Why does the "certbot certificates" not show the manually copied certificates?

I created a Let's Encrypt certificate in DNSimple a few days ago.

Now, I was trying to automate the process of renewing this Let's Encrypt certificate on an Ubuntu machine (with an nginx server) using the packages certbot and python3-certbot-dns-dnsimple (installed with apt).

However, I'm facing a couple of problems.


First, given that the certificate already exists in DNSimple, I thought I didn't need to create it. So, I was not calling certbot certonly, but, to install it in /etc/letsencrypt/live/mydomain, I was executing the following command:

certbot renew \
    --force-renewal \
    --debug \
    --dns-dnsimple \
    --dns-dnsimple-credentials path_to_file_with_dnsimple_api_token

But I always get the message No renewals were attempted. I can't really understand why. Do you know why? I looked at the certbot logs, but they don't have any other useful info. I tried to look for a solution on the web, but I couldn't find it yet.

This also does not create any folder /etc/letsencrypt/live/mydomain.

I created the DNSimple API token from the DNSimple interface, under User Settings > User access tokens.


Second, I thought this initial problem was due to the fact that renew may actually not work, unless there's already an installed certificate.

So, I decided to manually create the folder /etc/letsencrypt/live/mydomain, download the Let's Encrypt TLS certificate and key from DNSimple, and place them under /etc/letsencrypt/live/mydomain, but certbot certificates gives me the message No certs found. Why? Is there a way to make certbot aware of these certificates? I tried certbot update_links, but it did not help - I honestly don't know what this command really does.

In any case, even after I did this, certbot renew ... gives me the same message, even if I specify the certificate path and key with the options --cert-path path_to_certificate and --key-path path_to_key.


So, my ultimate goal is to basically use certbot (and python3-certbot-dns-dnsimple) to automatically renew and install the Let's Encrypt TLS certificates that are in DNSimple. What am I missing to do that?

Correct. When Certbot gets a cert it sets up a renewal profile config file that is used for the renew command. It can only renew certs that it originally requested.

So, use something like certbot certonly --dry-run --dns-dnsimple ...

and the rest of the needed options

This will test the request. If that works, remove --dry-run for a production cert.

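The answer above says certbot only renews what it issued itself, because issuance creates a renewal profile. The following is an added example (the editor's, not code from the thread, from certbot or from the plugin) that shows both halves of that: it builds the certonly command with the dns-dnsimple plugin the way the reply suggests (dry run first, then production), writes the plugin's credentials file with owner-only permissions, and reproduces the lookup `certbot certificates` performs, over a constructed sample directory that contains one lineage certbot issued and one directory copied in by hand. Assumptions: the config directory layout `<config>/renewal/*.conf` and `<config>/live/<name>/`, the `dns_dnsimple_token` key name, and the `--dns-dnsimple-propagation-seconds` and `--deploy-hook` options are real certbot conventions; the hostnames, the token placeholder and the deploy hook command are sample values.

```python
"""Added example (editor's, not code from the thread or from certbot): why
files copied by hand into live/ are invisible to `certbot certificates`, and
how the certonly call with the dns-dnsimple plugin is put together."""
import configparser
import os
import stat
import tempfile
from pathlib import Path

CERTBOT = "certbot"  # assumption: the apt-installed certbot is on PATH


def write_credentials(path: Path, token: str) -> Path:
    """Credentials INI for certbot-dns-dnsimple, created owner-only (0600).
    `dns_dnsimple_token` is the key the plugin reads; certbot warns when the
    file is readable by others, and so should you."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"dns_dnsimple_token = {token}\n")
    os.chmod(path, 0o600)  # a pre-existing file would keep its old mode otherwise
    return path


def credentials_are_private(path: Path) -> bool:
    """True when neither group nor others can read the token file."""
    return stat.S_IMODE(path.stat().st_mode) & 0o077 == 0


def certonly_argv(domains, creds, dry_run: bool, propagation: int = 60) -> list:
    """certonly with dns-01: certbot creates the _acme-challenge TXT record via
    the DNSimple API, waits `propagation` seconds, lets the CA validate, then
    deletes the record. The deploy hook only runs after a real issuance."""
    argv = [CERTBOT, "certonly", "--non-interactive", "--agree-tos",
            "--dns-dnsimple", "--dns-dnsimple-credentials", str(creds),
            "--dns-dnsimple-propagation-seconds", str(propagation),
            "--deploy-hook", "systemctl reload nginx"]  # sample hook command
    for domain in domains:
        argv += ["-d", domain]
    if dry_run:
        argv.append("--dry-run")  # staging CA, nothing written to /etc/letsencrypt
    return argv


def managed_certificates(config_dir: Path) -> dict:
    """What `certbot certificates` enumerates: one renewal profile per lineage in
    <config_dir>/renewal/*.conf. No profile means certbot does not know the cert,
    whatever sits under live/."""
    found = {}
    for conf in sorted((config_dir / "renewal").glob("*.conf")):
        parser = configparser.ConfigParser(interpolation=None)
        # certbot keeps the lineage paths above any [section]; give them one
        parser.read_string("[lineage]\n" + conf.read_text())
        params = parser["renewalparams"] if parser.has_section("renewalparams") else {}
        found[conf.stem] = {"fullchain": parser["lineage"].get("fullchain"),
                            "authenticator": params.get("authenticator")}
    return found


def unmanaged_live_dirs(config_dir: Path) -> list:
    """Directories under live/ with no renewal profile: the 'No certs found' case."""
    live = config_dir / "live"
    if not live.is_dir():
        return []
    managed = managed_certificates(config_dir)
    return sorted(p.name for p in live.iterdir() if p.is_dir() and p.name not in managed)


def build_sample_config(root: Path) -> Path:
    """Constructed sample layout (not real data): one lineage certbot issued
    itself, plus a directory created by hand the way the thread describes."""
    cfg = root / "letsencrypt"
    for sub in ("live/example.com", "live/manual.example.org", "renewal"):
        (cfg / sub).mkdir(parents=True)
    (cfg / "live/manual.example.org/fullchain.pem").write_text("(pem copied from DNSimple)\n")
    (cfg / "renewal/example.com.conf").write_text(
        "# renew_before_expiry = 30 days\n"
        "version = 2.1.0\n"
        f"archive_dir = {cfg}/archive/example.com\n"
        f"fullchain = {cfg}/live/example.com/fullchain.pem\n"
        "[renewalparams]\n"
        "authenticator = dns-dnsimple\n"
        f"dns_dnsimple_credentials = {root}/dnsimple.ini\n"
        "server = https://acme-v02.api.letsencrypt.org/directory\n")
    return cfg


def demo() -> dict:
    """Run everything in a temp dir; returns the facts the thread argues about."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        creds = write_credentials(root / "dnsimple.ini", "dnsimple_TOKEN_PLACEHOLDER")
        cfg = build_sample_config(root)
        return {"managed": sorted(managed_certificates(cfg)),
                "unmanaged": unmanaged_live_dirs(cfg),
                "creds_private": credentials_are_private(creds),
                "dry_run_argv": certonly_argv(["example.com"], creds, dry_run=True)}


if __name__ == "__main__":
    facts = demo()
    print("known to certbot:", facts["managed"], "| copied by hand:", facts["unmanaged"])
    print("dry run first:", " ".join(facts["dry_run_argv"]))
```

The point the sample makes: `manual.example.org` has a perfectly good fullchain.pem under live/, yet it is not listed, because nothing under renewal/ references it. Only a certonly run (which writes that profile) makes a lineage renewable; copying files in does not.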

I don't see a domain name nor a cert name to renew in your request.

Also, please stay away from using:


@rg305 Why should I stay away from --force-renewal? Can you be more specific? Thanks.

Do you also have a specific suggestion to solve my main problem?

To recap, my ultimate goal is to get the certificate from DNSimple. Actually, DNSimple is already configured to automatically renew the certificate, so I don't need to renew it. I only need to download it and install it automatically.

Apparently, certbot is not really meant for this purpose, as it seems to be meant to actually renew the certificate (or get a new one), and place it somewhere. But I only need to "place it somewhere after you fetch it from DNSimple". Am I missing an option to do this? Any suggestions?

Forcing renewal for a perfectly fine certificate on the production environment is wasteful and almost never necessary. It only increases load on the ACME server and can/will lead to hitting rate limits.

What do you mean with "a certificate from DNSimple"? I thought they only did DNS stuff? I didn't know they also issued certificates.


Thanks for the clarification.

They issue certificates through Let's Encrypt.

Isn't that the reason why there's the dns-simple plugin for certbot?

What I'm asking seems to be so simple, but I'm facing too many issues.


No, the plugin is only used for adding (and subsequently removing after usage) the DNS TXT resource record (RR) used for validating the domain name. Validation is necessary for getting a Let's Encrypt certificate. (Or any publicly trusted certificate for that matter.)

Certbot is an ACME client which can communicate with ACME servers such as the Let's Encrypt ACME service. Certbot will get a certificate from Let's Encrypt and this process requires validating the hostnames for which a certificate is going to be issued.

One method of validating hostnames is using the DNS with aid of TXT RRs. And if your DNS provider is DNSimple, you could use the certbot-dns-dnsimple plugin for that validating process.

However, there are also other methods of validation, such as the http-01 challenge, which could use your already existing nginx to validate your hostname(s) using HTTP on port 80.

Is there a specific reason why you're explicitly using DNSimple for the validation process? How did you learn about that?

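The reply above explains that the DNSimple plugin only publishes (and later removes) a TXT record used for validation. What that record contains is defined by the ACME dns-01 challenge (RFC 8555 section 8.4): the value is the base64url SHA-256 of the key authorization, which is the challenge token joined with the RFC 7638 thumbprint of the ACME account key. The following added example (the editor's, not from the thread, certbot or the plugin) computes that record for a domain and checks it the way the CA does, against a list of observed TXT values. The account key, token and hostnames are constructed sample values, not real ones; the JWK coordinates are deliberately not a valid curve point, because only the thumbprint matters here.

```python
"""Added example (editor's, not from the thread, certbot or the plugin): the
TXT record a dns-01 validation is built on, per RFC 8555 section 8.4, so it
is clear what certbot-dns-dnsimple publishes and what the CA looks up."""
import base64
import hashlib
import json

# Constructed sample ACME account key: a P-256 JWK whose coordinates are
# placeholders, not a real key or even a valid curve point.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "sample-x-coordinate-not-a-real-point",
    "y": "sample-y-coordinate-not-a-real-point",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    lexicographically ordered, serialised without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(account key): ties the published answer to the
    ACME account that requested the certificate, not just to the token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """Name and value of the TXT record the DNS plugin must publish. A wildcard
    name is validated at its base name, i.e. the same record as the apex."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return "_acme-challenge." + base, b64url(digest)


def ca_would_accept(observed_txt_values: list, expected_value: str) -> bool:
    """The CA queries all TXT RRs at the name and needs one exact match: a stale
    record from an earlier run does not hurt, a missing or truncated one fails."""
    return expected_value in observed_txt_values


if __name__ == "__main__":
    # sample token; a real one is chosen by the CA per challenge
    name, value = dns01_record("*.example.com", "sample-challenge-token", SAMPLE_ACCOUNT_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
    print("valid answer present:", ca_would_accept(["old-value", value], value))
```

Two practical consequences follow from the code: the record name is the same for `example.com` and `*.example.com`, so a certificate covering both needs two TXT values at one name at the same time (which is why the plugin adds rather than overwrites), and the value depends on the account key, so a record left behind by a different ACME client or account is useless for your order even if it looks right.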

It may seem simple in your head.
But the words you have used thus far don't convey your thoughts clear enough for me to understand what problem you are trying to overcome.


What shows?:

certbot certificates


@rg305 I don't think I can be clearer. I explained exactly what is going on.

In my original post, I wrote the answer to your last question.

This suggests that you've not carefully read my post.

It is not that no one has read your post. It's that your use case makes no sense.

An ACME client typically runs directly on the user infrastructure and DNS records are updated using an API. Let's Encrypt certificates are not normally issued on your DNS provider's web infrastructure and then copied. While this is certainly possible, the certificates would normally be copied to the application that needs the certificates, not a competing ACME client.

If you want to use certbot, request the certificates from certbot. If you want to use DNSimple's web based ACME client, use it, but don't expect that you can drop certificates into certbot folders and have certbot know what to do when you ask it to renew a certificate that it did not obtain.


Maybe you missed the part where I don't get paid to be here.

Maybe it is you that needs to read, and write, more clearly.


@rg305 The problem is this: you claim that my post is unclear while you clearly didn't fully read it. I'm not saying you're paid and you're supposed to catch everything I wrote, but at least don't claim that my post is unclear while clearly you've not fully read it.

Your proof is circular - which is no proof at all.
I read it - every word.
I'm not going to go back and read it again.
Nor am I going to post here any further.
Best of luck to you.

Cheers from Miami :beers:


@linkp Yea, maybe certbot was not meant to do what I need. I was already afraid of this. Maybe there's a different API that allows me to do that.

@rg305 You asked me to tell you what is the output of certbot certificates, while I write that in my original post. I don't understand why you keep lying, but ok. Fine. Cheers.


Did you try this:


You may have better results if you describe what you actually need, rather than the unexpected results you have encountered on the steps that you think you should take to get there.

It avoids the XY problem and the problem of the audience not being privy to assumptions that are obvious only to you. Depending on the goal, it may be worth starting a new topic for the sake of clarity.


@linkp

I already described what I needed above.

I'm going to quote myself

To recap, my ultimate goal is to get the certificate from DNSimple. Actually, DNSimple is already configured to automatically renew the certificate, so I don't need to renew it. I only need to download it and install it automatically.

Apparently, certbot is not really meant for this purpose, as it seems to be meant to actually renew the certificate (or get a new one), and place it somewhere. But I only need to "place it somewhere after you fetch it from DNSimple". Am I missing an option to do this? Any suggestions?

You need to talk with DNSimple to find out what they offer for that. It would be part of their infrastructure and nothing directly with Let's Encrypt

No, Certbot is not for that. Certbot will acquire and renew certs automatically. It will optionally "install" them in Apache or nginx. For other web services you configure those manually to use these certs.

I don't know why you object to using Certbot if DNSimple is not providing what you want. But, it's your call. Choose your favorite option
