renew --allow-subset-of-names causes removed failures to not be renewed again during normal run #7922
Comments
AFAIK the renewal config file has never been used to define the SAN list for the certificate. I don't think there's any such option in the renewal config file. The lineage's latest certificate is used to determine the SAN list for the next renewal. Maybe this is a documentation fix to warn that
Could you share what the file looks like? Are you referring to the webroot map for the webroot authenticator?
Yes, perhaps that is the solution. I had no idea the latest certificate was used to determine the SAN list but imagined the renewal configuration would be taken into account. That explains my issues, then.
Yes.
For reference, bowser.* failed due to a misconfiguration in Apache (duplicate entries for the vhost, the latter pointing to another location than the webroot) and wiki.* failed due to 401.
As @alexzorin notes, the Certbot option That would be a totally different mechanism than exists in Certbot right now, as there is no official way that Certbot can track desired or aspirational names. I agree with the suggestion for the present option to be more explicitly documented as "destructive", both in I'm just still curious about
What did that look like and how did that get there?
See my post above. It was generated from
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.
This issue has been closed due to lack of activity, but if you think it should be reopened, please open a new issue with a link to this one and we'll take a look.
My operating system is (include version):
FreeBSD 12.1-RELEASE-p3 GENERIC amd64
I installed Certbot with (certbot-auto, OS package manager, pip, etc):
OS package manager (pkg)
Name : py37-certbot
Version : 1.0.0,1
I ran this command and it produced this output:
certbot renew --allow-subset-of-names --force-renewal
It created a cert for my domain as CN and my subdomains as SAN as expected, missing two SAN subdomains that were the reason for me using `--allow-subset-of-names` in the first place. After fixing the problems with the two subdomains, I re-ran with `certbot renew --force-renewal`, upon which certbot only renewed the existing cert with CN and Subject Alternative Names from the current certificate, not with the SANs for the two subdomains that had now been fixed.
Certbot's behavior differed from what I expected because:
I expected certbot to respect the configuration file for the domain and not choose what CN and SANs to renew based on the latest certificate. Running `certbot renew --force-renewal` seems to renew based on the latest certificate's CN and SANs rather than use the configuration file to see what domains should be renewed for that certificate.
Additional context
`domain.org.conf` file
`/usr/local/etc/letsencrypt/live/domain.org/<files>` to an older certificate (cert1, fullchain1....) in `archive/domain.org` and re-running, which resulted in `Found a new cert /archive/ that was not linked to in /live/; fixing...`
I.e., certbot found a newer certificate (2, 3 and namely 4) and linked `live/domain.org/<files>` to the erroneous 4-version and the problem persisted.
`archive/domain.org/<files>` and re-linking `live/domain.org/<files>` to their `archive/domain.org/<files>` counterparts again and once again re-running `certbot renew --force-renewal`, my certificate was now holding my previously missing SANs that had once failed renewal.
`allow_subset_of_names = True` was added to all my domains' configuration files; it's quite possible changing this to false/removing the configuration entry would've fixed my issue much more easily. If so, I'd expect much clearer output from certbot that it's omitting renewal of domains due to a previous `allow_subset_of_names`.
Steps to reproduce
certbot renew --allow-subset-of-names
certbot renew
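An added check for the failure mode this issue describes (example code, not Certbot's own): it compares the names an operator expects with the DNS SANs of the lineage's current certificate and flags a renewal config that still carries `allow_subset_of_names`, so a silently dropped name is noticed before the next `certbot renew`. It assumes the expected names can be read from the `[[webroot_map]]` keys of the renewal file and that the SAN text comes from `openssl x509 -in cert.pem -noout -ext subjectAltName`; the sample inputs are constructed.

```python
"""Audit a Certbot lineage for names dropped by --allow-subset-of-names.
Certbot takes the next renewal's SAN list from the lineage's latest cert, so a
name that failed once under the flag stays absent from every later renewal."""
import re


def parse_san_text(openssl_text):
    """Collect DNS names from `openssl x509 -noout -ext subjectAltName` output."""
    return {m.group(1).lower() for m in re.finditer(r"DNS:([^,\s]+)", openssl_text)}


def parse_renewal_conf(conf_text):
    """Minimal parser for Certbot's configobj-style renewal file: {section: {key: value}};
    keys before any header live under "", [[webroot_map]] keeps only its inner name."""
    result, section = {"": {}}, ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            result.setdefault(section, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            result[section][key.strip()] = value.strip()
    return result


def expected_from_webroot_map(conf):
    """Assumption: with the webroot authenticator, [[webroot_map]] lists every name."""
    return set(conf.get("webroot_map", {}))


def audit_lineage(expected_names, san_text, conf_text):
    """Report expected names missing from the live cert and whether the flag persists."""
    expected = {n.lower() for n in expected_names}
    present = parse_san_text(san_text)
    params = parse_renewal_conf(conf_text).get("renewalparams", {})
    return {
        "missing": sorted(expected - present),
        "allow_subset_of_names": params.get("allow_subset_of_names", "").lower() == "true",
    }


# Constructed sample inputs (not from the issue): bowser.* and wiki.* failed and were dropped.
SAMPLE_SAN = "X509v3 Subject Alternative Name:\n    DNS:domain.org\n"
SAMPLE_CONF = """[renewalparams]
authenticator = webroot
allow_subset_of_names = True
[[webroot_map]]
domain.org = /usr/local/www/domain.org
bowser.domain.org = /usr/local/www/bowser
wiki.domain.org = /usr/local/www/wiki
"""
```

Running `audit_lineage(expected_from_webroot_map(parse_renewal_conf(SAMPLE_CONF)), SAMPLE_SAN, SAMPLE_CONF)` on the sample reports the two dropped names and that the flag is still set.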