I am using Ubuntu 16.04 with nginx. I followed the instructions here: https://certbot.eff.org/#ubuntuxenial-nginx
First I created the certificate; this worked fine (after I stopped nginx), except that the instructions have a mistake in that they say to do "letsencrypt certonly" when obviously in fact you must do "sudo letsencrypt certonly". Apart from that it was all good.
Then I tried to test the renewal process as (almost) suggested by the instructions: "sudo letsencrypt renew --dry-run". This produced a warning and an apparently ‘fatal warning’ (!):
WARNING:letsencrypt.client:Registering without email! (Not true, I did provide an email address when I created the certificate.)
WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/example.conf produced an unexpected error: Missing command line flag or config entry for this setting: Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. You must agree in order to register with the ACME server at https://acme-staging.api.letsencrypt.org/directory (Not true, I did agree to the ToS when I created the certificate.)
I can of course add the "--agree-tos" command-line parameter, but if that’s supposed to be required then clearly the instructions are wrong. If the instructions aren’t wrong then the program is. Either way I still get the ‘missing email’ warning.
Finally, if I do run it with "--agree-tos" then it fails instead because nginx is of course using TCP/80. I understand that perhaps automated renewal is not supposed to be possible currently with nginx, but if so the instructions at certbot.eff.org are wrong to imply that it should work.
Also of course taking the web server down as suggested twice a day every day to renew (or check renewal) for certificates is unlikely to be acceptable for most users. Is there some reason the standalone auth code doesn’t pick a random available port <1024 for doing the verification?
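The port is not the client's to choose: in the ACME HTTP-01 challenge the CA connects to port 80 of the host being validated, so the standalone authenticator must own port 80 itself. The way to keep nginx running through issuance and renewal is the webroot authenticator, where nginx serves the challenge files from a directory. The script below is an added example, not code from the post above or from the certbot project; the webroot path, domain and email are placeholders, and the letsencrypt flags used (certonly, --webroot, -w, -d, --email, --agree-tos, --non-interactive, renew --dry-run) are standard ones, assumed present in the Ubuntu 16.04 package.

```shell
#!/bin/sh
# Added example (not from the original post or the certbot docs): keep nginx on
# port 80 and let it answer HTTP-01 challenges from a directory (the "webroot"
# authenticator) instead of the standalone authenticator, which needs port 80
# itself. Paths, domain and email below are assumptions for illustration.
set -eu

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"   # assumed; any directory nginx can read
DOMAIN="${DOMAIN:-example.com}"               # assumed; matches the renewal file in the post
EMAIL="${EMAIL:-admin@example.com}"           # assumed

# nginx fragment to include in the port-80 server block for $DOMAIN. The CA
# fetches http://$DOMAIN/.well-known/acme-challenge/<token>, so that prefix
# must map onto the webroot while everything else keeps its normal handling.
acme_location_block() {
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type "text/plain";
}
EOF
}

# Stage a probe file exactly where the webroot plugin would write a challenge
# token and print the URL path the CA would request for it, so the nginx
# mapping can be checked with curl before asking the CA to validate anything.
stage_probe_token() {
    webroot=$1
    token=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'probe-%s' "$token" > "$dir/$token"
    printf '/.well-known/acme-challenge/%s\n' "$token"
}

# Fetch the probe through nginx and compare it with what is on disk.
# Non-zero exit means nginx is not serving the directory (needs curl and a live server).
probe_served() {
    domain=$1
    webroot=$2
    token=$3
    expected=$(cat "$webroot/.well-known/acme-challenge/$token")
    got=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token")
    [ "$got" = "$expected" ]
}

# Issue once with the webroot authenticator. The renewal config written under
# /etc/letsencrypt/renewal/ then records the authenticator and webroot path,
# so a plain "letsencrypt renew" reuses them while nginx keeps running.
issue_with_webroot() {
    sudo letsencrypt certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
        --email "$EMAIL" --agree-tos --non-interactive
}

case "${1:-}" in
    nginx-snippet) acme_location_block "$WEBROOT" ;;
    probe)
        token=$(date +%s)
        path=$(stage_probe_token "$WEBROOT" "$token")
        probe_served "$DOMAIN" "$WEBROOT" "$token" && echo "nginx serves $path" ;;
    issue) issue_with_webroot ;;
    renew) sudo letsencrypt renew --dry-run ;;
    *) echo "usage: $0 nginx-snippet|probe|issue|renew" >&2 ;;
esac
```

Typical order: add the output of "nginx-snippet" to the server block and reload nginx, run "probe" until it reports the path is served, then "issue", and only then put "renew" in cron; the dry run against the staging directory shows whether a scheduled renewal will pass without stopping nginx.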