How to clear out .conf files that "might not work"?

I’m getting a bunch of warnings that “This might not work.” on a series of .conf files for each domain. This is due to the fact that I’ve been trying to get letsencrypt to work according to various instructions, ending up with some from version 1.2.0 hanging around.

How can I start clean with version 0.31.0? Can I just go in and delete all the .conf files under /etc/letsencrypt/renewal/ and try running

# systemctl start certbot.service

?

You should provide more detail/complete error/warning messages.

Until then, I will try to answer your question with the little that is known.

Uninstalling LE and reinstalling another version is rather trivial - when done properly.
[never use the RM command - removing files manually can lead to problems]
So...

Definitely NO.
Do not delete anything manually.
Use commands, like:
certbot delete
[if you need to delete a cert - not likely]
and then undo the installation method, maybe something like:
apt remove certbot

# apt remove certbot leaves the problematic .conf files around.

If certbot is removed, how are the remaining certbot files problematic?
You need to be more specific with:

The phrase ‘certbot files’ is confusing in this context. There are a whole bunch of files that apt remove certbot does not remove that are under /etc/letsencrypt. It is desirable that it not remove all of them, since I had to hand-code scripts under /etc/letsencrypt/renewal-hooks. Nevertheless, prior to apt remove certbot I made a backup of those, just in case it did remove them along with the hoped-for deletion of the problematic .conf files under /etc/letsencrypt/renewal.

Having said that, here are the messages:

2020-03-02 19:02:46,851:DEBUG:certbot.main:certbot version: 0.31.0
2020-03-02 19:02:46,851:DEBUG:certbot.main:Arguments: ['-q']
2020-03-02 19:02:46,852:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-linode,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-03-02 19:02:46,862:DEBUG:certbot.log:Root logging level set at 30
2020-03-02 19:02:46,863:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-03-02 19:02:46,865:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0001.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,873:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fc8d9120b38> and installer <certbot.cli._Default object at 0x7fc8d9120b38>
2020-03-02 19:02:46,882:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,884:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,885:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0002.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,889:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,890:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,891:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0003.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,895:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,896:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,897:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0004.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,900:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,901:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,902:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0005.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,906:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,907:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,908:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0006.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,911:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,912:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,913:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0007.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,916:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,917:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,918:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0008.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,921:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,922:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,923:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0009.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,926:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,927:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,928:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0010.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,931:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,932:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,933:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0011.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,936:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,937:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,938:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0012.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,941:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,942:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,943:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0013.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,946:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,946:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,947:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com-0014.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,950:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,951:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,952:INFO:certbot.storage:Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/mydomain.com.conf with version 0.31.0 of Certbot. This might not work.
2020-03-02 19:02:46,955:INFO:certbot.renewal:Cert not yet due for renewal
2020-03-02 19:02:46,956:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-03-02 19:02:46,961:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2020-01-21 04:17:39 UTC.
2020-03-02 19:02:46,961:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2020-03-02 19:02:46,961:INFO:certbot.renewal:Non-interactive renewal: random delay of 318 seconds

Hi @jabowery,

Thanks for providing the whole error message. I also didn’t realize which message you were referring to originally, so it’s helpful to see it in context.

This downgrade warning is probably not a problem, but to remove duplicative certificates, the best way is certbot delete --cert-name example.com-0004 (for example). First, make sure that no other application is actively using the certificates that you’re going to delete.


Thanks. The deploy script copies them to user directories, one per virtualhost, so it isn’t essential that they be kept around at all.

I followed the debian buster apache install procedure, but I want to have multiple virtual hosts with wildcards using the linode authenticator with the standard (supported) debian package. My suspicion is that the way I got into this situation is that somewhere along the line I was told I had to upgrade to the “current” version of certbot and things didn’t quite work out. Vague recollection. But in any event, I’m also told that the only supported installation is the one at the aforelinked page.

If you delete all of them, then certbot renew won't work (because it won't find anything to renew)—were you planning on handling renewals in a different way?

The .conf have authenticator = webroot whereas I’ve changed to use authenticator = dns-linode.

So I want to regenerate the .conf files, however that’s done, and do so with a command like:

# certbot certonly --dry-run -a dns-linode --dns-linode-credentials .linode_api/certbot -d *.mydomain2.com -d mydomain3.com -d *.mydomain3.com -d *.mydomain4.com -d *.mydomain1.com -d mydomain2.com -d mydomain4.com -d mydomain1.com

Is it the case that all I need to do is run that command and it will take care of the files under /etc/letsencrypt/renewal/ ?

Each .conf file refers to a separate certificate, but each time you run certbot certonly, it will act on only one certificate.

If you want to replace all of the certificates with a single certificate, then the command you gave will work to create that certificate (but not to delete the others).

If you want to keep them all separate, you would need to run a separate certonly command for each individual certificate that you want to keep, in order to update the authenticator.

You can also manually edit the .conf files with a text editor to change the authenticator line, as long as you also add the dns_linode_credentials information appropriately.

Thanks. Since these domains share an IP address, I think I see what I need to do then. The certbot command I gave creates a single certificate for mydomain2.com (because it is the first listed). So I want to go ahead and delete all other certificates using, e.g., certbot delete --cert-name example.com-0004 and run the wildcard certbot certonly.

Be careful—the certificate will cover all of the domains you request, but it will be named after the first domain in the list. (A Let's Encrypt certificate can cover up to 100 different names, and will be valid for each of them.) You can check the coverage of your existing certificates by running certbot certificates.

Yes. I now have exactly one .conf file under /etc/letsencrypt/renewal/ and one certificate for all the domains (as I intended). However, the deploy script apparently won’t be executed until the new cert is renewed, which is a loose end. Moreover, it needs to run for each domain listed by certbot certificates for that one cert. I suppose I can rewrite the script to run certbot certificates and parse the output to drive a for loop.

Our documentation about this is a little hard to find, but the deploy script can also access that information directly in the environment variable RENEWED_DOMAINS.
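A deploy hook along the lines discussed above, as an added example that is not from the original thread or from Certbot itself: it reads RENEWED_LINEAGE and RENEWED_DOMAINS and copies the renewed certificate into one directory per virtual host. The destination root (VHOST_ROOT) and the per-vhost layout are assumptions; the thread does not show the real script's layout.

```shell
#!/bin/sh
# Deploy hook for /etc/letsencrypt/renewal-hooks/deploy/: certbot exports
# RENEWED_LINEAGE (the live directory of the renewed cert) and
# RENEWED_DOMAINS (space-separated names covered by that cert).
set -eu

# Destination root is an assumption for this example.
VHOST_ROOT="${VHOST_ROOT:-/srv/vhosts}"

# Copy privkey.pem and fullchain.pem from the lineage into a per-domain
# directory and print how many virtual hosts were updated.
# Wildcard names are stored under "_wildcard.<domain>" since "*" is awkward
# in a path.
deploy_cert() {
    lineage="$1"
    domains="$2"
    count=0
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "deploy_cert: missing PEM files in $lineage" >&2
        return 1
    }
    set -f   # no pathname expansion: "*.example.com" must stay literal
    for d in $domains; do
        safe=$(printf '%s' "$d" | sed 's/^\*\./_wildcard./')
        dest="$VHOST_ROOT/$safe/ssl"
        mkdir -p "$dest"
        # Private key readable only by the owner; the chain is public.
        install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem"
        install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem"
        count=$((count + 1))
    done
    set +f
    echo "$count"
}

# When invoked by certbot, act on the environment it provides.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${RENEWED_DOMAINS:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$RENEWED_DOMAINS"
fi
```

Because deploy hooks only fire on a successful renewal, the first run after switching to the single wildcard certificate still needs a manual invocation (or --force-renewal, as discussed below in the thread) to populate the vhost directories.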

Well, now I’m stuck because there is no provision for certonly deployment and the currently deployed certs will likely expire before I’m permitted to renew.

I think you (and some of the documentation out there) might be confused about renewal schedules as a matter of Let’s Encrypt CA policy and as a matter of Certbot policy. In the Let’s Encrypt case, certificates may be renewed at any time as long as you haven’t obtained more than 5 identical certificates during the past week, or more than 50 certificates containing a reference to subdomains of the same registered domain during the past week. In the Certbot case, individual certificates will be considered due for renewal by Certbot when they expire in less than 30 days from the present moment.

These policies are totally independent of one another.

If you use --force-renewal in a certbot certonly or certbot renew command, Certbot will ignore its judgment of when a certificate is due for renewal or not, and attempt to renew it immediately.
