webroot_map entries missing for re-issues with added domains #9936
Comments
I can't reproduce the failure of the renewal (with the most recent Certbot, not sure if that matters). Even with a completely empty Can you perhaps show the failure? Preferably with the entire Certbot log, which was also one of the headers of the initial template which you conveniently removed 😉
The renewal will result in this error:

Plugins selected: Authenticator webroot, Installer None
(You can set this with the --webroot-path flag). Skipping.
All renewal attempts failed. The following certs could not be renewed:

If your [[webroot_map]] is empty or has domain(s) missing, the renewal only works within the first 7? days, where LetsEncrypt does not actively revalidate the domain.
Let's Encrypt caches valid authorizations for 30 days, but I tested using My Certbot does not produce your error when I test your setup. While making sure no valid authz were present on the staging server, I ran:
And the renewal worked flawlessly (with new authorizations due to the
Thus not requiring any separate webroot paths in the webroot map. Can you perhaps provide the log and the renewal configuration file? That said I do notice while testing what you mean: when an authz is already valid, it won't be present in the webroot map. Whether this is actually a problem or not, I'm not sure, because even without a complete webroot map, Certbot seems to be able to figure out the correct webroot paths with the partial webroot map and the Thus, however hard I try, I'm unable to reproduce your issue with Certbot 2.10.0.
Seems you are right, after some more testing I can confirm that on a Debian 12 it will renew the certificate despite missing [[webroot_map]] entries. (only older versions of certbot fail in such cases)
My operating system is (include version):
Debian 12.5, x64
I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):
OS package (certbot 2.1.0-4)
I ran these commands:
Certbot's behavior differed from what I expected because:
The file /etc/letsencrypt/renewal/primarydomain.tld is missing the [[webroot_map]] entry for primarydomain.tld and only contains the one for secondarydomain.tld
This happens when the delete and "reissue" of a certificate happens within the timeframe (~7 days for LetsEncrypt?) where the previously already validated domains of the certificate do not need a re-validation.
In these cases certbot will only add the newly validated domain(s) to the webroot_map, causing the next auto renewal of this certificate to fail.
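
An added example, not part of the issue thread or Certbot's own code: a small audit that reads a renewal configuration and reports, for each certificate domain, whether it has its own `[[webroot_map]]` entry, would depend on a `webroot_path` fallback, or has neither. The sample configuration, the domain list and the function names are constructed for illustration; the `webroot_path` key and its comma-separated form are assumptions about the renewal file layout.

```python
import re

# Constructed sample mirroring the report: only the newly added domain is mapped.
SAMPLE_CONF = """\
version = 2.1.0
archive_dir = /etc/letsencrypt/archive/primarydomain.tld
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
secondarydomain.tld = /var/www/html
"""

def parse_renewal_conf(text):
    """Parse ConfigObj-style text into {section_path_tuple: {key: value}}."""
    sections, path = {(): {}}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"(\[+)\s*(.+?)\s*(\]+)", line)
        if header and len(header.group(1)) == len(header.group(3)):
            depth = len(header.group(1))  # [x] is depth 1, [[x]] is depth 2
            path = path[:depth - 1] + [header.group(2)]
            sections.setdefault(tuple(path), {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[tuple(path)][key.strip()] = value.strip()
    return sections

def audit_webroot_map(conf_text, cert_domains):
    """Classify each certificate domain by how its webroot would be resolved."""
    conf = parse_renewal_conf(conf_text)
    params = conf.get(("renewalparams",), {})
    wmap = conf.get(("renewalparams", "webroot_map"), {})
    # Assumption: webroot_path is a comma-separated list, possibly with a trailing comma.
    fallback = [p for p in params.get("webroot_path", "").split(",") if p.strip()]
    report = {}
    for domain in cert_domains:
        if domain in wmap:
            report[domain] = "mapped"
        elif fallback:
            report[domain] = "fallback"
        else:
            report[domain] = "missing"
    return report

if __name__ == "__main__":
    domains = ["primarydomain.tld", "secondarydomain.tld"]  # constructed SAN list
    for name, status in audit_webroot_map(SAMPLE_CONF, domains).items():
        print(f"{name}: {status}")
```

A domain reported as `missing` is the case described in the report, where an unattended renewal has no webroot to use once the cached authorization no longer applies.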