvok.com

My web server is (include version): nginx

The operating system my web server runs on is (include version): linux

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.38.0

I’m struggling to find a reference for the renewal configuration files. I’ve been using a standalone configuration so far, but I would like to move to webroot, and I can’t find any official documentation on the configuration and what I need to change to achieve that (such as how to provide the webroot path).

Is there an official reference on the configuration options inside the renewal directory?

That’s a good point. I don’t think the Certbot developers intended for people to modify that file manually, to be honest. A lot of the options have surprising names that do not match the CLI arguments, so you can easily mess things up.

This is bad advice because it forces a certificate renewal, but you can apply these changes using an interactive method.

First, confirm that the method works with a dry-run:

certbot renew --cert-name example.com -a webroot -w /path/to/webroot \
--dry-run

If that succeeds, force a real renewal, which will also happen to update your configuration file for you:

certbot renew --cert-name example.com -a webroot -w /path/to/webroot \
--force-renewal

Hi @Tahvok

check

Configuration file

There is a sample. Run your Certbot with the required command options. Then your config file is updated.

The sample is of the cli.ini file, not of the renewal ini files in the renewal directory.

An alternative option would be to issue a new certificate using the staging environment, examine the options saved in its renewal file, copy them, and delete the staging certificate.

Something like:

certbot certonly --duplicate --staging --webroot -w /path/to/webroot -d example.com -d www.example.com ...

(I’m not sure if --duplicate matters.)

That’s also complicated and error-prone, though.
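The comparison step of the staging approach above, as an added example that is not part of the thread or Certbot's own code: it reads the [renewalparams] section of the existing renewal file and of the staging certificate's renewal file and lists the options that differ, leaving out `account` and `server`, which point at the staging environment. Both files and the key names in them are constructed samples; check them against what your own Certbot version writes.

```python
# Constructed sample: renewal file of the existing standalone certificate.
OLD_CONF = """\
archive_dir = /etc/letsencrypt/archive/example.com
[renewalparams]
authenticator = standalone
account = 0123456789abcdef-constructed
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample: renewal file of the throwaway staging certificate.
STAGING_CONF = """\
archive_dir = /etc/letsencrypt/archive/example.com-0001
[renewalparams]
authenticator = webroot
account = fedcba9876543210-constructed
server = https://acme-staging-v02.api.letsencrypt.org/directory
webroot_path = /path/to/webroot,
[[webroot_map]]
example.com = /path/to/webroot
www.example.com = /path/to/webroot
"""

# Options that belong to the staging environment and must not be copied over.
STAGING_ONLY = {"account", "server"}

def renewal_params(text):
    """Return {key: value} for [renewalparams]; nested [[sub]] keys become 'sub.key'."""
    params, inside, prefix = {}, False, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[["):      # nested subsection, e.g. [[webroot_map]]
            prefix = line.strip("[]").strip() + "."
        elif line.startswith("["):     # top-level section header
            inside, prefix = line.strip("[]").strip() == "renewalparams", ""
        elif inside and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            params[prefix + key.strip()] = value.strip()
    return params

def params_to_copy(old_text, new_text):
    """Map each option that differs to (old_value, new_value); None means absent."""
    old, new = renewal_params(old_text), renewal_params(new_text)
    return {k: (old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
            if k not in STAGING_ONLY and old.get(k) != new.get(k)}

if __name__ == "__main__":
    for key, (before, after) in params_to_copy(OLD_CONF, STAGING_CONF).items():
        print(f"{key}: {before!r} -> {after!r}")
```
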

I really do not understand why we can’t simply edit the configuration file…

You can, that’s not the problem. You must know the correct combinations. To find these, you can use the cli.ini or existing config files.

Which is exactly my question: why is there no official reference, and why do people need to struggle to find the correct configurations by trial and error?

I don’t see a problem. First you should change the config file via a new command. Then you see the result. Then you can use that as a template.

But changing directly without creating a new certificate is always a bad idea.