--no-auto-renew flag results in manual renew failure with misleading error message #9875

Open
PotatoFamilyRepos opened this issue Jan 16, 2024 · 1 comment

PotatoFamilyRepos commented Jan 16, 2024

My operating system is (include version):

Ubuntu 22.04.3 LTS

I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):

snap

I ran this command and it produced this output:

certbot --nginx --no-auto-renew --server my.acme.server
and then, via my own renewal strategy,
certbot renew
Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my.domain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/my.domain/fullchain.pem expires on 2024-01-16 (skipped)
No renewals were attempted.

Certbot's behavior differed from what I expected because:

The cert was expired by over a day, and was showing as expired in the browser.

Mitigation

Remove
autorenew = False
from config file.

While I used --no-auto-renew because I did not want the snap timer renew to run, it seems it instead prevents certbot renew from renewing it when manually run (without the domain?) as well.

Solutions/comments

  • Error message should state that the domain did not renew because renewal is disabled.

This may be a 'read the manual' situation, but the 'not yet due' error sent me on an absolute wild goose chase of time zone debugging, cron debugging, trying to figure out if the cert was actually getting applied, etc.

There are some other unanswered questions in search results that smell the same, so hopefully this will be indexed as an answer as well.

Collaborator

osirisinferi commented Jan 17, 2024

Personally I'd say it's part "RTM" and part indeed confusing and inconsistent output of Certbot.

I'd rather see Certbot outputting something like "autorenewal disabled".

That said, there still is no way to re-enable autorenewing again without manually editing the configuration file (see #9283 and #9285), so maybe this whole --no-auto-renew should be yanked entirely? I don't know how many users use this feature, but it's only partly implemented IMO and leads to confusion.
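
A check for the condition discussed in this thread, as an added example that is not part of the issue or of Certbot's own code: it scans the renewal configuration files for a falsy `autorenew` setting, so lineages that `certbot renew` skipped in the report above are listed explicitly instead of being discovered when the certificate expires. The function names, the set of values treated as false, and matching the key anywhere in the file are assumptions.

```python
"""Report Certbot lineages whose renewal config disables autorenew."""
import re
import sys
from pathlib import Path

# Spellings treated as false (assumption: ConfigObj-style boolean values).
FALSY = {"false", "off", "no", "0"}
# Matches an uncommented `autorenew = <value>` line; a trailing comment is excluded.
KEY_RE = re.compile(r"^\s*autorenew\s*=\s*(?P<value>[^#]*)")


def autorenew_disabled(conf_text):
    """Return True if the last `autorenew` setting in the text is falsy."""
    disabled = False
    for line in conf_text.splitlines():
        match = KEY_RE.match(line)
        if match:
            value = match.group("value").strip().strip("'\"").lower()
            disabled = value in FALSY
    return disabled


def find_disabled_lineages(renewal_dir):
    """Return the sorted lineage names whose .conf file disables autorenew."""
    hits = []
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        try:
            text = conf.read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            # Unreadable files are reported, not silently treated as healthy.
            print(f"warning: cannot read {conf}: {exc}", file=sys.stderr)
            continue
        if autorenew_disabled(text):
            hits.append(conf.stem)
    return hits


if __name__ == "__main__":
    # Default directory is the one shown in the output quoted in the issue.
    directory = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/renewal"
    lineages = find_disabled_lineages(directory)
    for name in lineages:
        print(f"{name}: autorenew disabled in renewal config")
    # Non-zero exit lets a monitoring job alert on any disabled lineage.
    sys.exit(1 if lineages else 0)
```

Run it from the same scheduler that runs the manual renewal so a disabled lineage raises an alert instead of a "not yet due" message.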
