Wildcard certificate automatic renewal


I have configured a wildcard certificate, following the instructions available at Certbot’s website
at the following URL: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

I have Ubuntu 18 running with the web server NGINX and Amazon Route53 as the DNS provider.

I have successfully issued the wildcard certificate, however I’m not sure if the automatic renewal configuration is working. As instructed, I have issued the command sudo certbot renew --dry-run
and I got the following output:


Since the instructions don’t explain what would be the expected result, I’m not sure if the automatic feature has been successfully configured or not.

I would appreciate any help on this.

Best regards, André Granville

That output suggests that Certbot has no certificates configured whatsoever, so there is nothing to test with --dry-run.

What is the output of

sudo certbot certificates

Hi _az,

Thanks for your reply.

Indeed, the sudo certbot certificates returns No certs found, although I have received the congratulations message from certbot and also the web browser correctly sees it:

I have just found out what happened. I have configured the certificate in the following directory:


For some reason, when I create the wildcard certificate without explicitly setting a path (the certificate is created at /etc/letsencrypt/live), certbot recognizes the existence of the certificate, when issuing the sudo certbot certificates command.

Any ideas why certbot couldn’t find it at /home/ubuntu/letsencrypt/config/live?

Regards, André


Certbot should be saving into /etc/letsencrypt unless you override it with environment variables. It shouldn’t be going into /home/ubuntu/letsencrypt/config/live unless you pass in explicit arguments.

Two possibilities come to mind:

  1. I believed in Ubuntu 18.04 there was a change in which invoking sudo changes the environment from the user to root.

  2. There could be some sort of environment variable set.

Certbot accepts the following args that I often use to change the directory; there may be more now but this is from one of my local scripts:

certbot --config-dir /webserver/environments/certbot/config \
		--work-dir /webserver/environments/certbot/work \
		--logs-dir /webserver/environments/certbot/logs 

It shouldn’t be looking there, unless this is related to the new “snaps”.


I was overriding the default certbot path, setting it to /home/ubuntu/letsencrypt/config.
Probably has to do with the first possibility pointed out by you, regarding the sudo invocation.


I’m a little confused.

The first thing I wanted to write is: instead of sudo certbot renew --dry-run , you just need to add the same flag(s) used to obtain the certificate:

sudo certbot renew --dry-run --config-dir={WHATEVER_YOU_HAD_BEFORE}

Certbot just doesn’t know to look in the alternate directory you set things up with.


Your comments/text suggest that you might want the opposite to happen.

I’m not sure exactly where you want the certs to be, but hopefully I’ve pointed you in the right direction regarding the directory overrides.

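An added example, not part of any post in this thread and not Certbot's own code: a shell check that reports which candidate config directories actually hold renewal lineages and prints the matching dry-run command for each. It assumes Certbot keeps one `renewal/<name>.conf` per certificate under the config directory; the function names, `example.com` and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.
# Assumption: each certificate Certbot manages has <config-dir>/renewal/<name>.conf.

# list_lineages DIR: print "name<TAB>cert path<TAB>authenticator" per lineage.
# Returns 1 when DIR has no renewal/*.conf, i.e. nothing for `renew` to act on.
list_lineages() {
    found=1
    for conf in "$1"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        found=0
        cert=$(sed -n 's/^cert *= *//p' "$conf" | head -n 1)
        auth=$(sed -n 's/^authenticator *= *//p' "$conf" | head -n 1)
        printf '%s\t%s\t%s\n' "$(basename "$conf" .conf)" "${cert:-?}" "${auth:-?}"
    done
    return "$found"
}

# renew_hint DIR...: print the dry-run command that matches each directory.
renew_hint() {
    for d in "$@"; do
        if list_lineages "$d" >/dev/null; then
            if [ "$d" = /etc/letsencrypt ]; then
                echo "sudo certbot renew --dry-run"
            else
                echo "sudo certbot renew --dry-run --config-dir $d"
            fi
        else
            echo "# $d: no lineages, certbot would find nothing here"
        fi
    done
}

# make_sample ROOT: build a constructed custom config dir with one wildcard lineage.
make_sample() {
    mkdir -p "$1/custom/renewal" "$1/default/renewal"
    cat > "$1/custom/renewal/example.com.conf" <<EOF
cert = $1/custom/live/example.com/cert.pem
[renewalparams]
authenticator = dns-route53
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
renew_hint "$tmp/default" "$tmp/custom"
list_lineages "$tmp/custom"
rm -rf "$tmp"
```

On a real host, call `renew_hint /etc/letsencrypt /home/ubuntu/letsencrypt/config` and put the printed command, with the same directory flag, into whatever cron job or timer performs the renewal.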
