Swtiching certbot plugins. How to tell certbot for renew?


#1

My domain is: Lots, but for our purposes here https://perlucida.com
I ran this command: cerbot renew --dry-run
It produced this output:

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The requested nginx plugin does not appear to be installed
Attempting to renew cert (perlucida.com) from /etc/letsencrypt/renewal/perlucida.com.conf produced an unexpected error: The requested nginx plugin does not appear to be installed. Skipping.

My web server is (include version): nginx 1.14
The operating system my web server runs on is (include version): Ubuntu 18.04
I can login to a root shell on my machine (yes or no, or I don’t know): yes

I have letsencrypt setup and working for several domains using Ansible to automate the process. Initially I was using the certbot nginx plugin but for various reasons have switched to certbot standalone. I’ve just done a dry run of certbot renew and notice the for certs that were generated with standalone renew wants to use standalone, whereas certs generated with nginx require nginx for renew.

In other words certbot remembers per cert which plugin was used for generation and wants to use it for renewal.

What is the best way to get certbot to use standalone for all certs now?
Is there something I can edit in /etc/letsencrypt or do I need to manually force renew each cert using standalone?


#2

Hi,

Yes, you could find all certbot configuration files stored in /etc/letsencrypt/renewal (please make backups before edit the file)

In the files, you could change the authenticator section from Nginx to standalone.

I believe you could also force the renewal to use standalone by adding -a standalone to the command

E.g. sudo certbot renew -a standalone --dry-run

Thank you


#3

The only thing to take care for when doing this is that you might also need pre-hook and post-hook entries related to stopping the web server (entirely depending on whether there is ordinarily a web server running on the same machine listening on port 80). You wouldn’t need this for the nginx authenticator but you might need it for the standalone authenticator.


#4

@stevenzhu Your second option does indeed work.

I opted to edit the renewal files as you described. Plus I removed the ‘installer = nginx’ line too since that was irrelevant to standalone.
Here are the commands I used in case anyone needs this in the future - use at your own risk :slight_smile:

cd /etc/letsencrypt/renewal
find ./ -type f -readable -exec sed -i "s/authenticator = nginx/authenticator = standalone/g" {} \;
find ./ -type f -readable -exec sed -i "/installer = nginx/d" {} \;

@schoen Uncanny, I read about pre-hook and post-hook seconds before looking at your comment. Much better than stopping the web server regardless of whether renewal is due. Changed my systemd service to:

ExecStart=/usr/bin/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

Instead of calling systemctl independently of certbotrenew.

Thanks for your help, both of you!


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.