Re: Where is the renewal config file grammar documented?

Sorry, I can't reply to the existing thread where the context is, and I'm forced to create a new one.

Continuing the discussion from Where is the renewal config file grammar documented?:

Tried this with --server, --eab-kid and --eab-hmac-key because I have one cert that uses a different ACME authority than other certs, and therefore has to use different credentials.

certbot renew --non-interactive --standalone --http-01-port 8008 --allow-subset-of-names --force-renew --deploy-hook="service nginx reload" --server="" --eab-kid="(…)" --eab-hmac-key="(…)"

When I ran the --force-renew with the last three arguments it did work (didn't without them - I checked), but the credentials still do not appear in /etc/letsencrypt/renewal/ like I expect them to according to the above message. Is this the right behaviour? Or should I be doing something differently?

Using --force-renew yields answers like this: Certbot failed to renew my cert - #2 by Osiris


I am not an expert in ZeroSSL, but I don't think those options are in the renewal config file. They are part of the account registration.

See the Certbot docs and/or this GitHub topic


If we're talking about the EAB, then yes, you won't find those in the renewal config: those two EAB-settings are only used when your ACME account is created. It's the job of the ACME server to remember the account binding internally on account creation.


That's right: --eab-kid and --eab-hmac-key are only relevant when registering the ACME account for the first time.

For subsequent invocations, all you need to remember is the --server flag, which is included in the renewal .conf file. Certbot has a certbot reconfigure command now which should be used in most cases instead of directly modifying those files or using --force-renewal.
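
The replies above, turned into a check an administrator can run, as an added example that is not part of the original posts or of Certbot's code: it reads a renewal file, reports which ACME server and account the lineage renews against, and lists any EAB-looking keys, which per the replies should not be present. The sample file contents (domain, server URL, account id) are constructed, and `parse_renewal_conf` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample of a renewal file as found under /etc/letsencrypt/renewal/;
# the domain, server URL and account id are made up for this example.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 2.3.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = standalone
http01_port = 8008
server = https://acme.example.net/directory
"""

def parse_renewal_conf(text):
    """Return {section: {key: value}}; keys before any [section] go under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore lines that are not key = value
            sections[current][key.strip()] = value.strip()
    return sections

def audit(text):
    """Summarise the ACME server and account a lineage renews against and
    list any EAB-looking keys, which the replies say are not stored here."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    return {
        "server": params.get("server"),
        "account": params.get("account"),
        "eab_keys": sorted(k for k in params if k.startswith("eab")),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Running `audit` over every file in the renewal directory shows at a glance which certificate is tied to which ACME authority, which is the situation described in the first post.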


Note that the reconfigure subcommand was added in Certbot 2.3.0. When using snap, I think this is automatically done somehow (personally I would HATE that..), but if you're not using snap, make sure you're upgraded to 2.3.0 or higher.

