Cron Job Command for auto renewal


#1

But what is the best cron job command for auto cert renewal?

I use following command to run daily:

/usr/bin/certbot certonly --keep-until-expiring

and got error:

Error creating new cert :: Too many certificates already issued for exact set of domains

Seems it renews daily instead of before expiry.

OS: Fedora 23
Stock RPM installation.

Regards,
Lee


#2

You’re trying to create a new cert with that command. Instead you should be using:
certbot renew

You didn’t renew daily, you created a new certificate daily, which is why you hit the creation limit.

Try renewing instead :wink:


#3

Thanks for your reply,

But when I run certbot renew, I got the following warning message:

Currently, the renew verb is only capable of renewing all installed certificates that are due to be renewed; individual domains cannot be specified with this action. If you would like to renew specific certificates, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future.

Any hints?


#4

What exact command did you try? That error suggests you tried specifying a domain. The command is simply:
certbot renew
And nothing else.

It shouldn’t actually renew, since you’re not within 30 days of expiry, but you should get a message saying there’s nothing to renew.


#5

Yes, certbot renew only.

See attached screen:

Below is the config file /etc/letsencrypt/cli.ini:

# the default is 2048 (more is better)
rsa-key-size = 4096

# plugin
authenticator = webroot

# webroot
webroot-path = /var/www/html/

# domains
domains = xxx.sample.com

# flags
# renew is good for automation
renew-by-default

Any hints?


#6

A couple of things come to mind.

“Renew” doesn’t use your cli.ini, it uses /etc/letsencrypt/renewal/your.domain.tld.conf. The settings used will be in there. Don’t mess around with the settings in there without knowing what you’re doing!

Also, I’ll bet that if you poke around in /etc/letsencrypt/live/ and /etc/letsencrypt/renewal/ there’ll be a bunch of domains => your.domain.tld, your.domain.tld_001, your.domain.tld_002, your.domain.tld_003, etc.

When you recreate the same domain instead of renewing, certbot leaves your existing certificate and conf files, and creates a new “001” version. It then creates new files every time, incrementing the suffix. It’s possible that this is confusing the renewal process.

You could try deleting every “your.domain.tld_00*” file and directory and leave only your original “your.domain.tld”, then try “certbot renew” again.

Ensure you don’t delete things willy nilly, as you’ll lose your account hash. You’ll see your account line in your original (and every other) /etc/letsencrypt/renewal/your.domain.tld.conf.

Keep the first certificate, clean your system of the superfluous files, and try again. Keep in mind you’ll probably get renewal emails for every extra certificate you created. Ignore them. The deleted certs will expire and go away, and you can renew your original as needed.

Good luck!
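As an added example (not code from any poster in this thread or from certbot itself): a POSIX sh snippet with the cron entry recommended in #2 and #4, plus a check for the duplicate `_001`, `_002` renewal lineages that #6 describes. It assumes the standard /etc/letsencrypt/renewal/<lineage>.conf layout; `RENEWAL_DIR` and the function names are my own, chosen so the checks can be pointed at a test directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot itself.
# Assumptions: certbot is on PATH and uses the standard
# /etc/letsencrypt/renewal/<lineage>.conf layout; RENEWAL_DIR is a
# constructed variable so the checks can be run against a test directory.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# The line to drop into /etc/cron.d/certbot (root-owned, mode 0644).
# "renew" only acts on certificates within 30 days of expiry, so running it
# twice a day is safe: unlike "certonly", it never re-issues early and so
# does not hit the "too many certificates already issued" rate limit.
cron_entry() {
    printf '%s\n' '0 */12 * * * root certbot renew --quiet'
}

# Print one "<base> <duplicate>" line for every <base>_NNN.conf whose
# <base>.conf also exists, i.e. the _001, _002 ... lineages that repeated
# "certonly" runs leave behind (see post #6).
list_duplicate_lineages() {
    dir="$1"
    for conf in "$dir"/*_[0-9][0-9][0-9].conf; do
        [ -e "$conf" ] || continue            # glob matched nothing
        name=$(basename "$conf" .conf)
        base=${name%_[0-9][0-9][0-9]}
        if [ -e "$dir/$base.conf" ]; then
            printf '%s %s\n' "$base" "$name"
        fi
    done
}

# Number of duplicate lineages found under the given directory.
count_duplicate_lineages() {
    list_duplicate_lineages "$1" | wc -l | tr -d ' '
}

# Sanity check to run before trusting "certbot renew": exit status 1 when
# duplicates exist, so the leftover lineages surface instead of silently
# confusing the renewal run.
check_renewal_dir() {
    n=$(count_duplicate_lineages "$1")
    if [ "$n" -gt 0 ]; then
        echo "warning: $n duplicate lineage(s) under $1" >&2
        list_duplicate_lineages "$1" >&2
        return 1
    fi
    echo "renewal directory $1 looks clean"
    return 0
}
```

Run `check_renewal_dir "$RENEWAL_DIR"` as root on the server, and test the cron command itself with `certbot renew --dry-run`, which exercises renewal against the staging environment without consuming rate limit.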


#7

Seems the live version links to version 6.

Do you mind if I delete versions 1 to 5?

Or is it better to delete all and create a new cert again a few days later?

Please kindly advise.


#8

Ah, I see what you mean.

If you don’t mind having “006” at the end of your files, yes, it should be fine to delete the others.

When I first created my certificates, it was early on when “renew” wasn’t available in the client. I managed to accidentally create “001” and “002” versions of my domain certificates, but then the client was updated to the point it could renew.

I was able to delete virtually everything in my letsencrypt directory (except for my account info!) and start again, with my newly created certificate’s renew info now saved. So I know this method worked for me :slight_smile: I received reminder emails that my deleted certificates were expiring, and I just ignored them.

I’m not saying that you should do this, but if I were you, I’d wait 7 days until your limit expires, then I’d delete everything in live and renewal and archive, and start again. Make sure you don’t lose your account info (I can’t remember its exact location, I’m at work and away from my server), because I believe Let’s Encrypt’s servers hang on to stuff like your email address while your certs are likely to be valid, and it’ll take months before that expires.

Of course you can use your existing certificates over the coming week. If you set everything up to work from your live directory, everything will still work after you recreate the certificates. :wink:


#9

Unfortunately, that’s not true. I don’t know if it’s a bug or not, but even settings from your renewal configuration are overwritten by settings in your cli.ini.


#10

:astonished:
Really? Oh crap, I didn’t know that. Sorry, @chrislee! I accidentally misled you!


#11

So what should I do now? Wait 7 days to try again?

