Dry run: failed with error: Input the webroot for new.subdomain

My domain is:


I ran this command:
sudo certbot certonly --cert-name dev.insurebox.co -d dev.insurebox.co,dashboard.insurebox.co
And then:
certbot renew --dry-run
It produced this output:

Processing /etc/letsencrypt/renewal/dev.insurebox.co.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dashboard.insurebox.co
http-01 challenge for dev.insurebox.co
Cleaning up challenges
Attempting to renew cert (dev.insurebox.co) from /etc/letsencrypt/renewal/dev.insurebox.co.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dashboard.insurebox.co:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dev.insurebox.co/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
Node.js + Express
The operating system my web server runs on is (include version):
Debian 10
My hosting provider, if applicable, is:
Google compute engine
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.31.0

How do I provide the same webroot to both subdomains?

1 Like

That should have been remembered the first time you ran certbot. Perhaps a bug in certbot, but your version 0.31 is already ancient. Thanks Debian! Could you please upgrade certbot to a newer version?

1 Like

Ah, I think @Osiris is right. This looks like https://github.com/certbot/certbot/issues/7048.

I guess you could try restoring webroot_map to the conf file.

3 Likes

Seems to be fixed in 0.35.0 :slight_smile:

1 Like

How did it know to use webroot?
Were you trying to add an FQDN to an existing cert?
Is there anything you haven't told us?

1 Like

Bingo! From what I've read in the certbot almanac, if you're creating a certificate with identical subjects to an existing certificate, certbot will draw upon the configuration for that certificate to fill in the holes.

1 Like

...ah...
Why do I suddenly feel full of holes?

1 Like

Because you're secretly a Swiss Cardinal? :thinking:

2 Likes

I saw what you did there:
Swiss as in hole-filled (like their famous cheese!)
And Cardinal as in religiously Holy!
Holy holey!

But now the secret is out!

1 Like

:grin: You got me. :grin:

> How did it know to use webroot?

It asked me when I ran certbot certonly

> Were you trying to add an FQDN to an existing cert?

Yes.

> Is there anything you haven't told us?

No.

1 Like

I am following the documentation on https://certbot.eff.org/docs/install.html and the recommended way suggests that I install via apt-get. When I upgraded via apt, I got this:

certbot is already the newest version (0.31.0-1).

I'm not from an Ops background. I'm a developer.

1 Like

Hello :slightly_smiling_face:

apt-get frequently cannot acquire the newest version of certbot. Try using the snap installation if you can.

2 Likes

As for your certbot command...

If the two domain names have the same webroot path (i.e. the full path to the directory containing the index file), determine it then run:

sudo certbot certonly \
--cert-name dev.insurebox.co \
-a webroot \
-w *webroot path* \
-d dev.insurebox.co,dashboard.insurebox.co

If the two domain names have different webroot paths, determine them then run:

sudo certbot certonly \
--cert-name dev.insurebox.co \
-a webroot \
-w *dev.insurebox.co webroot path* \
-d dev.insurebox.co \
-w *dashboard.insurebox.co webroot path* \
-d dashboard.insurebox.co

It should then be safe to run:
sudo certbot renew --dry-run

1 Like

Thanks for the answer, I tried both approaches. When I tried the first command, specifying the same webroot for both, I still got the same error. Then I tried the second command specifying the same webroot in both of the -w flags and the error changed to:

Attempting to renew cert (dev.insurebox.co) from /etc/letsencrypt/renewal/dev.insurebox.co.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for dashboard.insurebox.co:
Choices: ['Enter a new webroot', '/path/to/my/project']

And I think I've reached my limit of 5 certs per 7 days...

2 Likes

Snap also gives me the same version. When I try to upgrade (refresh), I get: snap "certbot" has no updates available

1 Like

Did you remove the previous version(s) of certbot?

What says certbot --version?

Might you post the two exact commands you used?

1 Like

> Did you remove the previous version(s) of certbot?

Yes. I uninstalled it and then installed it again. Still,

> What says certbot --version ?

certbot 0.31.0

> Might you post the two exact commands you used?

sudo certbot certonly --cert-name dev.insurebox.co \
-a webroot \
-w path/to/my/public/folder \
-d dev.insurebox.co,dashboard.insurebox.co

sudo certbot certonly --cert-name dev.insurebox.co \
-a webroot \
-w path/to/my/public/folder \
-d dev.insurebox.co \
-w path/to/my/public/folder \
-d dashboard.insurebox.co

Still getting the same error: Input the webroot for dashboard.insurebox.co:. Skipping.

Note: When I ran sudo snap remove certbot and then sudo snap install certbot --classic, it said: certbot 1.8.0 from Certbot Project (certbot-eff✓) installed, but still certbot version shows as 0.31.0. I'm confused.

1 Like

Okay, my bad, I also had to run apt-get remove certbot and then installed certbot from snap. That installed the correct version. Now everything works. The error is gone. I can dry run renew without any errors!
Thanks a lot for your help...

2 Likes
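The state described in the posts above (snap reports certbot 1.8.0 installed while certbot --version still prints 0.31.0) is what you see when an older copy sits earlier on PATH than the new one. The following check is an added example, not part of the original thread; the function names list_certbots and certbot_shadowing are hypothetical, and it assumes each copy answers --version with a line ending in its version number.

```shell
#!/bin/sh
# List every executable named "certbot" on a PATH-style string, in lookup order.
# Output, one line per copy: "<ACTIVE|shadowed> <path> <first line of --version>".
# The ACTIVE copy is the one the shell runs when you type "certbot".
list_certbots() {
    printf '%s\n' "${1:-$PATH}" | tr ':' '\n' | {
        state=ACTIVE
        while IFS= read -r dir; do
            [ -n "$dir" ] || dir=.          # an empty PATH entry means the current dir
            candidate=$dir/certbot
            if [ -f "$candidate" ] && [ -x "$candidate" ]; then
                version=$("$candidate" --version 2>&1 | head -n 1)
                printf '%s %s %s\n' "$state" "$candidate" "$version"
                state=shadowed
            fi
        done
    }
}

# Return 1 when a shadowed copy reports a different version than the active one,
# i.e. a newer (or older) install exists but is not the one being executed.
certbot_shadowing() {
    hits=$(list_certbots "${1:-$PATH}")
    active=$(printf '%s\n' "$hits" | awk '$1 == "ACTIVE" { print $NF }')
    printf '%s\n' "$hits" |
        awk -v a="$active" '$1 == "shadowed" && $NF != a { bad = 1 } END { exit bad + 0 }'
}

# Show what is installed on the current PATH (prints nothing if certbot is absent).
list_certbots "$PATH"
```

Run it both as your own user and under sudo, since sudo can be configured with its own PATH; removing the copy marked ACTIVE when it is the outdated one (here, apt-get remove certbot) lets the other take over.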

Glad you got it working. A happy conclusion.

:partying_face:

1 Like