Making certbot edit its own config files?

Let’s say I got a certificate using certbot and I forgot to include a --deploy-hook, or I want to change what authenticator plugin to use.

Can I use a command like

certbot renew [--cert-name example.com] {whatever I want to change}

and expect certbot to save its own config without me needing to mess with editing /etc/letsencrypt/renewal/example.com.conf?

As far as I know, this is the case. Options which would be saved to the renewal configuration file on the first run, should also be saved when using renew. But I stand corrected if I’m wrong.

I tried doing so(1) with a certificate that doesn’t need renewing and it didn’t edit the config file.

(1): certbot renew --cert-name 128.qualcuno.xyz --deploy-hook "echo puppa"

If --dry-run is included, it won’t update the config. You have to force a live renewal in order to update the config file. It’s one of the more irritating aspects of Certbot.

Did you omit --dry-run from your example command?

Anyway, I just tried it out and it seems to work.

After first issuance:

$ cat /etc/letsencrypt/renewal/3e2113e8.ngrok.io.conf
# renew_before_expiry = 30 days
version = 1.3.0
archive_dir = /etc/letsencrypt/archive/3e2113e8.ngrok.io
cert = /etc/letsencrypt/live/3e2113e8.ngrok.io/cert.pem
privkey = /etc/letsencrypt/live/3e2113e8.ngrok.io/privkey.pem
chain = /etc/letsencrypt/live/3e2113e8.ngrok.io/chain.pem
fullchain = /etc/letsencrypt/live/3e2113e8.ngrok.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = d9abe02fd65c89a22205ea9c1b980e05
http01_port = 8123
server = https://acme-staging-v02.api.letsencrypt.org/directory

then:

$ sudo certbot-auto certonly --standalone --http-01-port 8123 -d 3e2113e8.ngrok.io --staging --deploy-hook "/bin/true"  --force-renewal

and the hook was added to the config:

$ cat /etc/letsencrypt/renewal/3e2113e8.ngrok.io.conf
# renew_before_expiry = 30 days
version = 1.3.0
archive_dir = /etc/letsencrypt/archive/3e2113e8.ngrok.io
cert = /etc/letsencrypt/live/3e2113e8.ngrok.io/cert.pem
privkey = /etc/letsencrypt/live/3e2113e8.ngrok.io/privkey.pem
chain = /etc/letsencrypt/live/3e2113e8.ngrok.io/chain.pem
fullchain = /etc/letsencrypt/live/3e2113e8.ngrok.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = d9abe02fd65c89a22205ea9c1b980e05
http01_port = 8123
server = https://acme-staging-v02.api.letsencrypt.org/directory
renew_hook = /bin/true
1 Like

Yes, but the renewal didn’t happen because the cert is not expiring.

I guess it’s time for a feature request, there’s no reason to --force-renewal to update the configuration.

Here’s an open one to add a vote to: https://github.com/certbot/certbot/issues/5828

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.