Renewal automation on Windows

I've installed CertBot on a Windows 2016 server and use Apache as the HTTP server.
I've created a certificate with no problem at all, and I'm using it without problems.

Command:
certbot certonly -c c:\app\Certbot\cli.ini --non-interactive

Config file

email = gestion@comperargentina.com.ar
authenticator = webroot
webroot-path = d:\www
agree-tos = true
domain = gestion.comperargentina.com.ar
config-dir = c:\app\Certbot
work-dir = c:\app\Certbot\lib
logs-dir = c:\app\Certbot\log

Now I want to automate the renewal process. For that I've run the creation command again and got the following output:

c:\app\Certbot>certbot certonly -c c:\app\Certbot\cli.ini --non-interactive
Saving debug log to c:\app\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
Keeping the existing certificate


Certificate not yet due for renewal; no action taken.


That of course makes sense because the certificate was just created. That takes me to my first question: how many days before the due date are certificates considered renewable?

When a certificate is renewed with certonly, is the --deploy-hook DEPLOY_HOOK param used?
Can I put any executable (batch included) in the DEPLOY_HOOK param?

Thanks in advance for your help.
Regards

30 days by default.

Yes, the --deploy-hook is used for certs issued with certonly too.

I think that should be possible, yes.

Note that usually one would use certbot renew to renew all certs and not run the initial command over and over again.

2 Likes

I ran this command:

c:\app\Certbot>certbot renew -c c:\app\Certbot\cli.ini --keep-until-expiring --non-interactive
Saving debug log to c:\app\Certbot\log\letsencrypt.log
←[31mCurrently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.←[0m

It's shown as an error in the log file but I don't know what I'm missing here.

Please show output of:
set XDG_CONFIG_HOME
If empty, set that variable to: "c:\app\Certbot"

See OP. It contains a few directory settings, so I think it is necessary.


I don't fully understand what certbot is complaining about? @zeeh1975 could you share the contents of c:\app\Certbot\log\letsencrypt.log ?

letsencrypt.log content

2021-05-27 13:58:02,216:DEBUG:certbot._internal.main:certbot version: 1.15.0
2021-05-27 13:58:02,216:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Program Files (x86)\Certbot\bin\certbot.exe
2021-05-27 13:58:02,216:DEBUG:certbot._internal.main:Arguments: ['-c', 'c:\app\Certbot\cli.ini', '--keep-until-expiring', '--non-interactive']
2021-05-27 13:58:02,216:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-27 13:58:02,246:DEBUG:certbot._internal.log:Root logging level set at 20
2021-05-27 13:58:02,246:INFO:certbot._internal.log:Saving debug log to c:\app\Certbot\log\letsencrypt.log
2021-05-27 13:58:02,251:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "runpy.py", line 194, in _run_module_as_main
  File "runpy.py", line 87, in _run_code
  File "C:\Program Files (x86)\Certbot\bin\certbot.exe\__main__.py", line 18, in <module>
    sys.exit(main())
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\main.py", line 15, in main
    return internal_main.main(cli_args)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1435, in main
    return config.func(config, plugins)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1328, in renew
    renewal.handle_renewal_request(config)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\renewal.py", line 414, in handle_renewal_request
    raise errors.Error("Currently, the renew verb is capable of either "
certbot.errors.Error: Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
2021-05-27 13:58:02,292:ERROR:certbot._internal.log:Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

Setting that env var has no effect.

The "set" only shows the currently set value.
If empty, then set it to the directory where your cli.ini file is.

example:

>set x
Environment variable x not defined

>set x = 1

>set x
x = 1

This is what I've done

c:\app\Certbot>set XDG_CONFIG_HOME=c:\app\Certbot

c:\app\Certbot>echo %XDG_CONFIG_HOME%
c:\app\Certbot

c:\app\Certbot>certbot renew -c c:\app\Certbot\cli.ini --keep-until-expiring --non-interactive
Saving debug log to c:\app\Certbot\log\letsencrypt.log
←[31mCurrently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.←[0m

Try running the command now without the -c c:\app\Certbot\cli.ini
[which should NOT be needed]

--non-interactive also seems unnecessary

and perhaps --keep-until-expiring could be included in the cli.ini ... ???

Or maybe order matters and renew should go last; so that it has nothing to the right of it - and won't imply "renew this"

The docs are short on information about cli.ini file.
It's hard to see what can be put in there and how.
Perhaps
domain = gestion.comperargentina.com.ar
is what is throwing this all off.

Parameters seem to be the problem

c:\app\Certbot>certbot renew
Saving debug log to C:\Certbot\log\letsencrypt.log


No renewals were attempted.


Do I have any chance to test the renewal process, like changing the certificate expiry term?

1 Like

Yes, the default can be changed in the renewal config file.

Please show:
certbot certificates
and the renewal config file for that domain.

1 Like

If I look at the certbot code, it seems it doesn't like the domain option from your cli.ini.

The error seems to be triggered by all kinds of domain stuff:

And your cli.ini contains:

You should probably remove the domain part I quoted above and use the -d option as a command line option only when issuing a new certificate. It's not meant to be used as input for every step, including renewal.

2 Likes

I will try that.
Does renew take into account the original creation method, webroot in this case?

Yes, most if not all options are stored in the renewal configuration file. If we take a look at all options in your cli.ini:

  • email is only used when generating a new account, usually just once the first time you connect to an ACME server.
  • authenticator is usually only used for the first issuance of a certificate and is stored in the renewal configuration file. If you mix authenticators between certificates, setting this option in cli.ini would be very clumsy, as the cli.ini would interfere with an authenticator set on the command line at renewal;
  • webroot-path: stored in the renewal configuration file too;
  • agree-tos: see email
  • domain: see my previous post: don't set it in cli.ini
  • config-dir, work-dir and logs-dir: probably the only options useful in cli.ini.
2 Likes
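
The split described in the reply above, as an added example that is not part of the original thread and not Certbot's own code: a small Python audit of a cli.ini that keeps only the directory options and reports why each other option does not belong there. The function names `parse_cli_ini` and `audit` and the advice strings are assumptions made for this illustration; the sample input is the cli.ini from the first post.

```python
# Added example: the classification follows the reply above, not Certbot's source.
RENEW_BREAKING = {"domain", "domains"}        # triggers the "renew verb" error
PER_CERT = {"authenticator", "webroot-path"}  # saved in the renewal config file
ACCOUNT_ONLY = {"email", "agree-tos"}         # used when the account is created
GLOBAL_OK = {"config-dir", "work-dir", "logs-dir"}

def parse_cli_ini(text):
    """Return (key, value, raw_line) per `key = value` line; skip blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lstrip("-").lower(), value.strip(), line))
    return entries

def audit(text):
    """Return (cleaned cli.ini text, [(key, advice), ...]) for everything dropped."""
    keep, findings = [], []
    for key, _value, line in parse_cli_ini(text):
        if key in GLOBAL_OK:
            keep.append(line)
        elif key in RENEW_BREAKING:
            findings.append((key, "remove: pass -d on the command line when issuing only"))
        elif key in PER_CERT:
            findings.append((key, "not needed: stored in the renewal configuration file"))
        elif key in ACCOUNT_ONLY:
            findings.append((key, "not needed: only used when the account is created"))
        else:
            findings.append((key, "unclassified: review by hand"))
    return "\n".join(keep), findings

# Constructed sample: the cli.ini shown in the first post of this thread.
SAMPLE = """\
email = gestion@comperargentina.com.ar
authenticator = webroot
webroot-path = d:\\www
agree-tos = true
domain = gestion.comperargentina.com.ar
config-dir = c:\\app\\Certbot
work-dir = c:\\app\\Certbot\\lib
logs-dir = c:\\app\\Certbot\\log
"""

if __name__ == "__main__":
    cleaned, findings = audit(SAMPLE)
    print(cleaned)
    for key, advice in findings:
        print(f"{key}: {advice}")
```
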
