Renew certificates one at a time

My domain is: NA

I ran this command:
/usr/bin/letsencrypt renew --standalone

It produced this output on the console:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/server1.<mydomain>.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/server2.<mydomain>.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/server2.<mydomain>.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The issue is that we may have 100 servers for which we need to generate certificates. If there is a failure with the certificate generation for any one server, it is very difficult to figure that out from the standard output.

Under /etc/letsencrypt/renewal we have multiple configuration files, with the following names:

/etc/letsencrypt/renewal/server1..com.conf
/etc/letsencrypt/renewal/server2..com.conf
...

and each conf file has following content:

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/server1.<domain>.com
cert = /etc/letsencrypt/live/server1.<domain>/cert.pem
privkey = /etc/letsencrypt/live/server1.<domain>/privkey.pem
chain = /etc/letsencrypt/live/server1.<domain>/chain.pem
fullchain = /etc/letsencrypt/live/server1.<domain>/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = <id>
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

How do I script the certificate generation one at a time so that I can detect failures?
Example:

# the glob must not be wrapped in $(...), which would execute the first conf file as a command
for CONFFILE in /etc/letsencrypt/renewal/*.conf
do
    /usr/bin/letsencrypt renew --standalone --input "$CONFFILE" > "$CONFFILE.log" 2>&1
done

Please advise.

My web server is (include version): NA

The operating system my web server runs on is (include version): ubuntu 20.04.4

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

correction:

Hi @puneet336, and welcome to the LE community forum :slight_smile:

That could use an update.

Certbot will only try to renew certificates when they are close to expiry.
All failures would be documented in the log file.

What shows?:
certbot certificates


Use the --cert-name option.

The certificate name is simply the file name of the renewal configuration file minus the .conf extension.

That said, if you run certbot renew (the letsencrypt name is very, VERY old. Like, 8 years old or so? It was renamed to certbot way back.) with the -q option for --quiet, you should only see the errors, I think.


Thank you for the response ,

I see the following in stdout:

root@serverX:/opt/scripts# certbot certificates
/var/log/letsencrypt/letsencrypt.log

no certificates?


Thanks for the response @Osiris

I don't see the --cert-name option in the help menu:

root@server:/opt/scripts# /usr/bin/letsencrypt  --help

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@server:/opt/scripts#

That must be a very old certbot [indeed].


It's not documented very well, but you can see it being mentioned at the revoke subcommand. It should also work for renew.

And also indeed, please update your Certbot, it's already at 3.0.1. (Not that the --cert-name option is better documented in the --help text though :roll_eyes:).

Furthermore, it's mentioned 26 times in the user guide (but that user guide is always for the latest version of Certbot and you cannot see the guide for older/ancient versions).


Thank you for the response. I have upgraded the certbot version to 3.0.1 as recommended by @Osiris .

Is there a way to pass a default response to the certbot command and skip the interactive prompt? I.e., I just want to renew the certificate by keeping option 2) as the default response.

 bin/certbot certonly --authenticator dns-godaddy --dns-godaddy-credentials /etc/letsencrypt/godaddy-credentials.ini -d server003.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/server003.mydomain.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

You should only get prompted when making a "fresh" cert request which is what certbot certonly does.

You could also do certbot renew --cert-name name and that shouldn't prompt. Note this is the cert name not a domain name(s). See certbot certificates

I'm not sure if that fits the automation you have. There is the option below which might work with the certonly option.

-n, --non-interactive, --noninteractive
Run without ever asking for user input. This may require additional command line flags; the client will try to explain which ones are required if it finds one missing (default: False)

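The per-lineage loop the replies above describe (one `certbot renew --cert-name NAME` per renewal file, `-q` so a successful run stays silent, and `--non-interactive` so nothing can prompt during an unattended run), written out as an added example. This script is not from the thread and not part of Certbot. It relies only on the fact stated above that the lineage name is the renewal file name minus `.conf`; the variables `RENEWAL_DIR`, `CERTBOT` and `LOG_DIR` are this example's own names, with defaults matching a stock install, so the functions can be pointed at another directory or at a stand-in certbot binary for testing.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): renew each lineage
# separately so that a failure on one server is reported against that server.
# RENEWAL_DIR, CERTBOT and LOG_DIR are this example's own variables; the
# defaults match a stock Certbot install and can be overridden via the environment.
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"
CERTBOT="${CERTBOT:-certbot}"
LOG_DIR="${LOG_DIR:-/var/log/letsencrypt/per-cert}"

# The certificate (lineage) name is the renewal file name without ".conf".
cert_name_from_conf() {
    basename "$1" .conf
}

# Run "certbot renew" once per lineage. -q keeps stdout silent on success and
# --non-interactive guarantees no prompt can hang an unattended run, so each
# per-lineage log is non-empty only when something went wrong.
# Prints the names of failed lineages on stdout; returns 1 if any failed.
renew_all_individually() {
    mkdir -p "$LOG_DIR"
    failed_count=0
    failed_names=""
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -e "$conf" ] || continue          # empty directory: the glob stayed literal
        name=$(cert_name_from_conf "$conf")
        if "$CERTBOT" renew -q --non-interactive --cert-name "$name" \
                >"$LOG_DIR/$name.log" 2>&1; then
            continue
        fi
        failed_count=$((failed_count + 1))
        failed_names="$failed_names $name"
        echo "RENEW FAILED: $name (see $LOG_DIR/$name.log)" >&2
    done
    printf '%s\n' "${failed_names# }"
    [ "$failed_count" -eq 0 ]
}

# Invoke as:  sh renew-each.sh run     (nothing runs when the file is only sourced)
if [ "${1:-}" = "run" ]; then
    renew_all_individually
fi
```

Run it as root from cron with the `run` argument; the exit status is nonzero when any lineage failed, the failed names are printed on stdout for the job's mail or alerting, and the per-lineage log under `LOG_DIR` holds Certbot's error output for that server. Certbot's own full log in /var/log/letsencrypt/letsencrypt.log is still written regardless of `-q`.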

Thank you @MikeMcQ, I will check the suggested flags.

I found a way to make it work within the current automation:
echo 2 | bin/certbot certonly --authenticator dns-godaddy --dns-godaddy-credentials /etc/letsencrypt/godaddy-credentials.ini -d server003.mydomain.com
