@_az sorry this site just told me that I reached my limit for replies for today so I couldn’t answer you! lol
anyway, the site is back and has a certificate that expires next month
@_az thank you so much! you are a literal genius!
by the way, next month when my certificate expires, what command do I use to renew the certificate, `letsencrypt renew`?
Hah, sounds like I did more harm than help in this case :(.
If your current SSL is working, using your modern Certbot to automatically renew certificates would probably look something like this:
certbot certonly --webroot -w /srv/users/serverpilot/apps/portfolio/public \
-d example.org -d www.example.org \
--post-hook "service nginx-sp reload"
but it might be worth seeing if it would work first without any changes at present:
certbot renew --dry-run
@_az omfg, I had to make ANOTHER account, rofl
anyway, we are using `letsencrypt` here, not `certbot`. Do you mean the same commands but using `letsencrypt` instead of `certbot`?
BTW, what's your email in case I get locked out?
Unfortunately I don’t have the mod powers to uncap your post limit. Maybe @mnordhoff can uncap your accounts for you.
Yeah, you can use `letsencrypt` with those commands and it should work, but it would be better if you could use the modern Certbot. If you’ve already uninstalled it, no worries.
I’ve bumped the trust level on all 3 accounts.
@mnordhoff thanks!
@_az I would love to use certbot instead of letsencrypt but I'm not sure my serverpilot installation will allow it.
When I try to use certbot I get an error:
$ certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/benrothman.org.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for benrothman.org
http-01 challenge for www.benrothman.org
Cleaning up challenges
Attempting to renew cert (benrothman.org) from /etc/letsencrypt/renewal/benrothman.org.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/benrothman.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/benrothman.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
root@ubuntu-1gb-nyc1-01:/etc/nginx-sp/vhosts.d#
I thought sple.sh installed letsencrypt, so I need to stick with that unless I want to configure virtual hosts for certbot, which I do not know how to do. Maybe I should stick to `letsencrypt`?
oh no, I get the same output from running `letsencrypt renew --dry-run`. Is that broken now too?
It’s not broken, you’ll just need to reconfigure your renewal parameters to use webroot instead of standalone mode.
My previous post shows you how to do this, or now that I know your domain, like this:
certbot renew --cert-name benrothman.org --webroot -w /srv/users/serverpilot/apps/portfolio/public --post-hook "service nginx-sp reload"
If it asks you to do a force renewal, say yes.
If that succeeds, that’s all you need and it will be fully automatic in future. You can proceed to uninstall `letsencrypt` (note: do not `purge` the package) and forget about using sple.sh; since your nginx virtualhosts are already configured, it doesn’t really help you anymore.
actually I just ran a test and it failed:
$ certbot certonly --dry-run --webroot -w /srv/users/serverpilot/apps/portfolio/public -d benrothman.org -d www.benrothman.org --post-hook “service nginx-sp reload”
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: nginx-sp reload”
and the command still doesn't work if I substitute `letsencrypt` for `certbot`
Uhhh I think maybe some of the special quote characters from the forum might have snuck into your command. Can you try the amended `renew` version I have above?
@_az hmm, I have a mixed answer. It appears to have worked both with and without the dry-run flag, but when I ran the command without the dry-run flag, the output was all green except this, which printed in red:
Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer none.
do I need to fix that?
I think that could be a minor bug in Certbot.
You should be able to get rid of it by opening /etc/letsencrypt/renewal/benrothman.org.conf and removing the line that looks like:
installer = None
At the same time, confirm that the new webroot parameters are present in that file, and that `standalone` is gone.
ok I removed the installer line and ran a dry-run which succeeded. I am not sure what to look for to confirm that the webroot parameters are gone, but `standalone_supported_challenges = "tls-sni-01,http-01"` is there, so is that something I should delete?
You can delete it if you want, but it shouldn’t be affecting you anyway (since your `authenticator` should currently be `webroot`, which doesn’t care about that setting).
You may need to do a non-dry-run (possibly with `--force-renewal`) in order to actually save the correct settings to that file (unless you already have `authenticator = webroot`, in which case you’re all set).
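The checks on the renewal config that the last few posts describe (webroot authenticator, a webroot_map, no leftover `installer = None`) can be scripted. This is an added example, not code from the thread or from Certbot; it writes a constructed sample file modelled on the one discussed above instead of touching /etc/letsencrypt, and the example.org names and paths in it are placeholders.

```shell
# Added example (not from the thread or Certbot): sanity-check a Certbot renewal
# config for the two problems discussed above, standalone mode (fails while nginx
# holds port 80) and a leftover "installer = None" line, then apply the fix.
# Write a constructed sample mirroring the post-webroot state from the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
fullchain = /etc/letsencrypt/live/example.org/fullchain.pem
[renewalparams]
authenticator = webroot
installer = None
post_hook = service nginx-sp reload
standalone_supported_challenges = "tls-sni-01,http-01"
[[webroot_map]]
example.org = /srv/users/serverpilot/apps/portfolio/public
www.example.org = /srv/users/serverpilot/apps/portfolio/public
EOF
}
# Print the value of key $2 in config $1 (empty when the key is absent).
renewal_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# Succeed only when the config is in the working shape: webroot authenticator
# with a webroot_map, and no "installer = None" (the source of the red warning).
check_renewal_conf() {
    auth=$(renewal_param "$1" authenticator)
    if [ "$auth" != "webroot" ]; then
        echo "authenticator is '${auth:-unset}', expected webroot: re-run certbot renew with --webroot -w <docroot>"
        return 1
    fi
    if ! grep -q '^\[\[webroot_map\]\]' "$1"; then
        echo "webroot authenticator but no [[webroot_map]] section"
        return 1
    fi
    if [ "$(renewal_param "$1" installer)" = "None" ]; then
        echo "remove the 'installer = None' line from $1"
        return 1
    fi
    echo "OK: webroot mode, post_hook='$(renewal_param "$1" post_hook)'"
}
# Apply the fix from the thread: drop the installer line (sed -i is not POSIX).
fix_renewal_conf() {
    sed '/^[[:space:]]*installer[[:space:]]*=[[:space:]]*None[[:space:]]*$/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
CONF="${TMPDIR:-/tmp}/example-renewal.conf"
write_sample_conf "$CONF"
check_renewal_conf "$CONF" || { fix_renewal_conf "$CONF" && check_renewal_conf "$CONF"; }
```

Run it against a real file with `check_renewal_conf /etc/letsencrypt/renewal/<cert-name>.conf`, and follow up with `certbot renew --dry-run` to confirm the webroot challenge actually succeeds.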
ok that works swimmingly, thanks
So I am hoping the answer here is yes, but will the fact that I am using certbot now mean that I can still renew my certificates after the upcoming EOL for TLS-SNI-01 validation?
Yes, TLS-SNI isn’t something that is going to affect you.
Did you force-renew your certificate at all today? Because your server is still serving your certificate from December 23. I’m just wondering whether the nginx-sp reload hook actually worked. If you didn’t actually do a live renew, no problem.
I did not have to force renew, the renew command just got a new one. The cert expires Saturday, March 23, 2019 at 9:04:25 AM Eastern Daylight Time. Isn’t that a new cert?
Nope, that’s your old certificate that is valid from Dec 23 to March 23 (90 days).
I know it’s usually discouraged, but I’d try just doing one force-renew to confirm that all the pieces work together:
certbot renew --cert-name benrothman.org --force-renewal