Renew existing certs failing - tried --renew-by-default as well as force-renewal


#1

Hi, I tried to renew - this always used to work in the past, and nothing has changed… I run my sites in a docker container, so I simply execute the renewal command using docker exec into the container - same as I’ve always done.

The container uses letsencrypt version 0.4.1

My domain is: (multiple)

hobbyistcoder.com,www.hobbyistcoder.com,carmenmarcelphotography.co.uk,www.carmenmarcelphotography.co.uk,shogan.co.uk,www.shogan.co.uk,specialairsolutions.co.za,www.specialairsolutions.co.za

I ran this command:

letsencrypt --renew-by-default --domains $UPDATED_DOMAINS (this variable contains the comma separated list of domains as per above)

It produced this output:

My web server is (include version): Apache 2.4.18 (debian)

The operating system my web server runs on is (include version): Ubuntu Debian 16.04 (Docker container)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

TLS-SNI-01 validation, used by the Apache plugin, is currently disabled by Let’s Encrypt for security reasons.

It may require a little setup, but you can use HTTP-01 validation with the Apache installer.

Version 0.4.1 is pretty old. I don’t remember exactly, but I think the Python dialog error thing is a bug with displaying errors that was fixed in a more recent version of Certbot.

--renew-by-default was renamed to --force-renewal. They’re equivalent. You should almost never need to use them, since they can cause unnecessary and excessive renewals.


#3

Thanks. This led me down the path to fixing. I needed to use the webroot method as I was doing this on the docker container where my apache2 service was already running.

What I did to resolve:

  • Update my Dockerfile to include adding of apt repository for certbot, and installation of certbot in the image.
  • brought my container down and up again with a rebuild using docker-compose
  • certbot latest version now available inside the container
  • ran certbot command listed in the thread linked above, using the webroot method, and passing in multiple domains + multiple webroot paths for the .well-known files to sit in. Importantly, if you get any one of those paths wrong, the entire cert renewal will fail, so all of them need to be correct and work.

After this my renewal worked, and I now have an up-to-date custom docker image too with latest certbot.

Thanks!
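The procedure in the post above (one webroot per domain, and the whole renewal failing if any path is wrong) as an added example, not code from the poster or from the certbot project. The domains are the ones listed in the thread; the webroot paths are constructed placeholders, and the `domain:webroot` mapping format is this script's own. `certbot certonly --webroot -w … -d …` and `--dry-run` are real certbot options: `--dry-run` validates against the staging environment, so a wrong path shows up without spending production rate limit.

```sh
#!/bin/sh
# Added example (not from the thread): build a certbot webroot run for several
# domains with distinct document roots, and verify every webroot before calling
# certbot, because a single bad path fails the whole multi-domain renewal.

# Constructed mapping for this example, one "domain:webroot" pair per line.
# Domains come from the thread; the paths are placeholders.
DOMAIN_MAP='hobbyistcoder.com:/var/www/hobbyistcoder
www.hobbyistcoder.com:/var/www/hobbyistcoder
shogan.co.uk:/var/www/shogan
www.shogan.co.uk:/var/www/shogan'

# build_certbot_args MAP
# Emits "-w WEBROOT -d DOMAIN" for each pair. certbot pairs each -d with the
# most recent -w, so repeating -w per domain keeps the pairing explicit.
build_certbot_args() {
  while IFS=: read -r domain webroot; do
    [ -n "$domain" ] || continue
    printf '%s %s %s %s ' -w "$webroot" -d "$domain"
  done <<EOF
$1
EOF
}

# check_webroots MAP
# certbot drops the challenge file under WEBROOT/.well-known/acme-challenge,
# so that directory must be creatable and writable for every domain.
# Prints each unusable path to stderr; returns 1 if any fail, 0 otherwise.
check_webroots() {
  bad=0
  while IFS=: read -r domain webroot; do
    [ -n "$domain" ] || continue
    challenge_dir="$webroot/.well-known/acme-challenge"
    if ! mkdir -p "$challenge_dir" 2>/dev/null; then
      echo "unusable webroot for $domain: cannot create $challenge_dir" >&2
      bad=1
      continue
    fi
    probe="$challenge_dir/.probe-$$"
    if ! : > "$probe" 2>/dev/null; then
      echo "unusable webroot for $domain: $challenge_dir not writable" >&2
      bad=1
      continue
    fi
    rm -f "$probe"
  done <<EOF
$1
EOF
  return "$bad"
}

# certbot_command MAP
# Prints the invocation instead of running it. --dry-run talks to the staging
# CA, so every webroot path gets exercised without touching production limits.
certbot_command() {
  printf 'certbot certonly --webroot %s--dry-run\n' "$(build_certbot_args "$1")"
}

# With "--check" the script validates the webroots and, if all pass, prints
# the command to run; without it, it only prints the command.
if [ "${1:-}" = "--check" ]; then
  check_webroots "$DOMAIN_MAP" || { echo "fix the paths above first" >&2; exit 1; }
fi
certbot_command "$DOMAIN_MAP"
```

Run it as `sh renew-check.sh --check` inside the container (the name is arbitrary) before the real renewal; once the dry run succeeds, drop `--dry-run` from the printed command. Each webroot must also be the directory Apache actually serves for that domain over plain HTTP, which the script cannot tell from inside the container, so a failed dry run points at the virtual host configuration next.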

