General question

First off, let me say I read on the LE web pages that if I am running the SNAP version of certbot it should automatically be updated to version 2 when the time comes. That said, I have a couple of questions. I was running version 1.31 and I put it on hold temporarily by stopping and disabling the timer. I bought and am currently using a 1 year certificate from Sectigo (long story). The certificate(s) are in completely different folders from the LE certificates. I haven't moved or done anything to the LE / certbot install.

Can't I re-enable the SNAP / certbot timer and let it continue to update the LE certificates in the LE folders? I plan to switch back to LE when my year runs out and I want to be sure certbot gets updated to version 2 when the time comes.

2nd question - Will version 2 still need the directive "preferred-chain=ISRG Root X1" in cli.ini? (It took several weeks to figure that one out.)

Certbot will get updated to 2.0, regardless of whether the renewal timer is enabled. You can keep the timer disabled as long as you need.

You can also keep it enabled and Certbot will continue to renew your certificate in the background, which shouldn't affect your use of the Sectigo certificate.

Nothing is changing in that respect. The default chain is a choice made by Let's Encrypt, and Certbot follows whatever is offered by default. If (for whatever reason) you need to use the alternative chain via --preferred-chain, you're welcome to keep doing so and it will keep working.

5 Likes

Just to check for myself: even if Certbot is configured using an installer plugin (i.e. --apache or --nginx) and it renews? I'd think Certbot only changes the e.g. SSLCertificateFile directives when it does an installer-thing (i.e.: subcommand run or install) and not when renewing (then it just reloads the webserver), but I'd like confirmation 🙂

5 Likes

That's correct.

Only certbot [run] and certbot install will update SSLCertificateFile in the web server configuration. Renewal will cause a web server reload only.

5 Likes
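A way to check the point made in the answers above before re-enabling the timer, as an added example that is not part of the thread or of Certbot: it lists every certificate directive in an Apache configuration and marks whether it points into Certbot's live/ directory, whose files change on renewal, or elsewhere. It assumes Certbot's default /etc/letsencrypt directory; the hostnames and the Sectigo path in the sample are constructed.

```python
import re

# Certbot's default live/ directory (assumption: default --config-dir in use).
LE_LIVE = "/etc/letsencrypt/live/"
CERT_DIRECTIVE = re.compile(
    r'^\s*(SSLCertificate(?:Key|Chain)?File)\s+("[^"]+"|\S+)', re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
VHOST_EDGE = re.compile(r"^\s*</?VirtualHost\b", re.I)

# Constructed sample configuration; hostnames and the Sectigo path are made up.
SAMPLE = """\
<VirtualHost *:443>
    ServerName shop.example.com
    SSLCertificateFile /etc/ssl/sectigo/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/sectigo/shop.example.com.key
</VirtualHost>
<VirtualHost *:443>
    ServerName blog.example.com
    # SSLCertificateFile /etc/ssl/old/blog.example.com.crt
    SSLCertificateFile "/etc/letsencrypt/live/blog.example.com/fullchain.pem"
    SSLCertificateKeyFile /etc/letsencrypt/live/blog.example.com/privkey.pem
</VirtualHost>
"""

def audit_apache_config(text):
    """Return (server_name, directive, path, source) for each cert directive."""
    findings, name, pending = [], "(no ServerName)", []
    # The trailing sentinel flushes directives that follow the last vhost.
    for line in text.splitlines() + ["</VirtualHost>"]:
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not served
        m = SERVER_NAME.match(line)
        if m:
            name = m.group(1)
        m = CERT_DIRECTIVE.match(line)
        if m:
            path = m.group(2).strip('"')
            source = "certbot-live" if path.startswith(LE_LIVE) else "external"
            pending.append((m.group(1), path, source))
        if VHOST_EDGE.match(line):  # opening or closing tag ends the current scope
            findings += [(name, d, p, s) for d, p, s in pending]
            name, pending = "(no ServerName)", []
    return findings

def affected_by_renewal(text):
    """Server names whose served certificate files change when Certbot renews."""
    return sorted({n for n, _, _, s in audit_apache_config(text) if s == "certbot-live"})

if __name__ == "__main__":
    for row in audit_apache_config(SAMPLE):
        print(*row, sep="\t")
```

The check is textual: a path outside live/ that is itself a symlink into it would be reported as external, so resolve symlinks on the host if that applies.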