Making certbot edit its own config files?

9peppe · April 3, 2020, 12:50pm

Let’s say I got a certificate using certbot and I forgot to include a --deploy-hook, or I want to change what authenticator plugin to use.

Can I use a command like

certbot renew [--cert-name example.com] {whatever I want to change}

and expect certbot to save its own config without me needing to mess with editing /etc/letsencrypt/renewal/example.com.conf?

Osiris · April 3, 2020, 1:01pm

As far as I know, this is the case. Options which would be saved to the renewal configuration file on the first run, should also be saved when using renew. But I stand corrected if I’m wrong.

9peppe · April 4, 2020, 11:07am

I tried doing so⁽¹⁾ with a certificate that doesn’t need renewing and it didn’t edit the config file.

⁽¹⁾: certbot renew --cert-name 128.qualcuno.xyz --deploy-hook "echo puppa"

_az · April 4, 2020, 11:15am

If --dry-run is included, it won’t update the config. You have to force a live renewal in order to update the config file. It’s one of the more irritating aspects of Certbot.

Did you omit --dry-run from your example command?

Anyway, I just tried it out and it seems to work.

After first issuance:

$ cat /etc/letsencrypt/renewal/3e2113e8.ngrok.io.conf
# renew_before_expiry = 30 days
version = 1.3.0
archive_dir = /etc/letsencrypt/archive/3e2113e8.ngrok.io
cert = /etc/letsencrypt/live/3e2113e8.ngrok.io/cert.pem
privkey = /etc/letsencrypt/live/3e2113e8.ngrok.io/privkey.pem
chain = /etc/letsencrypt/live/3e2113e8.ngrok.io/chain.pem
fullchain = /etc/letsencrypt/live/3e2113e8.ngrok.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = d9abe02fd65c89a22205ea9c1b980e05
http01_port = 8123
server = https://acme-staging-v02.api.letsencrypt.org/directory

then:

$ sudo certbot-auto certonly --standalone --http-01-port 8123 -d 3e2113e8.ngrok.io --staging --deploy-hook "/bin/true"  --force-renewal

and the hook was added to the config:

$ cat /etc/letsencrypt/renewal/3e2113e8.ngrok.io.conf
# renew_before_expiry = 30 days
version = 1.3.0
archive_dir = /etc/letsencrypt/archive/3e2113e8.ngrok.io
cert = /etc/letsencrypt/live/3e2113e8.ngrok.io/cert.pem
privkey = /etc/letsencrypt/live/3e2113e8.ngrok.io/privkey.pem
chain = /etc/letsencrypt/live/3e2113e8.ngrok.io/chain.pem
fullchain = /etc/letsencrypt/live/3e2113e8.ngrok.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = d9abe02fd65c89a22205ea9c1b980e05
http01_port = 8123
server = https://acme-staging-v02.api.letsencrypt.org/directory
renew_hook = /bin/true

9peppe · April 4, 2020, 11:17am

Yes, but the renewal didn't happen because the cert is not expiring.

I guess it's time for a feature request, there's no reason to --force-renewal to update the configuration.

_az · April 4, 2020, 11:18am

Here’s an open one to add a vote to: https://github.com/certbot/certbot/issues/5828

system · May 4, 2020, 11:18am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
`certbot renew` overwriting renewal file Help	6	1486	May 19, 2020
Correct method for modifying the configuration file Help	6	467	March 17, 2024
Certificate config contains old renewal hook values Help	9	513	July 26, 2023
How to update lets encrypt conf file? Help	2	1852	September 19, 2017
Renew cert manually Help	9	10638	December 24, 2021

Making certbot edit its own config files?

Related topics