How to change config-dir and work-dir during renewal

My domain is: egnyte-appliance.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.1

I noticed that the config_dir and work-dir specified in the renewal config file are broken on my machine. It seems the path is relative to some temporary path that no longer exists.

Is there some way I can change this with the certbot command during renewal? I was looking in the certbot reconfigure options but could not find an option to change those. Also, the certbot version installed on our servers is too old.

I want to change the config-dir and work-dir to a permanent path so that it is no longer broken.

That seems a bit outdated, and might explain why reconfigure isn't doing what you asked of it.

Please show us the renewal config file.

4 Likes

Here are the contents of the config file for one of the certificates:

version = 0.40.1
archive_dir = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/archive/h9qkct2hr8.qa.egnyte-appliance.com
cert = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/cert.pem
privkey = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/privkey.pem
chain = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/chain.pem
fullchain = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com/live/h9qkct2hr8.qa.egnyte-appliance.com/fullchain.pem

[renewalparams]
account = 7c8511db5621db93cef292589a8da0f5
work_dir = /opt/certservice/3.3.0.1645093818/LE/work
config_dir = /opt/certservice/3.3.0.1645093818/LE/config/h9qkct2hr8.qa.egnyte-appliance.com
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
logs_dir = /opt/certservice/3.3.0.1645093818/LE/logs
webroot_path = /usr/share/nginx/html/letsencrypt,
[[webroot_map]]
h9qkct2hr8.qa.egnyte-appliance.com = /usr/share/nginx/html/letsencrypt

The trouble is that this /opt/certservice/<version-number> keeps changing with different releases of the service.

1 Like

Are you forced to use that changing path?
Can you bolt it down [somehow]?

3 Likes

Nope, no one is forcing us.
The original author of the service didn't pay attention to this so it was a changing path.

Now, I want to bolt it down to a specific fixed directory.

To change these directories in the renewal conf, do I have to tinker with sed scripting, or can the reconfigure command help?

1 Like

You can use vi or nano.

But using reconfigure would be ideal.
[but that may require using a newer version of certbot]

3 Likes

The certservice that we have is a Python utility that has been written to issue and renew certificates. And there are hundreds of such certificates, so using any manual technique (vi) is the last resort.

From the latest certbot help reconfigure output I could not find config-dir and work-dir under:

reconfigure:
  Common options that may be updated with the "reconfigure" subcommand:

1 Like

Yeah... I'm not too familiar with that option.
[it would be great - if it does what you need]

I'd set up a more permanent path and then update the Python code to use that fixed path instead.

3 Likes

You could also dig deeper into how certbot uses environment variables.
And set that changing version as a system-wide variable.

3 Likes

Yeah, that's the idea

2 Likes

I just hope that reconfigure accepts config-dir and work-dir option and sets those values in renewal.conf

No luck :frowning:
certbot requires the original config-dir path to work with, so I can't provide a new config-dir.

Any more suggestions here on how I may achieve this?

What about not using --config-dir at all and just letting Certbot use its default folders, which are /etc/letsencrypt/...?

Then, use a --deploy-hook to copy newly issued certs to your needed destination.

Instead of a deploy-hook you could even have a new script that runs daily to copy all certs from the /etc/letsencrypt folders to your needed location.

Or, can you set up a symlink from the current config-dir to something else?

Then, refresh that symlink whenever your needed target destination changes?

3 Likes

Without those options, will the renewal work?

Renewals are not contingent on deploy-hooks [which happen AFTER a cert has been renewed].
The renewal should use the information stored in the renewal config file.

2 Likes

That means, since my renewal config is pointing to broken links, I don't have any other option?

I don't understand what you mean by:

Please show that renewal config file.

2 Likes

# renew_before_expiry = 30 days
version = 1.23.0
archive_dir = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/archive/j99ve1iw62.qa.egnyte-appliance.com
cert = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/live/j99ve1iw62.qa.egnyte-appliance.com/cert.pem
privkey = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/live/j99ve1iw62.qa.egnyte-appliance.com/privkey.pem
chain = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/live/j99ve1iw62.qa.egnyte-appliance.com/chain.pem
fullchain = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com/live/j99ve1iw62.qa.egnyte-appliance.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 93b2d96a3016cc8f280796c89e7b4a8d
config_dir = /opt/certservice/3.3.0.1652419071/LE/config/j99ve1iw62.qa.egnyte-appliance.com
work_dir = /opt/certservice/3.3.0.1652419071/LE/work
logs_dir = /opt/certservice/3.3.0.1652419071/LE/logs
authenticator = webroot
webroot_path = /usr/share/nginx/html/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
j99ve1iw62.qa.egnyte-appliance.com = /usr/share/nginx/html/letsencrypt

The config_dir and work_dir may point to directories that no longer exist, as 3.3.0... could have been changed to something else after the last renewal.

Can they all be copied/moved back to that path?

2 Likes
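As an added example (not from this thread and not Certbot's own code), here is a small Python helper that does what the "sed scripting" route discussed above amounts to: it rewrites the release-stamped /opt/certservice/<release>/LE prefix in a renewal config to a fixed path, and then reports which referenced paths still do not exist, since renewal can only work once the archive/live/work directories are actually present at the new location. The fixed prefix (/opt/certservice/current/LE), the hostname and the sample config contents are assumptions modelled on the config posted in the thread.

```python
import os
import re

# Keys in a Certbot renewal config whose values are filesystem paths
PATH_KEYS = {"archive_dir", "cert", "privkey", "chain", "fullchain",
             "config_dir", "work_dir", "logs_dir"}
# Release-stamped prefix as seen in the thread, e.g. /opt/certservice/3.3.0.1652419071/LE
VERSIONED_PREFIX = re.compile(r"^/opt/certservice/[0-9][0-9.]*/LE(?=/|$)")
# key = value lines; trailing whitespace is dropped from the value
KEY_LINE = re.compile(r"^(\s*)([A-Za-z_]+)(\s*=\s*)(.*?)\s*$")

def rewrite_renewal_conf(text, fixed_prefix):
    """Return (new_text, changed) where changed lists every rewritten value.
    Only path-valued keys are touched; account, server, version and the
    [[webroot_map]] hostname entries are left exactly as they were."""
    out, changed = [], []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m and m.group(2) in PATH_KEYS:
            new_val, n = VERSIONED_PREFIX.subn(fixed_prefix, m.group(4))
            if n:
                line = f"{m.group(1)}{m.group(2)}{m.group(3)}{new_val}"
                changed.append(new_val)
        out.append(line)
    return "\n".join(out) + "\n", changed

def missing_paths(text, exists=os.path.exists):
    """Paths referenced by path-valued keys that do not exist on disk.
    A non-empty result means the archive/live/work directories still have
    to be moved to the new prefix before a renewal can succeed."""
    refs = [m.group(4) for m in map(KEY_LINE.match, text.splitlines())
            if m and m.group(2) in PATH_KEYS]
    return [p for p in refs if not exists(p)]

# Constructed sample, modelled on the renewal config posted in the thread
SAMPLE_CONF = """\
version = 1.23.0
archive_dir = /opt/certservice/3.3.0.1652419071/LE/config/example.test/archive/example.test
cert = /opt/certservice/3.3.0.1652419071/LE/config/example.test/live/example.test/cert.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
config_dir = /opt/certservice/3.3.0.1652419071/LE/config/example.test
work_dir = /opt/certservice/3.3.0.1652419071/LE/work
logs_dir = /opt/certservice/3.3.0.1652419071/LE/logs
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
example.test = /usr/share/nginx/html/letsencrypt
"""

if __name__ == "__main__":
    new_text, changed = rewrite_renewal_conf(SAMPLE_CONF, "/opt/certservice/current/LE")
    print(new_text)
    print("still missing on disk:", missing_paths(new_text))
```

Run it against each file in renewal/ (with a backup first) and only let Certbot renew once missing_paths() comes back empty for that file.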