Let's Encrypt renewal simulation problem

Hello,

I obtained the cert by using the --standalone auth plugin while no web server was running, with this command:

sudo certbot certonly --standalone --domains example.com --rsa-key-size 2048 --must-staple --email admin@example.com --no-eff-email --agree-tos --preferred-challenges tls-sni

Everything went fine.

Now, I installed NGINX and want to renew cert by using --webroot. I edited /etc/letsencrypt/renewal/example.com.conf
file and added the following:

authenticator = webroot
webroot-path = /path/to/webroot

Then, I run sudo certbot renew --dry-run and I get the following error:

Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for example.com:
Choices: ['Enter a new webroot']

(You can set this with the --webroot-path flag). Skipping.

I expect this to work, but it doesn't. What is wrong with this?

OS: Ubuntu 16.04.3
Certbot: 0.17.0

Hi @blaja,

Could you please post the entire file /etc/letsencrypt/renewal/example.conf before the edit and after your edit?

Cheers,
sahsanu

Hi @sahsanu,

Before edit:

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxx
must_staple = True
authenticator = standalone
rsa_key_size = 2048
installer = None
pref_challs = tls-sni-01,

After edit:

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxx
must_staple = True
#authenticator = standalone
authenticator = webroot
webroot-path = /path/to/webroot
rsa_key_size = 2048
installer = None
#pref_challs = tls-sni-01,

Hi @blaja,

Change it to this:

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxx
authenticator = webroot
rsa_key_size = 2048
installer = None
[[webroot_map]]
example.com = /path/to/example.com/webroot 

If your certificate is currently covering more domains, like www.example.com, in section [[webroot_map]] you need to write a line for each of them pointing to the webroot used in your nginx conf.

[[webroot_map]]
example.com = /path/to/example.com/webroot
www.example.com = /path/to/www.example.com/webroot

Also, it is a good idea to reload your nginx service once the renewal has been processed.

post_hook = service nginx reload

or

post_hook = systemctl reload nginx

or whatever your system uses to reload it.

Example with 2 domains (example.com and www.example.com) and reloading nginx using service once the cert is renewed:

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxx
authenticator = webroot
rsa_key_size = 2048
installer = None
post_hook = service nginx reload
[[webroot_map]]
example.com = /path/to/example.com/webroot 
www.example.com = /path/to/www.example.com/webroot 

Cheers,
sahsanu
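A pre-flight check for the renewal file layout described in the answer above, added here as an example and not certbot's own code: a minimal stand-in parser for the renewal conf (top-level keys, [renewalparams], nested [[webroot_map]]) plus the check that every domain the certificate covers has a webroot mapped, which is what the "Select the webroot for example.com" error is about. The domain list is passed in as an assumption (in real use it comes from the certificate), and the two confs are constructed to mirror the thread.

```python
import re

def parse_renewal_conf(text):
    """Parse a certbot renewal conf: top-level keys, [section] and nested [[sub]]."""
    conf, section, sub = {"": {}}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # skip comments such as #pref_challs
        m = re.match(r"^\[\[(.+?)\]\]$", line)        # nested section, e.g. [[webroot_map]]
        if m:
            sub = m.group(1)
            conf[section][sub] = {}
            continue
        m = re.match(r"^\[(.+?)\]$", line)            # top-level section, e.g. [renewalparams]
        if m:
            section, sub = m.group(1), None
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        target = conf[section][sub] if sub else conf[section]
        target[key.strip()] = value.strip()
    return conf

def check_webroot_renewal(text, domains):
    """Problems that would make `certbot renew --dry-run` fail; `domains` = names on the cert."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []                                     # only the webroot plugin needs a map
    webroot_map = params.get("webroot_map", {})
    problems = [f"no [[webroot_map]] entry for {d}" for d in domains if d not in webroot_map]
    if "post_hook" not in params:
        problems.append("no post_hook to reload nginx after renewal")
    return problems

# Constructed confs mirroring the thread: the edit that failed and the working layout.
BROKEN_CONF = """[renewalparams]
authenticator = webroot
webroot-path = /path/to/webroot
rsa_key_size = 2048
"""
FIXED_CONF = """[renewalparams]
authenticator = webroot
rsa_key_size = 2048
post_hook = service nginx reload
[[webroot_map]]
example.com = /path/to/example.com/webroot
www.example.com = /path/to/www.example.com/webroot
"""
```

Run the checker over /etc/letsencrypt/renewal/*.conf before the dry run; an empty list means every covered name has a webroot and a reload hook is in place.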

