Manual auth hook not called when using --staging

bsutton · July 28, 2020, 4:27am

I ran this command:
certbot ‘–manual’, ‘–preferred-challenges=dns’, ‘-m’, ‘me@my.com.au’, ‘-d’, ‘slayer.noojee.org’, ‘–agree-tos’, ‘–manual-public-ip-logging-ok’, ‘–non-interactive’, ‘–manual-auth-hook=/home/bin/certbot_hooks/dns_auth’, ‘–manual-cleanup-hook=/home/bin/certbot_hooks/dns_cleanup’, ‘–work-dir=/etc/letsencrypt/work’, ‘–config-dir=/etc/letsencrypt/config’, ‘–logs-dir=/etc/letsencrypt/logs’, ‘–staging’

It produced this output:
The command works correctly and a certificate is obtained.

The problem is that I’m trying to test my dns auth hook and it appears that once I successfully acquired a certificate that certbot no longer calls the dns auth hooks.

Complete logs at end.

During testing I need to have certbot call the auth hook every time.

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
namecheap

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.40.0

Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7f9108144160>
Prep: True
2020-07-28 14:17:22,187:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7f9108144160> and installer None
2020-07-28 14:17:22,187:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2020-07-28 14:17:22,189:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/14834518', new_authzr_uri=None, terms_of_service=None), a474c3171bb8388595a6d1cfa040e26c, Meta(creation_dt=datetime.datetime(2020, 7, 24, 5, 24, 31, tzinfo=<UTC>), creation_host='slayer4'))>
2020-07-28 14:17:22,189:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2020-07-28 14:17:22,190:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2020-07-28 14:17:23,040:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2020-07-28 14:17:23,041:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 28 Jul 2020 04:17:22 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
  "tSjy7Tofxig": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2020-07-28 14:17:23,041:INFO:certbot.main:Obtaining a new certificate
2020-07-28 14:17:23,065:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/config/keys/0019_key-certbot.pem
2020-07-28 14:17:23,067:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/config/csr/0019_csr-certbot.pem
2020-07-28 14:17:23,067:DEBUG:acme.client:Requesting fresh nonce
2020-07-28 14:17:23,067:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2020-07-28 14:17:23,276:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-07-28 14:17:23,277:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 28 Jul 2020 04:17:23 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001XxXKQTuD3hQCgwsPFpH-xJxBI_OI0ziFm0P5omX1flE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2020-07-28 14:17:23,277:DEBUG:acme.client:Storing nonce: 0001XxXKQTuD3hQCgwsPFpH-xJxBI_OI0ziFm0P5omX1flE
2020-07-28 14:17:23,277:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "slayer.noojee.org"\n    }\n  ]\n}'
2020-07-28 14:17:23,278:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDgzNDUxOCIsICJub25jZSI6ICIwMDAxWHhYS1FUdUQzaFFDZ3dzUEZwSC14SnhCSV9PSTB6aUZtMFA1b21YMWZsRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "PUXgWSPY8ZzQ4m1x7isdqKMxngJdA6y-PwW9tMeVt27RwxkWI4E3upxxIZ6FldnRT_z13fnFfIaSpp5-DPY3xj9yvCvwwRqTSn3_m3nI54s46RHXNNx2RZnzwxKQP-4GcD44zBrPeJlC-ngTveRT7qrcJlK-3eTgnyxlYE72bmJt1cvqyOgEfPdOPMXqsTDV8JNI8s3B3juyrqBizN3MN7CGmEnbZBdNX_-a4x1Nd9-xhh6lv1Z__kiQEOh-B_--cC6pilZa7QwsdDwBGsyg6J-Un_xr86e-oPhf2AfYkASpkudj6EGuhNfeixGxDmi-ZIcSoIeWqdlJLG4qzZJgGg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInNsYXllci5ub29qZWUub3JnIgogICAgfQogIF0KfQ"
}
2020-07-28 14:17:23,504:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 358
2020-07-28 14:17:23,504:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 28 Jul 2020 04:17:23 GMT
Content-Type: application/json
Content-Length: 358
Connection: keep-alive
Boulder-Requester: 14834518
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/14834518/121986950
Replay-Nonce: 0002eDIWs_AdfgCOp-MnvHoA0U5TbGDIF64QQQQp9yq7oYA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "ready",
  "expires": "2020-08-04T04:17:23.391552568Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "slayer.noojee.org"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/83453523"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14834518/121986950"
}
2020-07-28 14:17:23,504:DEBUG:acme.client:Storing nonce: 0002eDIWs_AdfgCOp-MnvHoA0U5TbGDIF64QQQQp9yq7oYA
2020-07-28 14:17:23,505:DEBUG:acme.client:JWS payload:
b''
2020-07-28 14:17:23,506:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/83453523:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDgzNDUxOCIsICJub25jZSI6ICIwMDAyZURJV3NfQWRmZ0NPcC1NbnZIb0EwVTVUYkdESUY2NFFRUVFwOXlxN29ZQSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My84MzQ1MzUyMyJ9",
  "signature": "TdIRHw98GOhFyGl-8_sh5sXia94iTFgC2d-IRYkRIHLaxBCfCA--W3OxzhXnDaaWOhlItNwXw2LP68kS7G9qijiLhaagmENfcjbVs75Kplcz-a844VESCbPC6MqxKC3l12lsfUBY6BCcfWDV3aexurLB76a8qsqW1lAeoTKEA_EognANa5bQ1u0pbiW80ADGN-ei-_YgLHkBN5T7cTfHdnfD-PRISM5vOAh34WOOs5inTk25mYFI-qWrKGOORWCVdzbkw4i2zAUSE4fYnHPQoNEG1uXeK5ygDY8AbddFMsLdYVAK8NrKdeY_SgaQHk3TXnBm4rIxm7mx7eUfpSxlmw",
  "payload": ""
}
2020-07-28 14:17:23,718:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/83453523 HTTP/1.1" 200 727
2020-07-28 14:17:23,718:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 28 Jul 2020 04:17:23 GMT
Content-Type: application/json
Content-Length: 727
Connection: keep-alive
Boulder-Requester: 14834518
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002ODmOe0sUm17PL9vnZz16putcIEZxGusUYDfn6PMstR4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "slayer.noojee.org"
  },
  "status": "valid",
  "expires": "2020-08-26T05:51:07Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/83453523/ZksApw",
      "token": "RDgx7jzLq2Mg9F59vD0gLeTac-4t6qo4NJvDcQ3P7Mg",
      "validationRecord": [
        {
          "url": "http://slayer.noojee.org/.well-known/acme-challenge/RDgx7jzLq2Mg9F59vD0gLeTac-4t6qo4NJvDcQ3P7Mg",
          "hostname": "slayer.noojee.org",
          "port": "80",
          "addressesResolved": [
            "14.201.92.199"
          ],
          "addressUsed": "14.201.92.199"
        }
      ]
    }
  ]
}
2020-07-28 14:17:23,718:DEBUG:acme.client:Storing nonce: 0002ODmOe0sUm17PL9vnZz16putcIEZxGusUYDfn6PMstR4
2020-07-28 14:17:23,719:DEBUG:certbot.client:CSR: CSR(file='/etc/letsencrypt/config/csr/0019_csr-certbot.pem', data=b'-----BEGIN CERTIFICATE REQUEST-----\nMIICdDCCAVwCAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKi1\nOqt8ZRetGwVWoihd/mj1SZo/e1Ztpg/PC/WixhH57i769fy4USIRqHH2P33te2gb\nyw8zm87zgSVaYv/fPB5iZ84rF2oLrlGEvn9DnHMS+qQXvtAb/c7VEcax5d4kjYSW\nX5i3OCpnDB2ghwzUO4ZXDL9BCekQZUSKEHiZOrw/h+6FfnBVLCwfPMfePX7RFEkN\nSWTXYkTLx3TLYQKsu8fyOXenFgUSF5ZgwWB4LhsD0VAYPcZ2N7uR2yBiXiDYohXI\nkkiqgW3KjkJ8mH9qrOxLmSssxavTlLwaSstMnOwPymmSZ80f6hIYnTnCSeIxJIMu\n28nR/zuOP8WK4HH9/m0CAwEAAaAvMC0GCSqGSIb3DQEJDjEgMB4wHAYDVR0RBBUw\nE4IRc2xheWVyLm5vb2plZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAIEphuPjFSqG\nn5r12BVeLODopBYdhwMsFKd7pTdwWVlw49XgU+qJAzSKmdpHq6Vc/tIlg8VvYlUR\nDbwaih/U8R3gaN6FsRTw3kw3Q3XLsUTqFvJZodCz9IZE7smZ1FMPoRuoVWY22aCD\nLccL3jCazI1RWw+e30IZ4Eoj/0lIgm0/W7c3aSSsSsnttXAMXX88P/fXB0aAH6p3\nMNhFS/4AoszQcsQ2FggRHDqxxnFjG0PSI0K0641CUg4iG9WyNmJHef2wRfCJ8VVL\nx6Q0kdpteMA7gXlQWS/s4ZT5IeQ9i1Y8N+pueMuAQTsuGlbijpHsZ5+ZDflm+7F8\nlVkahFJtBeY=\n-----END CERTIFICATE REQUEST-----\n', form='pem')
2020-07-28 14:17:23,719:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "new-cert",\n  "csr": "MIICdDCCAVwCAQIwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKi1Oqt8ZRetGwVWoihd_mj1SZo_e1Ztpg_PC_WixhH57i769fy4USIRqHH2P33te2gbyw8zm87zgSVaYv_fPB5iZ84rF2oLrlGEvn9DnHMS-qQXvtAb_c7VEcax5d4kjYSWX5i3OCpnDB2ghwzUO4ZXDL9BCekQZUSKEHiZOrw_h-6FfnBVLCwfPMfePX7RFEkNSWTXYkTLx3TLYQKsu8fyOXenFgUSF5ZgwWB4LhsD0VAYPcZ2N7uR2yBiXiDYohXIkkiqgW3KjkJ8mH9qrOxLmSssxavTlLwaSstMnOwPymmSZ80f6hIYnTnCSeIxJIMu28nR_zuOP8WK4HH9_m0CAwEAAaAvMC0GCSqGSIb3DQEJDjEgMB4wHAYDVR0RBBUwE4IRc2xheWVyLm5vb2plZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAIEphuPjFSqGn5r12BVeLODopBYdhwMsFKd7pTdwWVlw49XgU-qJAzSKmdpHq6Vc_tIlg8VvYlURDbwaih_U8R3gaN6FsRTw3kw3Q3XLsUTqFvJZodCz9IZE7smZ1FMPoRuoVWY22aCDLccL3jCazI1RWw-e30IZ4Eoj_0lIgm0_W7c3aSSsSsnttXAMXX88P_fXB0aAH6p3MNhFS_4AoszQcsQ2FggRHDqxxnFjG0PSI0K0641CUg4iG9WyNmJHef2wRfCJ8VVLx6Q0kdpteMA7gXlQWS_s4ZT5IeQ9i1Y8N-pueMuAQTsuGlbijpHsZ5-ZDflm-7F8lVkahFJtBeY"\n}'
2020-07-28 14:17:23,720:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14834518/121986950:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDgzNDUxOCIsICJub25jZSI6ICIwMDAyT0RtT2Uwc1VtMTdQTDl2blp6MTZwdXRjSUVaeEd1c1VZRGZuNlBNc3RSNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9maW5hbGl6ZS8xNDgzNDUxOC8xMjE5ODY5NTAifQ",
  "signature": "RVi36R5oawWY5r0PTX99wtm4u-FQCZX_oGokcENI86FSTSFhY-QP4-KeNrKNiN6aoh1MZK4mYUr2_-M5oN5RUiw5OrMKv_381t7Ht9xH2bbVsKeR5puxZTafNfmqF54MESEMWGjwRVvomet8kPl3LIfjYrN6sWQypb06SxMER5t5lqG3YN3YgUUsPqISoSQoErjgt5GOD2m34VEphvXaJU6Q0bAXkSGMv0Qb_KVH3CVAceb_HBZt265ylYmTTZOxS4bU4Gx5rSuR-_iIbUkvP_XhB19vw2QogQZ16Co6U6k7JxVSeqTF88Q6g_myQCUCzwWrdwpSe2o8DUxCupp0eg",
  "payload": "ewogICJyZXNvdXJjZSI6ICJuZXctY2VydCIsCiAgImNzciI6ICJNSUlDZERDQ0FWd0NBUUl3QURDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS2kxT3F0OFpSZXRHd1ZXb2loZF9tajFTWm9fZTFadHBnX1BDX1dpeGhINTdpNzY5Znk0VVNJUnFISDJQMzN0ZTJnYnl3OHptODd6Z1NWYVl2X2ZQQjVpWjg0ckYyb0xybEdFdm45RG5ITVMtcVFYdnRBYl9jN1ZFY2F4NWQ0a2pZU1dYNWkzT0NwbkRCMmdod3pVTzRaWERMOUJDZWtRWlVTS0VIaVpPcndfaC02RmZuQlZMQ3dmUE1mZVBYN1JGRWtOU1dUWFlrVEx4M1RMWVFLc3U4ZnlPWGVuRmdVU0Y1Wmd3V0I0TGhzRDBWQVlQY1oyTjd1UjJ5QmlYaURZb2hYSWtraXFnVzNLamtKOG1IOXFyT3hMbVNzc3hhdlRsTHdhU3N0TW5Pd1B5bW1TWjgwZjZoSVluVG5DU2VJeEpJTXUyOG5SX3p1T1A4V0s0SEg5X20wQ0F3RUFBYUF2TUMwR0NTcUdTSWIzRFFFSkRqRWdNQjR3SEFZRFZSMFJCQlV3RTRJUmMyeGhlV1Z5TG01dmIycGxaUzV2Y21jd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJRXBodVBqRlNxR241cjEyQlZlTE9Eb3BCWWRod01zRktkN3BUZHdXVmx3NDlYZ1UtcUpBelNLbWRwSHE2VmNfdElsZzhWdllsVVJEYndhaWhfVThSM2dhTjZGc1JUdzNrdzNRM1hMc1VUcUZ2SlpvZEN6OUlaRTdzbVoxRk1Qb1J1b1ZXWTIyYUNETGNjTDNqQ2F6STFSV3ctZTMwSVo0RW9qXzBsSWdtMF9XN2MzYVNTc1NzbnR0WEFNWFg4OFBfZlhCMGFBSDZwM01OaEZTXzRBb3N6UWNzUTJGZ2dSSERxeHhuRmpHMFBTSTBLMDY0MUNVZzRpRzlXeU5tSkhlZjJ3UmZDSjhWVkx4NlEwa2RwdGVNQTdnWGxRV1NfczRaVDVJZVE5aTFZOE4tcHVlTXVBUVRzdUdsYmlqcEhzWjUtWkRmbG0tN0Y4bFZrYWhGSnRCZVkiCn0"
}
2020-07-28 14:17:24,409:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/finalize/14834518/121986950 HTTP/1.1" 200 460
2020-07-28 14:17:24,409:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 28 Jul 2020 04:17:24 GMT
Content-Type: application/json
Content-Length: 460
Connection: keep-alive
Boulder-Requester: 14834518
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/14834518/121986950
Replay-Nonce: 0002nK9-HlBdzcjx2nGowM8vvYk-YjCsF0Q9dfjSVlh6prA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "valid",
  "expires": "2020-08-04T04:17:23Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "slayer.noojee.org"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/83453523"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14834518/121986950",
  "certificate": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa6452755670e6763970b37a7d35646ff5e3"
}
2020-07-28 14:17:24,409:DEBUG:acme.client:Storing nonce: 0002nK9-HlBdzcjx2nGowM8vvYk-YjCsF0Q9dfjSVlh6prA
2020-07-28 14:17:25,410:DEBUG:acme.client:JWS payload:
b''
2020-07-28 14:17:25,411:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/order/14834518/121986950:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDgzNDUxOCIsICJub25jZSI6ICIwMDAybks5LUhsQmR6Y2p4Mm5Hb3dNOHZ2WWstWWpDc0YwUTlkZmpTVmxoNnByQSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9vcmRlci8xNDgzNDUxOC8xMjE5ODY5NTAifQ",
  "signature": "qxQ5eEF877SOnjy5l8Di7-hWvz0HZEenSPF1e_lragLsHoFPWTruPTMomu6hmlaZHmXBlQpsmDf88rBIrz_O7O43z_FhHgf_yXBf_W6ZK7mgSBQTNuW85Fk9V7NpAd-Ps4ytkifg9hcgE82w04Awxp0-Yx4xV5RUTlKMjK69xjsMR-ahzds37fh41G2VrSEdKgwKwh22aKii9PcvnV1798jqKq0GQMdTa4S7GWdLbe_LiQ_3dw5WLeFmGuXTe73-FbY4lnpMj1v5MnjhnO61ATot6AJCwXbK5XCeb3ETkQdR72ByYvkUcYG-yLEQbayLYcujmKELxnzjQX7Jo1g8aQ",
  "payload": ""
}
2020-07-28 14:17:25,624:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/order/14834518/121986950 HTTP/1.1" 200 460
2020-07-28 14:17:25,625:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 28 Jul 2020 04:17:25 GMT
Content-Type: application/json
Content-Length: 460
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001AktCDzD9LHs-m0hoCcY4qY0ptsQpUC-wY01Kbfy6SIM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "valid",
  "expires": "2020-08-04T04:17:23Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "slayer.noojee.org"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/83453523"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14834518/121986950",
  "certificate": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa6452755670e6763970b37a7d35646ff5e3"
}
2020-07-28 14:17:25,625:DEBUG:acme.client:Storing nonce: 0001AktCDzD9LHs-m0hoCcY4qY0ptsQpUC-wY01Kbfy6SIM
2020-07-28 14:17:25,625:DEBUG:acme.client:JWS payload:
b''
2020-07-28 14:17:25,626:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa6452755670e6763970b37a7d35646ff5e3:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNDgzNDUxOCIsICJub25jZSI6ICIwMDAxQWt0Q0R6RDlMSHMtbTBob0NjWTRxWTBwdHNRcFVDLXdZMDFLYmZ5NlNJTSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jZXJ0L2ZhNjQ1Mjc1NTY3MGU2NzYzOTcwYjM3YTdkMzU2NDZmZjVlMyJ9",
  "signature": "WFSpjlpZIqpY-3h_hSeATiqVY9wl4rV5QTIZ3aFcW3EMzNoBV4iT6FRKCNznnvMCRS5nsMCwdAA25WvkqCwLb1y8FB09uuAvpdqpoher0HCSOvZ9-CP7mRGCHe92EQiW0yRjszsFJFBTwYjZihnvj4caVaZjFHzQi8ieSNO5rlC2z7mjL9KPfPdB4RxTRGIMVZdFKp1piU6U1xIzRiSLu8N2bxRUXOSc3F8sKXSx_i8fyb4cxxCILZv6p5axGMUORjF7wa8SlbeImt07VxkktU1Dl6NvwPnBsil95Z85E_UfZsd1eAJGbzYB0MdOc1gmc9XunanE3QLw7D1LV-KAYg",
  "payload": ""
}
2020-07-28 14:17:25,839:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/cert/fa6452755670e6763970b37a7d35646ff5e3 HTTP/1.1" 200 3554
2020-07-28 14:17:25,839:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 28 Jul 2020 04:17:25 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 3554
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa6452755670e6763970b37a7d35646ff5e3/1>;rel="alternate"
Replay-Nonce: 0001H6oL85J5jhhn9_2Q-W6gUciiDPqyYL808hMuzYmmaJA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

-----BEGIN CERTIFICATE-----
MIIFOzCCBCOgAwIBAgITAPpkUnVWcOZ2OXCzen01ZG/14zANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0yMDA3Mjgw
MzE3MjRaFw0yMDEwMjYwMzE3MjRaMBwxGjAYBgNVBAMTEXNsYXllci5ub29qZWUu
b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqLU6q3xlF60bBVai
KF3+aPVJmj97Vm2mD88L9aLGEfnuLvr1/LhRIhGocfY/fe17aBvLDzObzvOBJVpi
/988HmJnzisXaguuUYS+f0OccxL6pBe+0Bv9ztURxrHl3iSNhJZfmLc4KmcMHaCH
DNQ7hlcMv0EJ6RBlRIoQeJk6vD+H7oV+cFUsLB88x949ftEUSQ1JZNdiRMvHdMth
Aqy7x/I5d6cWBRIXlmDBYHguGwPRUBg9xnY3u5HbIGJeINiiFciSSKqBbcqOQnyY
f2qs7EuZKyzFq9OUvBpKy0yc7A/KaZJnzR/qEhidOcJJ4jEkgy7bydH/O44/xYrg
cf3+bQIDAQABo4ICbjCCAmowDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT0lEo+do4O
4LeVS3IlyGEF1qy0hzAfBgNVHSMEGDAWgBTAzANGuVggzFxycPPhLssgpvVoOjB3
BggrBgEFBQcBAQRrMGkwMgYIKwYBBQUHMAGGJmh0dHA6Ly9vY3NwLnN0Zy1pbnQt
eDEubGV0c2VuY3J5cHQub3JnMDMGCCsGAQUFBzAChidodHRwOi8vY2VydC5zdGct
aW50LXgxLmxldHNlbmNyeXB0Lm9yZy8wHAYDVR0RBBUwE4IRc2xheWVyLm5vb2pl
ZS5vcmcwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggr
BgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5
AgQCBIH1BIHyAPAAdgDGPyIYw31WpqoGtZbajlPU1xVtHpusjkTSIC3mTWnZ3AAA
AXOTo6yzAAAEAwBHMEUCICYfOtg31RwRwQQLbyAgRlfUZ+LkE8LMUVtfa5OI41Pm
AiEAoXbtA5vomL20scO4qewHnZIIFpgPAOTxBTB1cud+VWkAdgCwzIPlpfl9a698
CcwoSQSHKsfoixMsY1C3xv0m4WxsdwAAAXOTo6zbAAAEAwBHMEUCIQD4YOzgoZGE
nKjBKkksttt31/Qg+zFFS6hANgBgrBTJjAIgI1lqZm5L6M3+QNWIx7Somw/8o5kb
D0rcAWl/cR4a59YwDQYJKoZIhvcNAQELBQADggEBADtXjslTwYd7m43uLvaj2BZw
sozXc29CJSxQaU9eEsl4J0b+lU6FP0rzwSCJwvD1EzXvudIPYDnR+Q96EiIZbfkc
xx4N0odlvxXE0mKqG+zh3PWdk1cQerdw9vnIE/vqHLmW88VMPmofIc2jHMkKdfuY
KHfTuA5TcYzYTp9lrADUeSBmDiY97i3unsT3zetn1VeOhsDN/lqcTlEvhE/Wo/d0
cN/+KYRe52XPOlXQsrBgwhFxRDHlRpho2G3hNSu+i3YHkyKzyDXgMyOghmOwqHKg
k9J+sfkixyKXJlF3D285jn5VppRjw+vNCZEVy7qCj6pWTw3WKnylLvr9WOwo+cY=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw
GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2
MDUyMzIyMDc1OVowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0
8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym
oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0
ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN
xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56
dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9
AgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHoGCCsGAQUFBwEBBG4wbDA0
BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3RnLXJvb3QteDEubGV0c2VuY3J5cHQu
b3JnLzA0BggrBgEFBQcwAoYoaHR0cDovL2NlcnQuc3RnLXJvb3QteDEubGV0c2Vu
Y3J5cHQub3JnLzAfBgNVHSMEGDAWgBTBJnSkikSg5vogKNhcI5pFiBh54DANBgkq
hkiG9w0BAQsFAAOCAgEABYSu4Il+fI0MYU42OTmEj+1HqQ5DvyAeyCA6sGuZdwjF
UGeVOv3NnLyfofuUOjEbY5irFCDtnv+0ckukUZN9lz4Q2YjWGUpW4TTu3ieTsaC9
AFvCSgNHJyWSVtWvB5XDxsqawl1KzHzzwr132bF2rtGtazSqVqK9E07sGHMCf+zp
DQVDVVGtqZPHwX3KqUtefE621b8RI6VCl4oD30Olf8pjuzG4JKBFRFclzLRjo/h7
IkkfjZ8wDa7faOjVXx6n+eUQ29cIMCzr8/rNWHS9pYGGQKJiY2xmVC9h12H99Xyf
zWE9vb5zKP3MVG6neX1hSdo7PEAb9fqRhHkqVsqUvJlIRmvXvVKTwNCP3eCjRCCI
PTAvjV+4ni786iXwwFYNz8l3PmPLCyQXWGohnJ8iBm+5nk7O2ynaPVW0U2W+pt2w
SVuvdDM5zGv2f9ltNWUiYZHJ1mmO97jSY/6YfdOUH66iRtQtDkHBRdkNBsMbD+Em
2TgBldtHNSJBfB3pm9FblgOcJ0FSWcUDWJ7vO0+NTXlgrRofRT6pVywzxVo6dND0
WzYlTWeUVsO40xJqhgUQRER9YLOLxJ0O6C8i0xFxAMKOtSdodMB3RIwt7RFQ0uyt
n5Z5MqkYhlMI3J1tPRTp1nEt9fyGspBOO05gi148Qasp+3N+svqKomoQglNoAxU=
-----END CERTIFICATE-----

2020-07-28 14:17:25,839:DEBUG:acme.client:Storing nonce: 0001H6oL85J5jhhn9_2Q-W6gUciiDPqyYL808hMuzYmmaJA
2020-07-28 14:17:25,840:INFO:certbot.client:Non-standard path(s), might not work with crontab installed by your operating system package manager
2020-07-28 14:17:25,840:DEBUG:certbot.storage:Archive directory /etc/letsencrypt/config/archive/slayer.noojee.org and live directory /etc/letsencrypt/config/live/slayer.noojee.org created.
2020-07-28 14:17:25,840:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/config/live/slayer.noojee.org/cert.pem.
2020-07-28 14:17:25,841:DEBUG:certbot.storage:Writing private key to /etc/letsencrypt/config/live/slayer.noojee.org/privkey.pem.
2020-07-28 14:17:25,841:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/config/live/slayer.noojee.org/chain.pem.
2020-07-28 14:17:25,841:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/config/live/slayer.noojee.org/fullchain.pem.
2020-07-28 14:17:25,841:DEBUG:certbot.storage:Writing README to /etc/letsencrypt/config/live/slayer.noojee.org/README.
2020-07-28 14:17:25,846:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer <certbot.cli._Default object at 0x7f9108098100>
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var staging=True (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var server={'staging', 'dry_run'} (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var account={'server'} (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var pref_challs=dns (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var config_dir=/etc/letsencrypt/config (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var work_dir=/etc/letsencrypt/work (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var logs_dir=/etc/letsencrypt/logs (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var staging=True (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var server={'staging', 'dry_run'} (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var authenticator=manual (set by user).
2020-07-28 14:17:25,846:DEBUG:certbot.cli:Var manual_auth_hook=/home/bin/certbot_hooks/dns_auth (set by user).
2020-07-28 14:17:25,847:DEBUG:certbot.cli:Var manual_cleanup_hook=/home/bin/certbot_hooks/dns_cleanup (set by user).
2020-07-28 14:17:25,847:DEBUG:certbot.cli:Var manual_public_ip_logging_ok=True (set by user).
2020-07-28 14:17:25,847:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/config/renewal/slayer.noojee.org.conf.
2020-07-28 14:17:25,848:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/config/live/slayer.noojee.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/config/live/slayer.noojee.org/privkey.pem
Your cert will expire on 2020-10-26. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"

_az · July 28, 2020, 4:43am

If you have a valid authorization for a domain on your account, Let's Encrypt will not make you repeat it for some period of time.

Use --dry-run. Since 0.40.0, Certbot explicitly deactivates existing valid authorizations when using this flag, in order to force authorizations to be completed from scratch every time.

bsutton · July 28, 2020, 4:53am

Thanks for the info.

I’m not certain I agree with the decision on this one.

If I understand correctly the --dry-run switch won’t acquire certificates.

In order to do a complete test cycle I need to obtain the certificates and move them into place (as I’m using manual). The decision to not do a auth each time means that I can’t complete a simple test pass which checks the dns auth is working and my process to place the certicates is also working.

I’m building an docker container that contains nginx and lets encrypt. I have cli commands which acquire the cert, move the cert and then reconfigure nginx to use the certs. With the above limitation I can no longer do round trip testing.

_az · July 28, 2020, 4:55am

I see.

--dry-run does acquire the certificates, but it discards them instead of saving them.

The only other way to force fresh authorizations is to register a new ACME account every time. But that is subject to the account registration rate limits.

bsutton · July 28, 2020, 4:56am

Should I put in a feature request?

_az · July 28, 2020, 5:02am

You can try, but I have my doubts about it being accepted. Reason being that my initial design for authorization deactivation was actually an explicit --deactivate-authorizations flag (which would help you in this case), but on review we changed it to be part of --dry-run instead.

You could also try run a small embedded ACME server like Pebble and point Certbot at that, but that really depends what you’re trying to achieve with an E2E test.

bsutton · July 28, 2020, 5:06am

Pebble might have to do.

I do have to say this looks like a rather bad decision.

My understand is that staging is design to allow devs to test certificate acquisition. If I can’t do a full e2e test on demand then it feels like it has failed at its core premise.

_az · July 28, 2020, 5:18am

Fair enough. I shouldn’t have discouraged you from making a feature request, it’s would in fact be good to get a record of it and other users who need it can chime in. https://github.com/certbot/certbot/issues .

Thought I had in the shower - you could extend your integration test to do a certbot renew --dry-run. That would ensure that the hook is evaluated either 1 or 2 times, depending on ACME server state, and that renew actually works non-interactively.

system · August 27, 2020, 5:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.