--csr and webroot-path webroot-map errors

Using latest letsencrypt 0.2.0 client on CentOS 6.7 trying to setup a ECDSA cert on staging and seem to have problem passing a variable ${vhostname} in bash shell to the webroot path using either --webroot-path or --webroot-map

yeah i know this is a bug https://github.com/letsencrypt/letsencrypt/issues/1989

letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-path /home/nginx/domains/${vhostname}/public   
The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('--webroot-path must be set',)

maybe due to webroot-map settings encased in single quotes but tried double quotes and same problem

letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map '{"${vhostname}": "/home/nginx/domains/${vhostname}/public"}'
The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(u'/home/nginx/domains/${vhostname}/public does not exist or is not a directory',)

there’s no problem if i hardcode the webroot-map settings, but then again i am scripting this for automation with my LEMP stack and nginx vhost generator for HTTP/2 SSL

letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --user-agent centminmod-centos6-webroot --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map '{"le20.http2ssl.xyz": "/home/nginx/domains/le20.http2ssl.xyz/public"}'    

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/nginx/conf/ssl/le20.http2ssl.xyz/0003_chain.pem. Your
   cert will expire on 2016-04-16. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

ideally a fix for the --webroot-path bug would be the ideal solution here :slight_smile:

and if u 1st set a full path_var then pass to LE ?
like —crs ${crspath} --webrot-map ${wrm}

if i try

WEBROOTMAP="'{"${vhostname}": "/home/nginx/domains/${vhostname}/public"}'" 

i’ll get the error

letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --user-agent centminmod-centos6-webroot --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map $WEBROOTMAP
usage: 
  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins
letsencrypt: error: argument --webroot-map: invalid <lambda> value: "'{le20.http2ssl.xyz:"

if i try to escape the required double quotes

WEBROOTMAP="'{\"${vhostname}\": \"/home/nginx/domains/${vhostname}/public\"}'"

i get error

letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --user-agent centminmod-centos6-webroot --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map $WEBROOTMAP
usage: 
  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins
letsencrypt: error: argument --webroot-map: invalid <lambda> value: '\'{"le20.http2ssl.xyz":'

Got the solution:

WEBROOTMAP="{\"${vhostname}\": \"/home/nginx/domains/${vhostname}/public\"}"

(without the single quotes)

And for the CLI:

letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --user-agent centminmod-centos6-webroot --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map "$WEBROOTMAP"

Double quotes around $WEBROOTMAP. Apparently, you’ve got to encase the variable on the command line between quotes and not in the variable itself and single quotes will prevent the parsing of the variable to the value: double quotes do not prevent this parsing.

1 Like

awesome thanks @Osiris that worked nicely :+1:

interesting i noticed after a few re-runs on the letsencrypt client, the generated *_chain.pem returns back to same number ?

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /root/0001_chain.pem. Your cert will expire on 2016-04-16. To
   obtain a new version of the certificate in the future, simply run
   Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

prior to the last run, the 0005_chain.pem was latest but after this run it goes back to 0001_chain.pem

ls -lAhrt /usr/local/nginx/conf/ssl/${vhostname} | grep pem
-rw-r--r-- 1 root root  359 Jan 17 08:36 le20.http2ssl.xyz-privkey-p384.pem
-rw-r--r-- 1 root root 2.6K Jan 17 09:07 0001_chain.pem
-rw-r--r-- 1 root root 1.1K Jan 17 09:07 0000_chain.pem
-rw-r--r-- 1 root root 1.5K Jan 17 09:07 0000_cert.pem
-rw-r--r-- 1 root root 2.6K Jan 17 09:07 0003_chain.pem
-rw-r--r-- 1 root root 1.1K Jan 17 09:07 0002_chain.pem
-rw-r--r-- 1 root root 1.5K Jan 17 09:07 0001_cert.pem
-rw-r--r-- 1 root root 2.6K Jan 17 09:25 0005_chain.pem
-rw-r--r-- 1 root root 1.1K Jan 17 09:25 0004_chain.pem
-rw-r--r-- 1 root root 1.5K Jan 17 09:25 0002_cert.pem

so there’s only 3 rotations for full chane 0001, 0003 and 0005 pem files right ? the dates on those files don’t seem to be changing when i go through 3+ runs