Letsencrpyt-auto requires manual interaction on renewal


#1

Hi there,

I’m currently trying to automate the renewal of my certificates using letsencrypt-auto. I configured a conf file to include most parameter and setup symlinks to handle multiple domains in nginx using the webroot method.

The problem I’m facing is, that the client always requires manual input when renewing an existing certificate (“Do you want to renew and replace this certificate with a newly-issued one?”) and I’ve not yet managed to find a parameter that disables this check.

Is there currently a way to achieve renewal fully automated so I can setup a cronjob to do it?


#2

The renewer tool is still a work in progress, and I know the client team would happily accept help on it.

As the beta email mentions, you should be prepared to manually intervene at this point since the renewer isn’t quite ready yet.

I believe Debian is the first OS whose installation package will actually configure the renewer, but ultimately we’d like that to happen out of the package manager for all OSes.


#3

Try using the renew by default flag. That is what works for me.

--renew-by-default

#4

@jcjones

Thanks for the information. I thought that this was not quite ready yet and tried to find a workaround for now. I didn’t knew about the plans for the Debian package. It’s great to see how LE is adopted by distributions.

@CrosseyeJack

Thanks! That works like a charm :smile:


#5

Is there a way to disable to confirmation dialog…
“Your existing certificate has been successfully renewed, and the new certificate has been installed.”

…what option can I use to make this go away?
Thanks,
-Rob A


#6

–renew-by-default does exactly what you are looking for


#7

Hi Chris,

when trying on the command line, the “–renew-by-default” switch does not suppress the final confirmation dialog.
I’m sure this will cause issues when using crontab to renew the certificate(s).

Suggestion would be to replace the notification with a simple infobox.

Best,
Oliver


#8

I’m using this in cron and it’s working for me.

./letsencrypt-auto certonly --email me@domain.com --agree-tos --webroot --renew-by-default -w /var/www/html/ -d www.domain.com

It may be that the plugin you are using adds a confirmation dialog?


#9

Have you sorted this out? I have the same concern here. Cron job won’t work if cannot bypass the finial confirmation.


#10

Hi,
sorry, no. Maybe I’m missing something when renewing.
I just use

./letsencrypt-auto --renew-by-default --no-redirect -d do.mai.n -d do.mai.n -d do.mai.n

The server is an apache2.
Sadly, the documentation doesn’t really help here.


#11

i just use this in cronjob

i use nginx and the plugin its not that good yet

service nginx stop && cd /home/user/letsencrypt && ./letsencrypt-auto certonly --renew-by-default --standalone -d domain -d www.domain ; service nginx start

change “cd /home/user/letsencrypt” to your letsencrypt instalation path


#12

is “certonly” the correct parameter to use when renewing a certificate?
Maybe this might be the problem.


#13

I use certonly in conjunction with --renew-by-default and it renews just fine without prompt via cron. I am using webroot auth though. Maybe difference there?


#14

Using certonly, --renew-by-default and --standalone seems to work.
Anyhow, one question:
What does “–renew-by-default” actually do? It seems to be trying to get a new certificate everytime. Does ist check for expiration?


#15

It will renew a cert automatically should it already exist (with specified -d entries), regardless of age. otherwise it simply requests a new one.

The option --keep-until-expiring (maybe requires 0.1.1 client) will always keep your existing cert and do nothing else until it’s actually due for renewal. The client help section points to this as the better renewal path option.


#16

Do --renew-by-default and --keep-until-expiring need to be used together?
Right now I get the
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: …
Error.


#17

No. They offer two different use cases.

Your new error means you have been rate limited. 5 certs / 7 days for any one domain.

You can and probably should use the staging server for testing and figuring this out. In the new client, that means (I believe) specifying the cmd line option:

–test-cert
Or
–staging

I haven’t tried this myself (staging). Only reading the help output from letsencrypt-auto.


#18

Ok. Thanks a lot.
–keep-until-expiring seems to be working fine.
No errors and its not changing anything. :slight_smile:
So. I’ll keep this one. I didn’t see this option in the help output. Thanks again for pointing that out to me! :smile:


How to bypass final confirmation dialog?
#19

:ok_hand:

This is my 20 characters to make this post valid.

Haha, you’re welcome.