Upgrade guide for TLS-SNI-01 validation is reaching end-of-life?

On reinstall certbot will recreate the timer - So I don’t think that will give you the desired result you look for.

I tried doing a renewal dry-run to see if things work with the change to crontab, even though that doesn’t quite sound like the right way to do it—don’t know if this is helpful for troubleshooting or not:

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/irwin.sat.iit.edu.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for irwin.sat.iit.edu
Waiting for verification...
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/irwin.sat.iit.edu/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/irwin.sat.iit.edu/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

IMPORTANT NOTES:
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Please show file:
/lib/systemd/system/certbot.service

It seems that your setup is able to renew successfully using http-01, so it should switch over automatically when tls-sni-01 is disabled in February.

You can of course continue trying to switch early, if you want to.

1 Like

Hi Rudy:

Any tips on where to find the certbot timer on Ubuntu 16.04.5?

Then I just add in the command like in crontab?

15 3 * * * /usr/bin/certbot renew --quiet --preferred-challenges http

Thank you!

–Joe

Hi Rudy:

Here’s the contents of certbot.service:

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

Thank you!

That is what is run by the timer.
If that doesn't work from the command line, you would need to change it.
But it looks like that works from the command line.

Hi John:

What’s the procedure to change over to the new system on Ubuntu 16.04.5 running Nginx?

Thank you for all your help!

–Joe

There are a few ways. One option is to force an immediate renewal using the new validation method:

certbot renew --force-renewal --preferred-challenges http-01,dns-01

That will renew all your certificates immediately (even if they’re not yet due for renewal) and if it succeeds, will update the configuration files for each one to remember the new settings for next time. Other possibilities include modify the renewal configuration files in /etc/letsencrypt/renewal/ directly, or adding a line to /etc/letsencrypt/cli.ini, or modifying the commands in cron and systemd directly. Personally I’d recommend forcing an early renewal over the other options, unless you have reason to believe you’re close to the rate limits.

Again, though, it’s probably not even necessary to do this in your case.

1 Like
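The answer above mentions that a successful forced renewal writes the new challenge preference back into the per-certificate files under /etc/letsencrypt/renewal/. The script below is an added example, not code from the thread or from the certbot project: it audits those renewal configs and reports which ones still explicitly select tls-sni-01, which ones already name another challenge, and which ones leave the choice to certbot's default. It assumes certbot's default renewal directory (/etc/letsencrypt/renewal) and the `pref_challs = ...,` key format certbot uses in those files; the three sample .conf files it creates in a temporary directory are constructed for the stand-alone run and are not real server configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit certbot renewal configs for an
# explicit tls-sni-01 preference before the validation method is disabled.
# Assumed default renewal directory: /etc/letsencrypt/renewal

# Print the challenge class a single renewal config selects:
#   tls-sni      pref_challs names tls-sni-01 (will break once it is disabled)
#   explicit     pref_challs is set and does not name tls-sni-01
#   unspecified  no pref_challs line; certbot uses its default order
classify_conf() {
    conf="$1"
    line=$(grep -E '^[[:space:]]*pref_challs[[:space:]]*=' "$conf" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo unspecified
    elif printf '%s\n' "$line" | grep -q 'tls-sni-01'; then
        echo tls-sni
    else
        echo explicit
    fi
}

# Walk a renewal directory and print "<class> <file>" for every .conf in it.
audit_renewal_dir() {
    dir="${1:-/etc/letsencrypt/renewal}"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(classify_conf "$f")" "$f"
    done
}

# Count how many configs in a directory still name tls-sni-01 (prints 0 if none).
count_tls_sni() {
    audit_renewal_dir "$1" | grep -c '^tls-sni ' || true
}

# Constructed sample data so the example runs without touching a real server.
# Key format (value list ending in a comma) follows what certbot writes.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/old.example.conf" <<'EOF'
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,
EOF
    cat > "$d/new.example.conf" <<'EOF'
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = http-01, dns-01,
EOF
    cat > "$d/default.example.conf" <<'EOF'
[renewalparams]
authenticator = nginx
installer = nginx
EOF
    echo "$d"
}

# Stand-alone run against the constructed sample directory; on a real host
# call audit_renewal_dir with no argument (or with the real directory).
sample=$(make_sample_dir)
audit_renewal_dir "$sample"
echo "configs still naming tls-sni-01: $(count_tls_sni "$sample")"
```

A config reported as `unspecified` is the case seen earlier in this thread: no preference is stored, so the dry run shows whichever challenge the installed certbot version picks by default. Running the forced renewal from the answer above moves such files into the `explicit` class, which is what makes the switch persist for future timer runs.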

Hi Rudy:

certbot -q renew runs from the command line……so where do you make the changes to switch over to the new system?

Thank you for your patience and continued help!

–Joe

The switch is already in place.
We just needed to test that it worked and if it need any extra switches.

It looks good (as is).

Hi John:

I tried what you suggested, and here’s what I got—it looks like everything worked!!!

So does that mean I am on the new renewal system now?

THANK YOU for all your help and patience!

Regards,

–Joe

If you tried to attach something there, I guess the forum software removed it. But if that worked with no errors then yes you should be all good now.

1 Like

Hi John:

Looks like the forum software removed the terminal output—here’s what it was:

certbot renew --force-renewal --preferred-challenges http-01,dns-01

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/irwin.sat.iit.edu.conf

Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for irwin.sat.iit.edu
Waiting for verification...
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/irwin.sat.iit.edu/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/irwin.sat.iit.edu/fullchain.pem (success)

So, it looks like forcing the renewal with the preferred challenges tags appended fixes everything!

THANK YOU for this simple fix!

Have a great weekend!

–Joe

2 Likes

Hi John:

I just got an email from LetsEncrypt.org’s automated message system below.

Does this mean the changes you had me to try last week didn’t work, or is everything still OK?

You had me run this command for my Ubuntu 16.04.5 server using Nginx:

certbot renew --force-renewal --preferred-challenges http-01,dns-01

Thanks for all your help!

Regards,

–Joe

Both are true:

  • There exists a cert for your domain that was issued using TLS that will soon expire [thus the need for the email].
  • If “certbot renew --force-renewal --preferred-challenges http-01,dns-01” worked, you don’t need to do anything else on that system (for it to be able to use http for renewals).

So (for now) I would ignore any emails related to that IP.

1 Like

Thank you Rudy for the quick reply—that’s a relief!!!

I am only a classroom high school teacher attempting to leverage open source software to help my physics students…so I am definitely way out of my league!

I appreciate your time in helping me navigate these changes….thank you very much!

Sincerely,

Joe Liaw

2 Likes

No worries.
Glad to help to those that educate anytime!

1 Like
