Error while renewing certificate

Rajesh · September 6, 2018, 10:50am

Hi,

I used the following command for the domains to get the certificate.

./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --email mymail@mail.com --manual-public-ip-logging-ok --agree-tos --renew-by-default --preferred-challenges=http -d mydomain.com

That said, we did the domain validation to get the cert. Now I need to renew the certs as they are going to expire. So I ran this command to renew.

./certbot-auto renew --server https://acme-v02.api.letsencrypt.org/directory --manual --email mymail@mail.com --manual-public-ip-logging-ok --agree-tos --renew-by-default --preferred-challenges=http -d mydomain.com

It gives me the following error.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

I have gone through some of the articles and identified that /etc/letsencrypt/cli.ini making the issue. But I don't have that file.

How can I fix this issue?

Thanks
Rajesh

stevenzhu · September 6, 2018, 10:54am

Hi,

That's not the issue. If you want to renew a certificate, please just run ./certbot-auto renew.

However, since you obtained the certificate with manual. You can't renew it without an automation scripts.

May I know what's the reason not using certonly, standalone, apache or nginx to request the certificate in the first place?

Thank you

Rajesh · September 6, 2018, 11:39am

Will that command works for me as I need to complete the domain validation which involves placing some codes at the document root of the web server?

I have used certonly command to get the certificates.

Thanks

stevenzhu · September 6, 2018, 11:41am

That would not....

If you are going to manually put codes on the webserver, please run the command you use to obtain certificate initially again.

Since manual without automated scripts will not work with the renew command.

Thank you

Rajesh · September 6, 2018, 11:49am

Actually, I haven’t mentioned the scripts that I used to do auto-validation. Here is the exact command that used to get the certs.

./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --email mymail@mail.com --manual-public-ip-logging-ok --agree-tos --renew-by-default --preferred-challenges=http --manual-auth-hook /export/home/netengr/scripts/authenticator.pl --manual-cleanup-hook /export/home/netengr/scripts/cleanup.pl -d mydomain.com

Both scripts take care of validation and cleaning. Now the command ./certbot-auto renew will works for me?

Thank you.

stevenzhu · September 6, 2018, 11:51am

Yes.

Just run ./certbot-auto renew

Thank you

Rajesh · September 6, 2018, 12:06pm

Thanks! Just have one more query.

./certbot-auto renew command renewing all the domains. Instead of that can we renew the cert for specific domain?

Rajesh · September 6, 2018, 12:12pm

And how it works for SAN certs?

I mean how the validation goes for multiple domains when just ran ./certbot-auto renew command and generate single cert. For individual certs, it stores the document root of web server for the domains and user details at /etc/letsencrypt/renewal/domain_name.conf.
But for SAN certs there is no such kind of information available.

schoen · September 6, 2018, 4:21pm

This is a distinction between using Certbot's --webroot and --manual.

When you use --webroot, you can specify a webroot location with -w and this is saved by Certbot. You can request a certificate for up to 100 different domains and you can use either the same webroot or different webroots. If you use different webroots via multiple -w options, they are all saved (using a configuration feature called webroot_map) so that they can be used for renewal.

When you use --manual with --manual-auth-hook, every aspect of the authentication challenge is the responsibility of the script that you specified (here, authenticator.pl) and not of Certbot. Certbot doesn't know what the authenticator hook script did in order to pass the challenges. From Certbot's perspective, maybe the authenticator hook script created the files itself in the local filesystem, or maybe it created them remotely via FTP, or maybe it called up a human being on the telephone and told the human being how to create the files...

So if you use --manual, then the question is how authenticator.pl knew which webroots to use; and if it did have this information when you obtained the certificate, why wouldn't it know when renewing it?

Rajesh · September 7, 2018, 11:54am

Yep, got it. authenticator.pl contact one more file that has the web root locations of the domains. Now I put the locations there and run the below command.

./certbot-auto renew --cert-name domain_name

Now I’m able to renew the certs. Thanks for the description.

–
Rajesh

system · October 7, 2018, 11:54am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.