Why does certonly set installer?

I just ran certbot --apache certonly -d mydoma.in because automatic renewal was trying to use standalone but the port was not available. I got the following diff in my config:

@@ -9,6 +9,7 @@ fullchain = /etc/letsencrypt/live/mydoma.in/fullchain.pem
 # Options used in the renewal process
 account = 123456789101112131415
-authenticator = standalone
+authenticator = apache
 server = https://acme-v02.api.letsencrypt.org/directory
 key_type = rsa
+installer = apache

So why does the installer change when I select certonly? Or does that option mean something other than what I think?

Not a certbot expert, but I think your --apache option conflicts with certonly. --apache sets both the authenticator & installer to apache.

What you probably want is something like this:

certbot certonly --authenticator apache -d <domain>

From the docs:

--apache          Use the Apache plugin for authentication & installation
                  Authenticator plugin name. (default: None)
                  Installer plugin name (also used to find domains).
                  (default: None)

Hi @_simon, and welcome to the LE community forum :slight_smile:


The installer value in the renewal config is ignored for renew command. Because of authenticator=apache it will make temp changes to your Apache config and reload Apache when complete.


Only certbot [run] and certbot install will update SSLCertificateFile in the web server configuration. Renewal will cause a web server reload only.

from here:


Since Certbot version 1.23.0, if an installer is specified, the installer plugin will reload that specific webserver, even when certonly is used. See If an installer is provided to certonly, restart after cert issuance by wgreenberg · Pull Request #9184 · certbot/certbot · GitHub for more information.

So there is a difference between certbot certonly --apache and certbot certonly -a apache -i none.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.