Your system is not supported by certbot-auto anymore

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo /etc/letsencrypt/certbot-auto -q certonly --webroot -w /jet/app/www/default -d odisseo.io -d www.odisseo.io --config-dir /jet/etc/letsencrypt

It produced this output:
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.

My web server is (include version):
min-nginx
1.12.0

The operating system my web server runs on is (include version):
Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64

My hosting provider, if applicable, is:
Google cloud compute engine

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
ssh secure shell - filezilla with ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot-auto

Have you done this?

Yes I did. I realized that I should install snapd for Debian 9. Is that correct?

That's the installation method recommended by the Certbot team indeed.

I uninstalled the certbot-auto and old certbot and installed the snapd certbot.

I ran this command:

sudo certbot certonly --webroot -w /jet/app/www/default -d odisseo.io -d www.odisseo.io --config-dir /jet/etc/letsencrypt

All OK, I have the new certificate!

Successfully received certificate.
Certificate is saved at: /jet/etc/letsencrypt/live/odisseo.io-0001/fullchain.pem
Key is saved at: /jet/etc/letsencrypt/live/odisseo.io-0001/privkey.pem
This certificate expires on 2022-04-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Now, please, a question:
Are the certificates renewed in the background upon expiration without my having to do anything, or do I still have to add a crontab entry for renewal?

If I try to renew the certificate with a crontab entry, something like:

47 14 * * * sudo certbot renew certonly --webroot -w /jet/app/www/default -d odisseo.io -d www.odisseo.io --config-dir /jet/etc/letsencrypt

I get an error message: certbot: error: unrecognized arguments: certonly

It should be enough to just run certbot renew --config-dir /jet/etc/letsencrypt without the other parameters. In fact, Certbot installed using the certbot-auto wrapper script and the Certbot installed through snap share the same configuration directory structure, so if you didn't also delete the stuff in /jet/etc/letsencrypt/ (assuming that's the same config dir as before), you probably could have run sudo certbot renew after you installed Certbot through snap. But that's not relevant any longer as you already have renewed your certificate.

One thing I did notice: your certificate now has a suffix -0001 which suggests you have two certificates which could be identical. Could you please run the following command and share the output?

sudo certbot certificates --config-dir /jet/etc/letsencrypt

Found the following certs:
Certificate Name: odisseo.io-0001
Serial Number: 37795212287d679b6ec35a571caa1cfbe2b
Key Type: RSA
Domains: odisseo.io www.odisseo.io
Expiry Date: 2022-04-22 13:11:44+00:00 (VALID: 89 days)
Certificate Path: /jet/etc/letsencrypt/live/odisseo.io-0001/fullchain.pem
Private Key Path: /jet/etc/letsencrypt/live/odisseo.io-0001/privkey.pem

Yes, it's true, I had two certificates; I deleted the old one after the procedure. Now I have only one.

With certbot I have now tried the command to put in the cronjob:
stop nginx && sudo certbot renew --config-dir /jet/etc/letsencrypt && start nginx

I am forced to stop nginx because port 80 is used by nginx.

OK, that's fine :slight_smile:

That's weird, as your command stated you're using the --webroot plugin. That actually would require a working nginx? Could you show the contents of /jet/etc/letsencrypt/renewal/odisseo.io-0001.conf ?

It is true previously I used the webroot plugin but I can't understand what the command for renewal with webroot is ...

What I want to understand with webroot when I run the command : sudo certbot certonly --webroot -w /jet/app/www/default -d odisseo.io -d www.odisseo.io --config-dir /jet/etc/letsencrypt

this procedure is used to overwrite or expand the certificates and not to renew them and I can only use it manually.

Is there a command for automatic renewal with the webroot plugin to be inserted on the cron job?

Previously, with certbot-auto, by entering the command below in the cronjob I was able to update the certificates automatically with the webroot plugin:
47 14 * * * sudo /etc/letsencrypt/certbot-auto -q certonly --webroot -w /jet/app/www/default -d odisseo.io -d www.odisseo.io --config-dir /jet/etc/letsencrypt

As for your question, here is the content of the file you requested:

# renew_before_expiry = 30 days
version = 1.22.0
archive_dir = /jet/etc/letsencrypt/archive/odisseo.io-0001
cert = /jet/etc/letsencrypt/live/odisseo.io-0001/cert.pem
privkey = /jet/etc/letsencrypt/live/odisseo.io-0001/privkey.pem
chain = /jet/etc/letsencrypt/live/odisseo.io-0001/chain.pem
fullchain = /jet/etc/letsencrypt/live/odisseo.io-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 293ab014935c08da458ae0810b39dd74
config_dir = /jet/etc/letsencrypt
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /jet/app/www/default,
[[webroot_map]]
www.odisseo.io = /jet/app/www/default

It doesn't matter how you issued a certificate the first time, the renewal command is always sudo certbot renew with in your case (for some reason I don't understand) the extra command for the --config-dir.

Here it says the webroot authenticator is used for issuance and renewal, so nginx should be kept running.

To renew the cert, all you need to do is ensure cron (or any other timer) runs this twice a day:
certbot renew

As for getting nginx to use the latest cert ...
You could reload it daily/weekly or after each renewal with a --deploy-hook

Hi and thanks for your help.

About the extra command for the --config-dir: it is because the instance on Compute Engine is created with user access and not with root privileges, which is why I have to move the certificates to a directory with user-level permissions. After each update of the certificates, as certbot changes the permissions on the directories, I then have to enter a command in the cronjob to change the permissions again.
I understand it's not a very clean solution, but like a Woody Allen movie, Whatever Works :smile:
sudo chown someuser:somegroup /jet/etc/letsencrypt/archive/odisseo.io/*

So my new definitive cronjob to renew certificates will be:

47 14 * * * sudo certbot renew --config-dir /jet/etc/letsencrypt && sudo chown someuser:somegroup /jet/etc/letsencrypt/archive/odisseo.io-0001/*
36 03 * * * sudo certbot renew --config-dir /jet/etc/letsencrypt && sudo chown someuser:somegroup /jet/etc/letsencrypt/archive/odisseo.io-0001/*

Hi and thanks for your help.

It seems the --config-dir option is also stored in the renewal configuration file as Rudy demonstrated above. (I missed that..) So you shouldn't need to add that option again to the sudo certbot renew command.

Also, you could add the -q (for quiet) option to the renew command, so you don't get annoying emails from Cron every time Certbot runs and does nothing.

OK thank you

This way is correct, right? (the option '-q' after 'renew')
And obviously it will not use nginx and there will be no need to stop nginx, correct?

Looks good to me. Although I don't understand why you have two cronjobs set up instead of just one.

If the certificate is configured to use the webroot plugin, it doesn't "use" nginx in the sense that it modifies nginx configuration and reloads it et cetera, but it of course uses nginx to serve the validation token from the specified webroot. But to do that, nginx needs to be running and shouldn't be stopped.

Also note that using the webroot authenticator plugin without the nginx installer plugin, you'd need to reload nginx after a successful renewal. You can do that using a command in the cronjob, but you could also use the --deploy-hook option. That option could also be used for the chown command. See the Certbot User Guide for more info.

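
The --deploy-hook approach suggested above, as an added example that is not code from the thread's participants: a hook script that restores ownership of the renewed lineage's files and reloads nginx. It assumes the thread's someuser:somegroup placeholders, `nginx -s reload` as the reload command, and a hypothetical install path in the cron comment; CHOWN_CMD and RELOAD_CMD are overridable names introduced here.

```sh
#!/bin/sh
# Added example, not code from the thread: a Certbot deploy hook.
# Certbot runs deploy hooks only after a successful renewal and exports
# RENEWED_LINEAGE, e.g. /jet/etc/letsencrypt/live/odisseo.io-0001.
# Assumptions: someuser/somegroup are the thread's placeholders; the reload
# command depends on how nginx is managed on the host.
CERT_OWNER="${CERT_OWNER:-someuser}"
CERT_GROUP="${CERT_GROUP:-somegroup}"
CHOWN_CMD="${CHOWN_CMD:-chown}"
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"

fix_lineage() {
    lineage="$1"
    if [ -z "$lineage" ] || [ ! -d "$lineage" ]; then
        echo "deploy hook: no such lineage: '$lineage'" >&2
        return 1
    fi
    # live/<name>/*.pem are symlinks into archive/<name>/; resolve each one
    # so that only the files of the renewed lineage are touched.
    for link in "$lineage"/*.pem; do
        target=$(readlink -f "$link") || return 1
        [ -f "$target" ] || return 1
        $CHOWN_CMD "$CERT_OWNER:$CERT_GROUP" "$target" || return 1
        case "$target" in
            */privkey*.pem) chmod 0640 "$target" || return 1 ;;  # key: never world-readable
            *)              chmod 0644 "$target" || return 1 ;;
        esac
    done
    # nginx keeps serving the old certificate until it is reloaded.
    $RELOAD_CMD
}

# A single cron line covers both daily runs (hook path is hypothetical):
#   47 2,14 * * * sudo certbot renew -q --deploy-hook /usr/local/bin/cert-deploy-hook.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    fix_lineage "$RENEWED_LINEAGE"
fi
```

Certbot also runs any executable placed in the renewal-hooks/deploy directory under the config dir, so the hook does not have to be passed on the command line.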

I have read, in the past, somewhere, that it was necessary to request the update of the certificates twice a day.

Running Certbot twice a day is indeed the recommendation of the Certbot team. But running a cronjob twice a day doesn't require 2 separate cronjobs.

ok, thank you
