Is it OK to certbot "run" with non-installing plugins?

Hi,

Some certbot plugin options, like --apache and --nginx, handle both authentication and installation. Others, like --webroot, --standalone and --manual, only handle authentication. The user guide naturally enough shows using certbot with the second set of options.

Is it OK to use the run subcommand, rather than the certonly subcommand, with the authentication-only plugin options? I.e., will "run" be friendly and act like certonly, and not worry about installation, if it's using a non-installing plugin? Or will it be friendly in a different way, and report the absence of installation instructions as an error?

I know I can delete a certificate lineage and create it again to test this, and I probably will, but I thought I'd ask here first.

The reason I'm asking is that I have a program that invokes certbot. The user can supply authentication/installation options for certbot, but it currently assumes that it's OK to use certbot's run subcommand. If that's not always the case, I need to either change it to determine when to use certonly instead of run, based on the supplied certbot options, or if that's not reliably doable, I need to change it to let the user specify when to use certonly instead of run. I'd prefer it if they didn't have to do that, but it might not always be avoidable. Thanks in advance for any advice.

1 Like

I'm somewhat sure that certbot run will not let you proceed without an installer. I might be wrong about that, but my reading of the code is that it should error out.

1 Like

The "run" option is hardly ever used; executing certbot or certbot run do the same thing.
So either would prompt you for an authentication and installation method.
You could pre-choose them, independently, with "-i" (for installer) and "-a" (for authentication method).
Using certonly would satisfy the installation prompt (no installer).
But it would still leave certbot asking for an authentication method.

You're correct, it will error out:

server ~ # certbot --webroot -w /tmp/ -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the webroot plugin, you probably want to use the "certonly" command, eg:

certbot certonly --webroot

(Alternatively, add a --installer flag. See User Guide — Certbot 2.7.0.dev0 documentation
and "--help plugins" for more information.)

Although I'm not sure why certbot just doesn't ask for choosing an installer, just like it would when no option is given at all?

2 Likes

Thanks everyone. It's much appreciated.

Perhaps the dichotomy of run/certonly isn't super helpful. Perhaps the presence of an authentication method should suffice to indicate that authentication is required, and the presence of an installation method should suffice to indicate that installation is required.

On the other hand, perhaps it is super helpful, as it indicates the user's intention, and so checks can be put in place. And yes, perhaps run should ask for an installer if none is supplied. If so, the answer "none" should be a valid interactive response. Perhaps a command line option to suppress installation would also be helpful.

Anyway, don't read too much into my command line interface philosophising. It's just something I do. I'm not asking for any changes. I just needed to understand how it is. I now know what changes I need to make to my program, so many thanks to you all.

2 Likes
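One way a wrapper program could choose between run and certonly from the options a user supplies, given the behaviour reported in this thread. This is an added example, not code from any poster or from certbot: has_installer and build_certbot_argv are hypothetical names, and it assumes the installer-selecting flags named in the thread (--apache, --nginx, -i/--installer) are the complete set and that values are given space-separated or as --installer=NAME.

```python
import shlex

# Flags taken from the thread. Treating them as the complete set is an
# assumption of this sketch; other installer plugins would need adding.
COMBINED_PLUGINS = {"--apache", "--nginx"}   # authenticate and install
INSTALLER_FLAGS = {"-i", "--installer"}      # explicit installer choice


def has_installer(options):
    """Return True if the certbot option list selects an installer."""
    tokens = iter(options)
    for opt in tokens:
        if opt in COMBINED_PLUGINS:
            return True
        if opt in INSTALLER_FLAGS:
            # The plugin name is the next token; its absence is a usage error.
            if next(tokens, None) is None:
                raise ValueError(f"{opt} requires a plugin name")
            return True
        if opt.startswith("--installer="):
            if not opt.partition("=")[2]:
                raise ValueError("--installer requires a plugin name")
            return True
    return False


def build_certbot_argv(option_string):
    """Build an argv list for certbot from user-supplied options.

    Picks "run" only when an installer is present, otherwise "certonly",
    which avoids the error shown in the thread for --webroot without one.
    """
    options = shlex.split(option_string)
    subcommand = "run" if has_installer(options) else "certonly"
    # A list is returned so the caller can hand it to subprocess.run()
    # without shell=True; user-supplied text never reaches a shell.
    return ["certbot", subcommand, *options]


if __name__ == "__main__":
    # Constructed sample inputs; nothing here executes certbot.
    for sample in ("--webroot -w /tmp/ -d example.com",
                   "--nginx -d example.com",
                   "-a webroot -i apache -w /var/www/html -d example.com"):
        print(build_certbot_argv(sample))
```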
