Should I remove the --no-bootstrap and --no-self-upgrade options when running certbot-auto automatically?


#1

Hi, I’m developing a program to automatically renew my SSL certificates for my server.

Currently, the command to renew SSL certificates is /opt/certbot-auto certonly --keep --no-bootstrap --no-self-upgrade --non-interactive --webroot -w /usr/share/nginx/html -d myDomain.

I’m wondering if I should remove the --no-self-upgrade option in the command. Because if I don’t upgrade certbot-auto, I’ll get a warning saying “Attempting to parse the version <new_version> renewal configuration file found at XXX with version <old_version> of Certbot. This might not work.” I’m afraid some day in the future, the program will not be able to renew the SSL certificates on my machine if I don’t upgrade certbot-auto.

If I remove --no-self-upgrade, should I also remove --no-bootstrap? Because new versions of certbot-auto might have different OS dependencies.


#2

Just remember: if you requested your certificates that way, that information is written into the .conf file in /etc/letsencrypt/renewal, so you should check any of your .conf files there for any of those parameters you used when obtaining the certificate. Your renewal command should then just be a simple ./certbot-auto renew.


#3

I’d rather keep both parameters when running the command non-interactively. From a system operator’s view, automatic software updates could interfere with the intentional job: renewing the certificates. If one wants to update the software, the update process should be supervised.


#4

That could only happen if the certificates were created or previously renewed by a newer version of Certbot.

If there are multiple versions of Certbot installed, why not use the newest one for renewing, and get rid of the others?

If there’s only one version, it will never complain about renewing a certificate it created, even if it’s objectively old.
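Added example, not part of any post in this thread: a check that reads a renewal .conf of the kind mentioned in #2, lists the stored parameters, and reports the condition described in #4 (file written by a newer Certbot than the one installed). The sample file contents, the helper names and the version numbers are constructed for illustration and assume the usual layout of files in /etc/letsencrypt/renewal.

```python
import re

# Constructed sample; real files live in /etc/letsencrypt/renewal/<name>.conf
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.22.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

[renewalparams]
authenticator = webroot
account = 0123456789abcdef0123456789abcdef
[[webroot_map]]
example.com = /usr/share/nginx/html
"""

def parse_renewal_conf(text):
    """Return {section: {key: value}}; top-level keys are under ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # [section] and nested [[section]] headers both start a new dict
        header = re.fullmatch(r"\[+\s*([^\[\]]+?)\s*\]+", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections

def version_tuple(version):
    # Numeric comparison: "0.9.3" must sort below "0.22.0"
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def check(text, installed_version):
    conf = parse_renewal_conf(text)
    written_by = conf[""].get("version", "0")
    return {
        "written_by": written_by,
        "newer_than_installed":
            version_tuple(written_by) > version_tuple(installed_version),
        "authenticator": conf.get("renewalparams", {}).get("authenticator"),
        "webroot_map": conf.get("webroot_map", {}),
    }

if __name__ == "__main__":
    print(check(SAMPLE_CONF, "0.21.1"))  # installed version is hypothetical
```

Running it from the renewal job before the actual renew call lets the job log a clear message when a certificate was last touched by a newer Certbot than the pinned one.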


#5

Thank you for letting me know that this could only happen if the certificates were created or previously renewed by a newer version of Certbot. I didn’t know this.

