I’m currently trying to automate the renewal of my certificates using letsencrypt-auto. I configured a conf file to include most parameters and set up symlinks to handle multiple domains in nginx using the webroot method.
The problem I’m facing is that the client always requires manual input when renewing an existing certificate (“Do you want to renew and replace this certificate with a newly-issued one?”) and I’ve not yet managed to find a parameter that disables this check.
Is there currently a way to achieve fully automated renewal so I can set up a cron job to do it?
The renewer tool is still a work in progress, and I know the client team would happily accept help on it.
As the beta email mentions, you should be prepared to manually intervene at this point since the renewer isn’t quite ready yet.
I believe Debian is the first OS whose installation package will actually configure the renewer, but ultimately we’d like that to happen out of the package manager for all OSes.
Thanks for the information. I thought that this was not quite ready yet and tried to find a workaround for now. I didn’t know about the plans for the Debian package. It’s great to see how LE is adopted by distributions.
Is there a way to disable the confirmation dialog…
“Your existing certificate has been successfully renewed, and the new certificate has been installed.”
…what option can I use to make this go away?
Thanks,
-Rob A
When trying on the command line, the “--renew-by-default” switch does not suppress the final confirmation dialog.
I’m sure this will cause issues when using crontab to renew the certificate(s).
Suggestion would be to replace the notification with a simple infobox.
I use certonly in conjunction with --renew-by-default and it renews just fine without prompt via cron. I am using webroot auth though. Maybe difference there?
Using certonly, --renew-by-default and --standalone seems to work.
Anyhow, one question:
What does “--renew-by-default” actually do? It seems to be trying to get a new certificate every time. Does it check for expiration?
It will renew a cert automatically should it already exist (with specified -d entries), regardless of age. Otherwise it simply requests a new one.
The option --keep-until-expiring (maybe requires 0.1.1 client) will always keep your existing cert and do nothing else until it’s actually due for renewal. The client help section points to this as the better renewal path option.
Do --renew-by-default and --keep-until-expiring need to be used together?
Right now I get the
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: …
Error.
Your new error means you have been rate limited. 5 certs / 7 days for any one domain.
You can and probably should use the staging server for testing and figuring this out. In the new client, that means (I believe) specifying the cmd line option:
--test-cert
Or
--staging
I haven’t tried this myself (staging). Only reading the help output from letsencrypt-auto.
Ok. Thanks a lot.
--keep-until-expiring seems to be working fine.
No errors and it’s not changing anything.
So. I’ll keep this one. I didn’t see this option in the help output. Thanks again for pointing that out to me!
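
Added example, not part of the thread and not the Let's Encrypt project's own code: a cron wrapper built from the options discussed above (certonly, webroot, --keep-until-expiring) that reloads nginx only when the certificate file actually changed. The client path, webroot directory, live-certificate directory and reload command are assumptions to adjust for your system.

```shell
#!/bin/sh
# Cron wrapper for unattended renewal with the options named in the thread.
# Assumed defaults (not from the thread): every path below and the reload command.
LE_CLIENT="${LE_CLIENT:-/opt/letsencrypt/letsencrypt-auto}"
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

# Print a checksum of the certificate file, or "none" if it does not exist yet.
cert_sum() {
    if [ -f "$1" ]; then cksum < "$1"; else echo none; fi
}

# renew_domain DOMAIN [extra client options, e.g. --test-cert]
# Sets RENEW_RESULT to renewed, unchanged or failed; returns non-zero on failure.
renew_domain() {
    domain="$1"; shift
    cert="$LIVE_DIR/$domain/cert.pem"
    before=$(cert_sum "$cert")

    # --keep-until-expiring leaves a still-valid certificate alone, so a
    # frequent cron run does not request a new one each time and run into the
    # "too many certificates already issued" rate limit (unlike --renew-by-default).
    "$LE_CLIENT" certonly --webroot -w "$WEBROOT" -d "$domain" \
        --keep-until-expiring "$@" || { RENEW_RESULT=failed; return 1; }

    after=$(cert_sum "$cert")
    if [ "$before" != "$after" ]; then
        RENEW_RESULT=renewed
        $RELOAD_CMD          # the web server only picks up the new cert on reload
    else
        RENEW_RESULT=unchanged
    fi
}

# Example cron entry (assumed script path and domain):
#   17 3 * * * /usr/local/sbin/le-renew.sh example.com
if [ "$#" -gt 0 ]; then
    renew_domain "$@"
    echo "$1: $RENEW_RESULT"
fi
```

Passing --test-cert as an extra argument points the run at the staging server, which is the safer way to try the job out before it goes into cron.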