Understanding webroot renewals (dry-run errors out)


I need help understanding how Webroot is managing to issue a certificate renewal despite my NGINX config not publicly serving the .well-known directory.

In fact, if I run this command:
certbot certonly --webroot --webroot-path /usr/share/nginx/html/ --renew-by-default -d .com the certificate is issued.

However, if the same command is run with --dry-run, the client errors out as I ‘expect’, saying “Failed authorization procedure. .com (http-01)”

I am in the process of automating the generation of certificates using Ansible and would like to understand this behaviour.



When you pass any kind of ownership challenge for your domain, Let’s Encrypt stores an authorization for that domain (associated with your account key) that gives you the ability to issue additional certificates for a certain period (currently 90 days, probably going to be changed to ~7 days in the future). My best guess is that you successfully passed a http-01 (webroot) challenge at one point, and the authorization you got is still valid, so Let’s Encrypt doesn’t bother to check whether you’re actually able to solve the challenge again.

Since the staging environment (which is what’s used when you run with --dry-run) doesn’t share the same database as production, you don’t have a valid authorization associated with your account key there, so no luck without passing the challenge.
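An added pre-flight check (not code from this thread) that does locally what the http-01 validator does: write a token under .well-known/acme-challenge in the webroot and fetch it back over HTTP. Run before certbot in an Ansible play, it catches a webroot that is not actually served, which a still-valid production authorization would otherwise mask. The bundled local server exists only for the self-test; in real use `domain` is the public hostname and `port` is 80.

```python
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path


def webroot_preflight(domain, webroot, port=80, timeout=10):
    """Return True if a token dropped in the webroot is reachable at
    http://domain/.well-known/acme-challenge/<token>, else False."""
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token = secrets.token_urlsafe(16)          # random, like a real challenge
    token_file = challenge_dir / token
    token_file.write_text(token)
    url = f"http://{domain}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode() == token
    except (urllib.error.URLError, OSError):
        return False                           # 404, refused, timeout
    finally:
        token_file.unlink(missing_ok=True)     # never leave tokens behind


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):              # keep the demo output clean
        pass


def serve_directory(directory):
    """Self-test helper: serve `directory` on an ephemeral localhost port."""
    handler = functools.partial(_QuietHandler, directory=str(directory))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Constructed scenario: one served webroot (passes), one not (fails)."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as unserved:
        server, port = serve_directory(served)
        try:
            ok = webroot_preflight("127.0.0.1", served, port)
            bad = webroot_preflight("127.0.0.1", unserved, port)
        finally:
            server.shutdown()
            server.server_close()
        return ok, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```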

