Commonmark migration

As of version 0.10.0, Certbot supports a renew action to check all installed certificates for impending expiry and attempt to renew them. The simplest form is simply

certbot renew


edited body
slm

How do I actually create a new certificate using the DNS challenge to start with?

Update answer with focus on `renew` vs `certonly`
malte

when I run "certbot renew", will it renew all of them automatically without using my script?

Updated answer (see original answer below)

In my original answer I focused on the fact that the script you provided is not required when using the renew command. However, I did not make sure the renew command is actually applicable in this scenario.

As cdhowie and bobpaul state in the comments: certbot renew is a non-interactive mode that - in conjunction with the DNS challenge - requires you to provide a script via the --manual-auth-hook parameter. Said script must be capable of setting a TXT record. You can also provide another script to clean up afterwards via the --manual-cleanup-hook parameter.

If you provide these parameters, the whole process will run automatically without any interaction.

If you do not provide these parameters, certbot will fail:

/opt/certbot # certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foobar.w9f.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

If you want to renew your certificates via the manual mode, you must re-run the commands you used to acquire the certificates. In this case, your script is a nice option since the certonly command does not look at the present certificates/configuration and instead requires you to provide the domain names either via the -d parameter or in interactive mode.


when I run "certbot renew", will it renew all of them automatically without using my script?

TL;DR: Yes, it should.

How do I actually create a new certificate using the DNS challenge to start with?
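
A hook of the kind the updated answer describes, as an added example that is not part of the original answer or of Certbot: one script that builds the TXT record change for both --manual-auth-hook and --manual-cleanup-hook and rejects malformed input before it reaches the DNS server. It assumes the zone accepts RFC 2136 updates through nsupdate with a TSIG key; DNS_SERVER, TSIG_KEY, the script path and the 30-second wait are hypothetical.

```shell
#!/bin/sh
# Added example. Usage (hypothetical path):
#   certbot renew --manual-auth-hook "/path/to/hook.sh auth" \
#                 --manual-cleanup-hook "/path/to/hook.sh cleanup"
LC_ALL=C; export LC_ALL
DNS_SERVER=${DNS_SERVER:-ns1.example.test}        # hypothetical name server
TSIG_KEY=${TSIG_KEY:-/etc/letsencrypt/tsig.key}   # hypothetical key file

valid_domain() {   # hostname characters only, no empty labels
  case "$1" in ""|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

valid_token() {    # DNS-01 value: base64url SHA-256 digest, 43 characters
  case "$1" in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac
  [ "${#1}" -eq 43 ]
}

# build_update add|delete DOMAIN VALIDATION -> nsupdate batch on stdout
build_update() {
  case "$1" in add|delete) ;; *) echo "bad action" >&2; return 1 ;; esac
  domain=${2#\*.}                      # defensive: drop a wildcard prefix
  valid_domain "$domain" || { echo "rejected domain" >&2; return 1; }
  valid_token "$3" || { echo "rejected validation value" >&2; return 1; }
  name="_acme-challenge.${domain%.}."
  printf 'server %s\n' "$DNS_SERVER"
  if [ "$1" = add ]; then
    printf 'update add %s 60 IN TXT "%s"\n' "$name" "$3"
  else
    printf 'update delete %s TXT "%s"\n' "$name" "$3"
  fi
  printf 'send\n'
}

run_hook() {       # certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION
  batch=$(build_update "$1" "${CERTBOT_DOMAIN:-}" "${CERTBOT_VALIDATION:-}") || return 1
  printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEY"
}

case "${1:-}" in
  auth)    run_hook add && sleep 30 ;;   # crude wait for the record to propagate
  cleanup) run_hook delete ;;
esac
```

The validation step matters because the hook's inputs end up inside an nsupdate batch: anything other than a hostname and a 43-character base64url value is refused rather than passed through.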



added 546 characters in body
malte