certbot renew help documentation for no-autorenew option appears to be wrong?
elmaimbo opened this issue · comments
My operating system is (include version):
Ubuntu Server 22.04
I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):
snap
I ran this command and it produced this output:
# certbot --help renew
usage:
certbot renew [--cert-name CERTNAME] [options]
optional arguments:
-h, --help show this help message and exit
-c CONFIG_FILE, --config CONFIG_FILE
path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)
renew:
The 'renew' subcommand will attempt to renew any certificates previously obtained if they are close to expiry, and print a
summary of the results. By default, 'renew' will reuse the plugins and options used to obtain or most recently renew each
certificate. You can test whether future renewals will succeed with `--dry-run`. Individual certificates can be renewed
with the `--cert-name` option. Hooks are available to run commands before and after renewal; see
https://certbot.eff.org/docs/using.html#renewal for more information on these.
--cert-name CERTNAME Certificate name to apply. This name is used by Certbot for housekeeping and in file paths; it doesn't
affect the content of the certificate itself. To see certificate names, run 'certbot certificates'.
When creating a new certificate, specifies the new certificate's name. (default: the first provided
domain or the name of an existing certificate on your system for the same domains)
--dry-run Perform a test run of the client, obtaining test (invalid) certificates but not saving them to disk.
This can currently only be used with the 'certonly' and 'renew' subcommands. Note: Although --dry-run
tries to avoid making any persistent changes on a system, it is not completely side-effect free: if
used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary
config changes in order to obtain test certificates, and reloads webservers to deploy and then roll
back those changes. It also calls --pre-hook and --post-hook commands if they are defined because they
may be necessary to accurately simulate renewal. --deploy-hook commands are not called. (default:
False)
--force-renewal, --renew-by-default
If a certificate already exists for the requested domains, renew it now, regardless of whether it is
near expiry. (Often --keep-until-expiring is more appropriate). Also implies --expand. (default: False)
--allow-subset-of-names
When performing domain validation, do not consider it a failure if authorizations can not be obtained
for a strict subset of the requested domains. This may be useful for allowing renewals for multiple
domains to succeed even if some domains no longer point at this system. This option cannot be used with
--csr. (default: False)
-q, --quiet Silence all output except errors. Useful for automation via cron. Implies --non-interactive. (default:
False)
--preferred-chain PREFERRED_CHAIN
Set the preferred certificate chain. If the CA offers multiple certificate chains, prefer the chain
whose topmost certificate was issued from this Subject Common Name. If no match, the default offered
chain will be used. (default: None)
--preferred-challenges PREF_CHALLS
A sorted, comma delimited list of the preferred challenge to use during authorization with the most
preferred challenge listed first (Eg, "dns" or "http,dns"). Not all plugins support all challenges. See
https://certbot.eff.org/docs/using.html#plugins for details. ACME Challenges are versioned, but if you
pick "http" rather than "http-01", Certbot will select the latest version automatically. (default: [])
--pre-hook PRE_HOOK Command to be run in a shell before obtaining any certificates. Intended primarily for renewal, where
it can be used to temporarily shut down a webserver that might conflict with the standalone plugin.
This will only be called if a certificate is actually to be obtained/renewed. When renewing several
certificates that have identical pre-hooks, only the first will be executed. (default: None)
--post-hook POST_HOOK
Command to be run in a shell after attempting to obtain/renew certificates. Can be used to deploy
renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate. If multiple renewed certificates have identical post-
hooks, only one will be run. (default: None)
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each successfully issued certificate. For this command, the shell
variable $RENEWED_LINEAGE will point to the config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example,
"example.com www.example.com") (default: None)
--disable-hook-validation
Ordinarily the commands specified for --pre-hook/--post-hook/--deploy-hook will be checked for
validity, to see if the programs being run are in the $PATH, so that mistakes can be caught early, even
when the hooks aren't being run just yet. The validation is rather simplistic and fails if you use more
advanced shell constructs, so you can use this switch to disable it. (default: False)
--no-directory-hooks Disable running executables found in Certbot's hook directories during renewal. (default: False)
--disable-renew-updates
Disable automatic updates to your server configuration that would otherwise be done by the selected
installer plugin, and triggered when the user executes "certbot renew", regardless of if the
certificate is renewed. This setting does not apply to important TLS configuration updates. (default:
False)
--no-autorenew Disable auto renewal of certificates. (default: True)
Certbot's behavior differed from what I expected because:
The last line of the help output says:
--no-autorenew Disable auto renewal of certificates. (default: True)
This seems to be saying that automatic renewal is disabled by default. However everything I've read online indicates that certificates are automatically renewed without having to set any special options. And searching for "no-autorenew" on github seems to indicate that the option doesn't actually exist?
So I suspect this documentation is wrong? Should it say:
--autorenew Enable auto renewal of certificates. (default: True)
i.e. "no-autorenew" becomes "autorenew" and "Disable" becomes "Enable" in the documentation output?