April
January 24, 2024, 10:29am
1
My domain is: egnyte-appliance.com
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.1
I noticed that the config_dir and work-dir specified in the renewal config file are broken on my machine. It seems the path is relative to some temporary path that no longer exists.
Is there some way I can change this with the certbot command during renewal? I was looking in the certbot reconfigure options but could not find an option to change those. Also, the certbot version installed on our servers is too old.
I want to change the config-dir and work-dir to a permanent path so that it is no longer broken.
rg305
January 24, 2024, 1:03pm
2
April: certbot 0.40.1
That seems a bit outdated, and might explain why reconfigure isn't doing what you asked of it.
Please show us the renewal config file.
4 Likes
April
January 25, 2024, 12:59pm
3
Here are the contents for config file of 1 of the certificates
version = 0.40.1
archive_dir = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/archive/h9qkct2hr8.qa.egnyte-appliance.com
cert = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/cert.pem
privkey = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/privkey.pem
chain = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/chain.pem
fullchain = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/fullchain.pem
[renewalparams]
account = 7c8511db5621db93cef292589a8da0f5
work_dir = /opt/certservice/3.3.0.1645093818/LE/work
config_dir = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
logs_dir = /opt/certservice/3.3.0.1645093818/LE/logs
webroot_path = /usr/share/nginx/html/letsencrypt,
[[webroot_map]]
h9qkct2hr8.qa.egnyte-appliance.com = /usr/share/nginx/html/letsencrypt
The trouble is that this /opt/certservice/<version-number> keeps changing with different releases of the service.
1 Like
rg305
January 25, 2024, 1:03pm
4
Are you forced to use that changing path?
Can you bolt it down [somehow]?
3 Likes
April
January 25, 2024, 1:04pm
5
Nope, no one is forcing us.
The original author of the service didn't pay attention to this so it was a changing path.
Now, I want to bolt it down to a specific fixed directory
To change these directories in the renewal conf, do I have to tinker with sed scripting, or can the reconfigure command help?
1 Like
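Taking the "sed scripting" route April mentions, here is what a careful rewrite of the renewal config looks like. This is an added example, not code from the thread, from the certservice utility or from Certbot: it swaps the versioned /opt/certservice/<version>/LE prefix in every key = value line for one fixed prefix (/opt/certservice/LE is an assumed target), leaves section headers, comments and non-path values alone, and refuses to write the file while any referenced path is missing at the new location, since the renewal config only describes where the archive and private keys are and does not move them. The sample config is the one posted above.

```python
"""Rewrite the versioned /opt/certservice/<version>/LE prefix in Certbot
renewal config files to one fixed location, checking the new paths exist
before anything is written.  Added example; not code from the thread, from
the certservice tool or from Certbot.  /opt/certservice/LE is an assumed target."""
import os
import re
import shutil

# Value prefixes such as /opt/certservice/3.3.0.1645093818/LE, as seen in the thread.
VERSIONED_PREFIX = re.compile(r"^/opt/certservice/[^/]+/LE(?=/|$)")
# A "key = value" line; comments ("# ...") and section headers do not match.
KEY_VALUE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+)(\s*=\s*)(.*)$")


def rewrite_line(line, fixed_prefix):
    """Swap the versioned prefix in the value of one key = value line.
    Any other line (section header, comment, blank) is returned untouched."""
    body = line.rstrip("\n")
    ending = line[len(body):]
    m = KEY_VALUE.match(body)
    if not m:
        return line
    indent, key, sep, value = m.groups()
    return indent + key + sep + VERSIONED_PREFIX.sub(fixed_prefix, value, count=1) + ending


def rewrite_renewal_conf(text, fixed_prefix):
    """Apply rewrite_line to every line, preserving line endings."""
    return "".join(rewrite_line(l, fixed_prefix) for l in text.splitlines(keepends=True))


def referenced_paths(text):
    """Absolute paths named in the config values (list values are split on ',')."""
    paths = []
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue
        for item in m.group(4).split(","):
            item = item.strip()
            if item.startswith("/"):
                paths.append(item)
    return paths


def missing_paths(text):
    """Paths from referenced_paths() that do not exist on this host."""
    return [p for p in referenced_paths(text) if not os.path.exists(p)]


def fix_conf_file(conf_path, fixed_prefix, write=False):
    """Rewrite one renewal config.  Returns (changed, missing).  The file is
    only written when write=True and nothing is missing at the new location;
    the original is kept beside it as <name>.bak."""
    with open(conf_path) as f:
        original = f.read()
    updated = rewrite_renewal_conf(original, fixed_prefix)
    missing = missing_paths(updated)
    changed = updated != original
    if write and changed and not missing:
        shutil.copy2(conf_path, conf_path + ".bak")
        with open(conf_path, "w") as f:
            f.write(updated)
    return changed, missing


# Sample input: the renewal config posted in the thread (shortened).
SAMPLE_CONF = """\
version = 0.40.1
archive_dir = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/archive/h9qkct2hr8.qa.egnyte-appliance.com
cert = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/cert.pem
[renewalparams]
account = 7c8511db5621db93cef292589a8da0f5
work_dir = /opt/certservice/3.3.0.1645093818/LE/work
config_dir = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com
webroot_path = /usr/share/nginx/html/letsencrypt,
[[webroot_map]]
h9qkct2hr8.qa.egnyte-appliance.com = /usr/share/nginx/html/letsencrypt
"""

if __name__ == "__main__":
    print(rewrite_renewal_conf(SAMPLE_CONF, "/opt/certservice/LE"))
```

Run it with write=False first over every file under the config_dir's renewal/ directory and look at the missing list: until the archive/ and live/ trees (which hold the private keys) have actually been moved to the fixed location, the rewrite is refused, which avoids ending up with a config that points at an even emptier path than before.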
rg305
January 25, 2024, 1:10pm
7
You can use vi or nano.
But using reconfigure would be ideal.
[but that may require using a newer version of certbot]
3 Likes
April
January 25, 2024, 1:14pm
8
The certservice that we have is a python utility that has been written to issue and renew certificates. And there are hundreds of such certificates, so using any manual techniques (vi) is the last resort.
From the latest certbot help reconfigure I could not find config-dir and work-dir under reconfigure:
Common options that may be updated with the "reconfigure" subcommand:
1 Like
rg305
January 25, 2024, 1:16pm
9
Yeah... I'm not too familiar with that option.
[it would be great - if it does what you need]
I'd set up a more permanent path and then update the python code to use that fixed path instead.
3 Likes
rg305
January 25, 2024, 1:18pm
10
You could also dig deeper into how certbot uses environment variables.
And set that changing version as a system-wide variable.
3 Likes
April
January 25, 2024, 4:09pm
12
I just hope that reconfigure accepts config-dir and work-dir options and sets those values in renewal.conf.
April
January 25, 2024, 4:31pm
13
No luck. certbot requires the original config-dir path to work with, so I can't provide a new config-dir.
April
February 7, 2024, 2:25pm
14
Any more suggestions here on how I may achieve this?
MikeMcQ
February 7, 2024, 3:14pm
15
What about not using --config-dir at all and just letting Certbot use its default folders, which are /etc/letsencrypt/...
Then, use a --deploy-hook to copy newly issued certs to your needed destination.
Instead of a deploy-hook you could even have a new script that runs daily to copy all certs from the /etc/letsencrypt folders to your needed location.
Or, can you set up a symlink from the current config-dir to something else?
Then, refresh that symlink whenever your needed target destination changes?
3 Likes
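The --deploy-hook route MikeMcQ suggests, as an added example that is not part of the thread or of Certbot. Certbot runs the hook after a successful renewal with RENEWED_LINEAGE (the lineage's live/ directory) and RENEWED_DOMAINS (space-separated names) in the environment; those two variable names are Certbot's, while DEST_ROOT and the per-domain subdirectory layout are assumptions. The copy dereferences the live/ symlinks so the destination holds real files, writes each file under a temporary name and renames it into place so a reader never sees a half-written key, and keeps privkey.pem owner-only; demo() builds a constructed lineage in a temp directory to show the result.

```python
"""Certbot --deploy-hook that copies a freshly renewed lineage to a fixed
directory.  Added example, not from the thread or from Certbot.  RENEWED_LINEAGE
and RENEWED_DOMAINS are the environment variables Certbot sets for deploy hooks;
DEST_ROOT and the per-domain subdirectory layout are assumptions."""
import os
import shutil
import stat
import tempfile

DEST_ROOT = "/opt/certservice/LE/deployed"   # assumption: fixed target chosen by the operator
LINEAGE_FILES = ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")


def copy_lineage(lineage_dir, dest_dir):
    """Copy the four lineage files from a Certbot live/ directory into dest_dir.
    Symlinks are dereferenced so the copy is the current archive version, each
    file is written to a temp name and renamed so readers never see a partial
    file, and the private key is restricted to the owner.  Returns the list of
    file names copied."""
    os.makedirs(dest_dir, mode=0o750, exist_ok=True)
    copied = []
    for name in LINEAGE_FILES:
        src = os.path.join(lineage_dir, name)
        if not os.path.isfile(src):          # isfile() follows the live/ symlink
            raise FileNotFoundError(src)
        mode = 0o600 if name == "privkey.pem" else 0o644
        fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix="." + name + ".")
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
        os.chmod(tmp, mode)
        os.replace(tmp, os.path.join(dest_dir, name))   # atomic rename into place
        copied.append(name)
    return copied


def deploy_from_env(env=os.environ, dest_root=DEST_ROOT):
    """Entry point used when Certbot runs this script as a deploy hook."""
    lineage = env.get("RENEWED_LINEAGE")
    domains = env.get("RENEWED_DOMAINS", "").split()
    if not lineage or not domains:
        raise SystemExit("not running under a Certbot deploy hook")
    # One subdirectory per lineage, named after its first (primary) domain.
    return copy_lineage(lineage, os.path.join(dest_root, domains[0]))


def demo():
    """Constructed fixture: a fake live/ directory whose entries are symlinks
    into archive/, mirroring Certbot's layout, deployed into a temp destination."""
    root = tempfile.mkdtemp()
    archive = os.path.join(root, "archive", "example.test")
    live = os.path.join(root, "live", "example.test")
    os.makedirs(archive)
    os.makedirs(live)
    for name in LINEAGE_FILES:
        target = os.path.join(archive, name.replace(".pem", "1.pem"))   # cert1.pem etc.
        with open(target, "w") as f:
            f.write("constructed " + name + "\n")
        os.symlink(target, os.path.join(live, name))
    env = {"RENEWED_LINEAGE": live, "RENEWED_DOMAINS": "example.test www.example.test"}
    dest_root = os.path.join(root, "deployed")
    copied = deploy_from_env(env, dest_root)
    key = os.path.join(dest_root, "example.test", "privkey.pem")
    result = {
        "copied": copied,
        "privkey_mode": stat.S_IMODE(os.stat(key).st_mode),
        "privkey_is_symlink": os.path.islink(key),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(deploy_from_env())
```

Installed as `--deploy-hook /path/to/this_script.py` (or dropped into the renewal-hooks/deploy directory under Certbot's config dir), this runs once per renewed lineage, so the renewal itself stays on Certbot's default paths while the service reads from the fixed destination.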
April
February 16, 2024, 3:07pm
16
Without those options, will the renewal work?
rg305
February 16, 2024, 4:05pm
17
Renewals are not contingent on deploy-hooks
[which happen AFTER a cert has been renewed].
The renewal should use the information stored in the renewal config file.
2 Likes
April
February 22, 2024, 12:17pm
18
That means, since my renewal config is pointing to broken links, I don't have any other option ?
rg305
February 22, 2024, 3:08pm
19
I don't understand what you mean by:
Please show that renewal config file.
2 Likes
April
February 22, 2024, 4:01pm
20
# renew_before_expiry = 30 days
version = 1.23.0
archive_dir = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/archive/j99ve1iw62.qa.egnyte-appliance.com
cert = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/live/j99ve1iw62.qa.egnyte-appliance.com/cert.pem
privkey = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/live/j99ve1iw62.qa.egnyte-appliance.com/privkey.pem
chain = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/live/j99ve1iw62.qa.egnyte-appliance.com/chain.pem
fullchain = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/live/j99ve1iw62.qa.egnyte-appliance.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 93b2d96a3016cc8f280796c89e7b4a8d
config_dir = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com
work_dir = /opt/certservice/3.3.0.1652419071/LE/work
logs_dir = /opt/certservice/3.3.0.1652419071/LE/logs
authenticator = webroot
webroot_path = /usr/share/nginx/html/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
j99ve1iw62.qa.egnyte-appliance.com = /usr/share/nginx/html/letsencrypt
The config_dir and work_dir may point to directories that no longer exist, as 3.3.0... could have been changed to something else after the last renewal.
rg305
February 22, 2024, 4:08pm
21
Can they all be copied/moved back to that path?
2 Likes