Difference between revisions of "Certbot renew"

From wikieduonline
 
(69 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
{{lowercase}}
 +
* <code>[[certbot]] renew</code>
 +
 +
Let’s Encrypt CA issues short-lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.<ref>https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates</ref>
 +
 +
* Configuration directory: <code>[[/etc/letsencrypt/renewal/]]</code>
 +
 +
== Examples ==
 +
* <code>[[certbot]] renew</code>
 +
* <code>certbot renew --quiet</code>
 +
* <code>certbot renew --quiet --agree-tos</code>
 +
* <code> [[certbot renew --nginx]]</code>
 +
* <code> certbot renew --[[dry-run]]</code>
 +
* <code>systemctl stop nginx && certbot renew && systemctl start nginx && systemctl status nginx && certbot certificates</code>
 +
 +
 +
[[certbot renew crontab entry]] to renew cert.
 +
 +
== [[Certbot renew configuration examples]] ==
 +
{{certbot renew examples}}
 +
 +
== Renew examples ==
 +
 +
=== No renewals were attempted ===
 +
certbot renew
 +
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 +
 +
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +
 +
No renewals were attempted.
 +
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +
 +
=== [[Cert not yet due for renewal]] ===
 
<pre>
 
<pre>
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 +
 +
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +
Processing /etc/letsencrypt/renewal/wikieduonline.com-0001.conf
 +
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +
Cert not yet due for renewal
 +
 +
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +
Processing /etc/letsencrypt/renewal/wikieduonline.com.conf
 +
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +
Cert not yet due for renewal
  
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
 +
The following certs are not due for renewal yet:
 +
  /etc/letsencrypt/live/wikieduonline.com-0001/fullchain.pem expires on 2022-08-30 (skipped)
 +
  /etc/letsencrypt/live/wikieduonline.com/fullchain.pem expires on 2022-07-28 (skipped)
 
No renewals were attempted.
 
No renewals were attempted.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
</pre>
 
</pre>
  
<pre>
+
== With Errors ==
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
Processing /etc/letsencrypt/renewal/DOMAIN.com.conf
+
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
certbot renew
Cert is due for renewal, auto-renewing...
+
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
+
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
+
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to renew cert (DOMAIN.com) from /etc/letsencrypt/renewal/DOMAIN.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
+
Processing /etc/letsencrypt/renewal/YOUR_DOMAIN.com-0001.conf
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
+
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
+
Cert is due for renewal, auto-renewing...
 +
Plugins selected: Authenticator standalone, Installer None
 +
Renewing an existing certificate
 +
Performing the following challenges:
 +
http-01 challenge for YOUR_DOMAIN.com
 +
Cleaning up challenges
 +
Attempting to renew cert (XXXXXX.com-0001) from /etc/letsencrypt/renewal/XXXXXX.com-0001.conf produced an unexpected error: '''[[Problem binding to port 80]]''': Could not bind to IPv4 or IPv6.. Skipping.
 +
Solution:
 +
[[systemctl stop nginx]] && [[certbot renew]] && [[systemctl start nginx]] && [[systemctl status nginx]] && [[certbot certificates]]
 +
 
 +
certbot renew
 +
Processing /etc/letsencrypt/renewal/DOMAIN.com.conf
 +
 +
Cert is due for renewal, auto-renewing...
 +
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your  
 +
existing configuration.
 +
The error was: PluginError('An authentication script must be provided with --[[manual-auth-hook]] when  
 +
using the manual plugin non-interactively.',)
 +
Attempting to renew cert (DOMAIN.com) from /etc/letsencrypt/renewal/DOMAIN.com.conf produced an  
 +
unexpected error: The manual plugin is not working; there may be problems with your existing  
 +
configuration.
 +
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when  
 +
using the manual plugin non-interactively.',). Skipping.
 +
The following certs could not be renewed:
 
   /etc/letsencrypt/live/DOMAIN.com/fullchain.pem (failure)
 
   /etc/letsencrypt/live/DOMAIN.com/fullchain.pem (failure)
 +
 
 +
None of the preferred [[challenges]] are supported by the selected plugin. Skipping.
 +
 +
== [[DigitalOcean]] ==
 +
Doc: https://certbot-dns-digitalocean.readthedocs.io/en/stable/
 +
* <code>certbot renew --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini</code>
  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
== Related terms ==
</pre>
+
* <code>[[certbot certificates]]</code> (list certificates)
 +
* <code>[[certbot certonly]] -n -d example.com -d www.example.com</code>
 +
:<code>-d flag</code>
 +
* <code>[[certbot certonly --manual --preferred-challenges dns]]</code>
 +
* <code>[[/etc/cron.d/certbot]]</code>
 +
* <code>[[/var/log/letsencrypt/letsencrypt.log]]</code>
 +
* <code>[[/lib/systemd/system/certbot.service]]</code> and <code>[[/lib/systemd/system/certbot.timer]]</code>
 +
0 0 2,13 * * [[systemctl stop nginx]] && certbot renew; [[systemctl start nginx]]
  
 
== See also ==
 
== See also ==
 +
* {{certbot cmd}}
 
* {{certbot}}
 
* {{certbot}}
 +
 +
[[Category:Security]]
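
Review bot: the cron line added under "Related terms" (`0 0 2,13 * * systemctl stop nginx && certbot renew; systemctl start nginx`) stops nginx on every scheduled run, including runs where certbot prints "No renewals were attempted", so the site takes a restart twice a month for nothing. It is also added as bare text with no bullet, `<code>` markup or explanation, unlike the entries around it. Suggest `certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"`, whose hooks run only when a certificate is actually due, and wrapping the line in `<code>` with a short description.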

Latest revision as of 13:56, 19 November 2024

Let’s Encrypt CA issues short-lived certificates (90 days). Make sure you renew the certificates at least once every 3 months.[1]

Examples

  • certbot renew
  • certbot renew --quiet
  • certbot renew --quiet --agree-tos
  • certbot renew --nginx
  • certbot renew --dry-run
  • systemctl stop nginx && certbot renew && systemctl start nginx && systemctl status nginx && certbot certificates


Use a certbot renew crontab entry to renew the cert.

Certbot renew configuration examples

/etc/letsencrypt/renewal/DOMAIN.com.conf
.../...
# Options used in the renewal process
[renewalparams]
account = t513041ebec01207237ef7251192397t
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True

or

# Options used in the renewal process
[renewalparams]
account = t513041ebec01207237ef7251192397t
pref_challs = http-01,
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory


Options:

pref_challs: dns-01 | http-01
authenticator: manual | standalone

Renew examples

No renewals were attempted

certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not yet due for renewal

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wikieduonline.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wikieduonline.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/wikieduonline.com-0001/fullchain.pem expires on 2022-08-30 (skipped)
  /etc/letsencrypt/live/wikieduonline.com/fullchain.pem expires on 2022-07-28 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

With Errors

certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/YOUR_DOMAIN.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for YOUR_DOMAIN.com
Cleaning up challenges
Attempting to renew cert (XXXXXX.com-0001) from /etc/letsencrypt/renewal/XXXXXX.com-0001.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.

Solution:
systemctl stop nginx && certbot renew && systemctl start nginx && systemctl status nginx && certbot certificates

certbot renew
Processing /etc/letsencrypt/renewal/DOMAIN.com.conf

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your 
existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when 
using the manual plugin non-interactively.',)
Attempting to renew cert (DOMAIN.com) from /etc/letsencrypt/renewal/DOMAIN.com.conf produced an 
unexpected error: The manual plugin is not working; there may be problems with your existing 
configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when 
using the manual plugin non-interactively.',). Skipping.
The following certs could not be renewed:
 /etc/letsencrypt/live/DOMAIN.com/fullchain.pem (failure)
 
None of the preferred challenges are supported by the selected plugin. Skipping.
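
The failures above can be caught before the renewal window by auditing the files in /etc/letsencrypt/renewal/. The following is an added example, not code from this wiki or from certbot; it assumes hooks are stored in [renewalparams] under the keys manual_auth_hook and pre_hook, and the sample file contents are constructed.

```python
import configparser
from pathlib import Path

def load_renewalparams(text):
    """Return the [renewalparams] section of a renewal .conf as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    # Keys before the first section header go into a dummy section,
    # because configparser rejects section-less keys.
    parser.read_string("[_top]\n" + text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])

def audit(params):
    """List reasons an unattended `certbot renew` is likely to fail."""
    findings = []
    auth = params.get("authenticator", "")
    # pref_challs is stored with a trailing comma, e.g. "dns-01,"
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if auth == "manual" and not params.get("manual_auth_hook"):
        findings.append("manual authenticator without manual_auth_hook")
    if auth == "standalone" and not params.get("pre_hook"):
        findings.append("standalone without pre_hook: port 80 must be free")
    if auth == "standalone" and challs and "http-01" not in challs:
        findings.append("standalone with no http-01 in pref_challs")
    return findings

def audit_dir(renewal_dir="/etc/letsencrypt/renewal"):
    """Audit every *.conf in the renewal directory: {filename: findings}."""
    return {p.name: audit(load_renewalparams(p.read_text()))
            for p in sorted(Path(renewal_dir).glob("*.conf"))}

# Constructed samples modelled on the two configurations shown on this page.
SAMPLE_MANUAL = """\
version = 1.0.0
# Options used in the renewal process
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
pref_challs = dns-01,
authenticator = manual
"""
SAMPLE_STANDALONE = """\
[renewalparams]
pref_challs = http-01,
authenticator = standalone
pre_hook = systemctl stop nginx
post_hook = systemctl start nginx
"""

if __name__ == "__main__":
    for name, findings in audit_dir().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it as root, since the renewal directory is normally not world-readable, and confirm any fix with certbot renew --dry-run.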

DigitalOcean

Doc: https://certbot-dns-digitalocean.readthedocs.io/en/stable/

  • certbot renew --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini

Related terms

-d flag
0 0 2,13 * * systemctl stop nginx && certbot renew; systemctl start nginx

See also

  • https://eff-certbot.readthedocs.io/en/stable/using.html#renewing-certificates