Using the latest letsencrypt 0.2.0 client on CentOS 6.7, trying to set up an ECDSA cert on staging, and I seem to have a problem passing a variable ${vhostname} in the bash shell to the webroot path using either --webroot-path or --webroot-map:
letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-path /home/nginx/domains/${vhostname}/public
The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('--webroot-path must be set',)
Maybe it's due to the webroot-map settings being encased in single quotes, but I tried double quotes and had the same problem:
letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map '{"${vhostname}": "/home/nginx/domains/${vhostname}/public"}'
The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(u'/home/nginx/domains/${vhostname}/public does not exist or is not a directory',)
There's no problem if I hardcode the webroot-map settings, but then again I am scripting this for automation with my LEMP stack and nginx vhost generator for HTTP/2 SSL:
letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --user-agent centminmod-centos6-webroot --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map '{"le20.http2ssl.xyz": "/home/nginx/domains/le20.http2ssl.xyz/public"}'
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/usr/local/nginx/conf/ssl/le20.http2ssl.xyz/0003_chain.pem. Your
cert will expire on 2016-04-16. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Ideally a fix for the --webroot-path bug would be the solution here.
letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --user-agent centminmod-centos6-webroot --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map $WEBROOTMAP
usage:
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...
The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:
(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
letsencrypt: error: argument --webroot-map: invalid <lambda> value: "'{le20.http2ssl.xyz:"
letsencrypt certonly --text --agree-tos --renew-by-default --test-cert --email ${EMAIL} --user-agent centminmod-centos6-webroot --csr /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der --webroot --webroot-map $WEBROOTMAP
usage:
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...
The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:
(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
letsencrypt: error: argument --webroot-map: invalid <lambda> value: '\'{"le20.http2ssl.xyz":'
Double quotes around $WEBROOTMAP. Apparently, you’ve got to encase the variable on the command line between quotes and not in the variable itself and single quotes will prevent the parsing of the variable to the value: double quotes do not prevent this parsing.
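As an added example (not code from the thread or from the Let's Encrypt client), the script below shows the quoting point of the reply above in working bash: the --webroot-map JSON is built with double quotes so that ${vhostname} expands, and the resulting variable is then passed as "$WEBROOTMAP" so the JSON, which contains a space, arrives as one argument. It also shows what the single-quoted form from the first post and the unquoted $WEBROOTMAP from the second actually deliver to the client. The function names, the vhostname character check and the webroot layout under /home/nginx/domains are assumptions for illustration; run_certonly is the only piece that calls letsencrypt and is never invoked at top level.

```bash
#!/bin/bash
# Added example: building and passing --webroot-map from a shell variable.
# Function names and the vhostname check are hypothetical, not the client's API.

# Builds the --webroot-map JSON for one vhost. The printf format is single-quoted
# (so the braces and JSON quotes are literal) while the values are substituted
# as arguments, so ${vhostname} is expanded by the shell before the JSON exists.
build_webroot_map() {
    vhostname="$1"
    webroot="/home/nginx/domains/${vhostname}/public"
    printf '{"%s": "%s"}' "$vhostname" "$webroot"
}

# Reproduces the single-quoted form from the thread: the shell never expands
# inside single quotes, so the client receives the literal text ${vhostname}.
literal_map_example() {
    printf '%s' '{"${vhostname}": "/home/nginx/domains/${vhostname}/public"}'
}

# Counts the arguments a command receives; used below to show why an unquoted
# $WEBROOTMAP is split at the space after the colon and only the first word
# reaches --webroot-map (the truncated value in the error message).
count_args() { echo "$#"; }
args_unquoted() { m=$(build_webroot_map "$1"); count_args $m; }   # word-split
args_quoted()   { m=$(build_webroot_map "$1"); count_args "$m"; } # one argument

# Constructed allow-list for vhost names (letters, digits, dots, hyphens; no
# leading dot or hyphen, no "..") so a name can neither break the JSON nor
# escape the /home/nginx/domains prefix. This is an assumption of the example.
valid_vhostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|*..*|-*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# The directory check the client itself failed with in the second error above,
# done before the client is invoked so the script fails with a clear message.
check_webroot() {
    [ -d "/home/nginx/domains/$1/public" ]
}

# Invokes the client with the map quoted. Not called at top level.
run_certonly() {
    vhostname="$1"; email="$2"
    valid_vhostname "$vhostname" || { echo "invalid vhostname: $vhostname" >&2; return 2; }
    check_webroot "$vhostname"   || { echo "webroot missing for $vhostname" >&2; return 3; }
    WEBROOTMAP="$(build_webroot_map "$vhostname")"
    letsencrypt certonly --text --agree-tos --renew-by-default --test-cert \
        --email "$email" \
        --csr "/usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-csr-p384.der" \
        --webroot --webroot-map "$WEBROOTMAP"
}
```

For le20.http2ssl.xyz, build_webroot_map yields {"le20.http2ssl.xyz": "/home/nginx/domains/le20.http2ssl.xyz/public"}; args_unquoted reports 2 words and args_quoted reports 1, which is the whole difference between the failing and the working invocation.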
Interesting, I noticed that after a few re-runs of the letsencrypt client, the generated *_chain.pem goes back to the same number?
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/root/0001_chain.pem. Your cert will expire on 2016-04-16. To
obtain a new version of the certificate in the future, simply run
Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Prior to the last run, 0005_chain.pem was the latest, but after this run it goes back to 0001_chain.pem:
ls -lAhrt /usr/local/nginx/conf/ssl/${vhostname} | grep pem
-rw-r--r-- 1 root root 359 Jan 17 08:36 le20.http2ssl.xyz-privkey-p384.pem
-rw-r--r-- 1 root root 2.6K Jan 17 09:07 0001_chain.pem
-rw-r--r-- 1 root root 1.1K Jan 17 09:07 0000_chain.pem
-rw-r--r-- 1 root root 1.5K Jan 17 09:07 0000_cert.pem
-rw-r--r-- 1 root root 2.6K Jan 17 09:07 0003_chain.pem
-rw-r--r-- 1 root root 1.1K Jan 17 09:07 0002_chain.pem
-rw-r--r-- 1 root root 1.5K Jan 17 09:07 0001_cert.pem
-rw-r--r-- 1 root root 2.6K Jan 17 09:25 0005_chain.pem
-rw-r--r-- 1 root root 1.1K Jan 17 09:25 0004_chain.pem
-rw-r--r-- 1 root root 1.5K Jan 17 09:25 0002_cert.pem
So there are only 3 rotations for the full chain, the 0001, 0003 and 0005 pem files, right? The dates on those files don't seem to be changing when I go through 3+ runs.
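As an added example (not from the thread or from the client), the script below picks the usable full-chain file out of the numbered NNNN_chain.pem outputs by counting the certificates inside each file rather than by trusting the number or the mtime: in the listing above the 2.6K files (0001, 0003, 0005) hold leaf plus intermediate while the 1.1K ones (0000, 0002, 0004) hold the intermediate alone. It also includes a wrapper that changes into the vhost's ssl directory before running the client, on the assumption, suggested by the two different "saved at" paths in this thread (/usr/local/nginx/conf/ssl/le20.http2ssl.xyz/0003_chain.pem versus /root/0001_chain.pem), that the numbered files land in the current working directory. The fixture directory, its PEM contents and all function names are constructed for the example.

```bash
#!/bin/bash
# Added example: selecting the newest full chain among numbered *_chain.pem
# files. Names are hypothetical; the PEM fixture is constructed, not a real cert.

# Counts PEM certificate blocks in a file (0 if none).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Prints the highest-numbered NNNN_chain.pem in a directory that contains at
# least two certificates (leaf + intermediate). The glob expands in lexical
# order, so the last qualifying match is the highest number.
latest_fullchain() {
    dir="$1"
    latest=""
    for f in "$dir"/[0-9][0-9][0-9][0-9]_chain.pem; do
        [ -e "$f" ] || continue
        if [ "$(cert_count "$f")" -ge 2 ]; then
            latest="$f"
        fi
    done
    [ -n "$latest" ] && printf '%s\n' "$latest"
}

# Runs the client from inside the vhost's ssl directory so the numbered output
# files end up beside the CSR and key (assumption: outputs go to the current
# directory, as the two "saved at" paths in the thread suggest). Not called here.
certonly_in_ssl_dir() {
    vhostname="$1"; email="$2"
    ssldir="/usr/local/nginx/conf/ssl/${vhostname}"
    WEBROOTMAP="{\"${vhostname}\": \"/home/nginx/domains/${vhostname}/public\"}"
    ( cd "$ssldir" && letsencrypt certonly --text --agree-tos --renew-by-default \
        --test-cert --email "$email" \
        --csr "${ssldir}/${vhostname}-csr-p384.der" \
        --webroot --webroot-map "$WEBROOTMAP" ) \
    && latest_fullchain "$ssldir"
}

# Builds a constructed directory mirroring the listing in the thread: odd-numbered
# chain files hold two certificate blocks, even-numbered ones hold one.
make_fixture() {
    dir="$(mktemp -d)"
    one='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIENFUlRJRklDQVRF
-----END CERTIFICATE-----'
    for n in 0000 0002 0004; do printf '%s\n' "$one" > "$dir/${n}_chain.pem"; done
    for n in 0001 0003 0005; do printf '%s\n%s\n' "$one" "$one" > "$dir/${n}_chain.pem"; done
    for n in 0000 0001 0002; do printf '%s\n' "$one" > "$dir/${n}_cert.pem"; done
    printf '%s\n' "$dir"
}
```

On the constructed fixture latest_fullchain returns 0005_chain.pem, and cert_count distinguishes 0004_chain.pem (1 block) from 0005_chain.pem (2 blocks); the same check run on the real ssl directory tells you which numbered file is the full chain to point nginx at, regardless of which run produced it.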