I want to use a staging environment to check before using production.
I have set up SSL with the command: certbot certonly --webroot --agree-tos --email myemail@gmail.com -d mydomain -w /var/www/mydomain/
However, when I test renewing the certificate in the test environment with the command certbot renew -d mydomain --dry-run, I received the notification below. I don't know for certain whether the above command is right or wrong because, when I search on the internet, most people show a congratulations notification, unlike me.
My notification:
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
Could anybody help me understand this notification?
Thanks
app@nginx:~$ sudo certbot certificates
sudo: unable to resolve host nginx: Name or service not known
[sudo] password for app:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: mydomain
Domains: mydomain
Expiry Date: 2021-10-13 17:18:56+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/mydomain/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain.vn/privkey.pem
I have tried certbot renew --dry-run; however, it failed. I received a notification like this:
app@nginx:~$ sudo certbot renew --dry-run
sudo: unable to resolve host nginx: Name or service not known
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/mydomain.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain
Using the webroot path /var/www/mydomain for all unmatched domains.
Waiting for verification...
Challenge failed for domain mydomain
http-01 challenge for mydomain
Cleaning up challenges
Attempting to renew cert (mydomain) from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Check your configs and ensure the webroot being used by certbot is the same one being served by nginx for that domain.
Also pay close attention to the redirection and the nginx HTTPS config.
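The check suggested above, as an added example that is not part of the original thread: a static comparison of the webroot certbot recorded in its renewal file with the `root` directives in an nginx site file. The sample files, the `example.test` domain and the function names are constructed for illustration; the script does not follow nginx `include` or `alias` directives.

```shell
#!/bin/sh
# Added example: compare certbot's recorded webroot with nginx root directives.

norm_path() {            # drop trailing slashes: /var/www/x/ == /var/www/x
    printf '%s\n' "$1" | sed 's:/*$::'
}

certbot_webroot() {      # certbot_webroot <renewal.conf> <domain>
    awk -v d="$2" '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == d) { print val; exit }
        }' "$1"
}

nginx_roots() {          # nginx_roots <site-file>; commented-out lines are skipped
    sed -n 's/^[[:space:]]*root[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1"
}

check_webroot() {        # check_webroot <renewal.conf> <site-file> <domain>
    want=$(certbot_webroot "$1" "$3")
    [ -n "$want" ] || { echo "no webroot_map entry for $3"; return 2; }
    want=$(norm_path "$want")
    for r in $(nginx_roots "$2"); do
        if [ "$(norm_path "$r")" = "$want" ]; then
            echo "OK: nginx serves $want"; return 0
        fi
    done
    echo "MISMATCH: certbot writes to $want; nginx roots: $(nginx_roots "$2" | tr '\n' ' ')"
    return 1
}

# Constructed stand-ins for /etc/letsencrypt/renewal/<name>.conf and a server block.
demo=$(mktemp -d)
printf '%s\n' '[renewalparams]' 'authenticator = webroot' 'webroot_path = /var/www/mydomain,' \
    '[[webroot_map]]' 'example.test = /var/www/mydomain' > "$demo/renewal.conf"
printf '%s\n' 'server {' '  listen 80;' '  server_name example.test;' \
    '  root /var/www/html;' '}' > "$demo/bad.nginx"
printf '%s\n' 'server {' '  listen 80;' '  server_name example.test;' \
    '  # root /var/www/old;' '  root /var/www/mydomain/;' '}' > "$demo/good.nginx"

check_webroot "$demo/renewal.conf" "$demo/bad.nginx"  example.test || true
check_webroot "$demo/renewal.conf" "$demo/good.nginx" example.test
```

A match here only shows the two configurations agree on paper; a redirect or a more specific `location` block can still keep the challenge file from being served.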
I have some questions, so could you help explain them?
I read information on the internet and I wonder whether the certbot renew --dry-run command is only used to check whether the certificate is wrong or right. If it is right, I will use the certbot renew command to renew my cert that is about to expire.
certbot renew --dry-run is to check if certificates can be renewed.
If any renewal was not possible, it should show entries in the logs as to any reason(s) for such failure(s).
certbot renew is the correct command to renew expiring certs.
It should be run on a schedule at least once a day - recommended twice a day.
Most of the time it will just check but have nothing to do, while certs are not nearing their expirations.