Dry Run of Cert New fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kasdivi.com

I ran this command:
certbot renew --dry-run

It produced this output:

Processing /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf


Cert is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for kasdivi.com

http-01 challenge for theoceanwindow.com

http-01 challenge for wandjbrewers.com

http-01 challenge for www.kasdivi.com

http-01 challenge for www.theoceanwindow.com

http-01 challenge for www.wandjbrewers.com

Cleaning up challenges

Attempting to renew cert (kasdivi.com) from /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:

Input the webroot for kasdivi.com:. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem (failure)

My web server is (include version):
Apache version 2.4.46

The operating system my web server runs on is (include version):
FreeBSD 12.1
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.7.0

When I look at my certificate at /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem, I see that it contains two certificates. I believe I corrupted it in my earlier attempts to get it to autorenew.

Hi @captcurrent

Dry Run of Cert New fails

that's expected if Certbot asks and you don't answer. Change that.

It never gives me a chance to enter. How do I enter the information to allow auto renew to work?

Check that config file

there you should be able to add the webroot.

Or you have a wrong -n flag.

https://certbot.eff.org/docs/using.html

I changed kasdivi.com.conf to the following:

renew_before_expiry = 30 days

version = 1.3.0

archive_dir = /usr/local/etc/letsencrypt/archive/kasdivi.com

cert = /usr/local/etc/letsencrypt/live/kasdivi.com/cert.pem

privkey = /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem

chain = /usr/local/etc/letsencrypt/live/kasdivi.com/chain.pem

fullchain = /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem

# Options used in the renewal process

[renewalparams]

account = ab7601b5c6dd6709ddad453d581fb3d1

authenticator = webroot

server = https://acme-v02.api.letsencrypt.org/directory

webroot = /usr/local/www/kasdivi.com

I try the dry run again and get the following:

Processing /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf


Cert is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for kasdivi.com

http-01 challenge for theoceanwindow.com

http-01 challenge for wandjbrewers.com

http-01 challenge for www.kasdivi.com

http-01 challenge for www.theoceanwindow.com

http-01 challenge for www.wandjbrewers.com

Cleaning up challenges

Attempting to renew cert (kasdivi.com) from /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:

Input the webroot for kasdivi.com:. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:

/usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry

** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)
You mention "wrong -n flag." What is this?

certbot renew is always noninteractive, regardless of the flags that the user enters.

If you want to be able to answer questions from Certbot about an individual certificate, which looks like it's relevant here, you should renew that individual certificate with certbot certonly.

(I don't know how the certificate got successfully created in the first place without knowing the associated webroot, though.)

I think a better idea would be to run

certbot renew --cert-name $CERT_NAME --webroot -w /path/to/webroot

instead of editing renewal files.

($CERT_NAME is the certificate name, get it from certbot certificates)

9peppe's suggestion nailed it. I appreciate all the help!!
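
The failure discussed in this thread can be caught before the renewal job runs. The following is an added example, not code from the thread or from Certbot: a small linter that reads a renewal file and reports when the webroot authenticator has no webroot recorded for a domain. It assumes the `webroot_path` key and `[[webroot_map]]` subsection that Certbot writes when a certificate is issued with `--webroot -w`; the function names and sample configs are constructed for illustration.

```python
# Added example. Flags renewal files that would make non-interactive
# 'certbot renew' ask for a webroot. Sample configs below are constructed.

def parse_renewal(text):
    """Parse a ConfigObj-style renewal file into {section: {key: value}}.
    Top-level keys live under "", [[sub]] sections under "parent/sub"."""
    sections = {"": {}}
    current = parent = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[[") and line.endswith("]]"):
            current = f"{parent}/{line[2:-2].strip()}"
        elif line.startswith("[") and line.endswith("]"):
            current = parent = line[1:-1].strip()
        section = sections.setdefault(current, {})
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return sections

def webroot_problems(text, domains):
    """Return reasons why renewal has no webroot for some of `domains`."""
    conf = parse_renewal(text)
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []  # other authenticators do not need a webroot
    wmap = conf.get("renewalparams/webroot_map", {})
    paths = [p for p in params.get("webroot_path", "").split(",") if p.strip()]
    if wmap:  # assumption: a populated map is used on its own
        return [f"no webroot mapped for {d}" for d in domains if d not in wmap]
    if not paths:
        return ["neither webroot_path nor [[webroot_map]] is set"]
    return []

# Constructed: the [renewalparams] section as edited in the thread.
THREAD_CONF = """
[renewalparams]
authenticator = webroot
webroot = /usr/local/www/kasdivi.com
"""

# Constructed: a map that covers only two of the names on the certificate.
MAPPED_CONF = """
[renewalparams]
authenticator = webroot
[[webroot_map]]
kasdivi.com = /usr/local/www/kasdivi.com
www.kasdivi.com = /usr/local/www/kasdivi.com
"""
```

Running `webroot_problems` against each file in the renewal directory, with the names from `certbot certificates`, shows which certificates would stall an unattended renewal.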
