Giters

certbot / certbot

Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

certbot renew help documentation for no-autorenew option appears to be wrong?

elmaimbo opened this issue · comments

commented

My operating system is (include version):

Ubuntu Server 22.04

I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):

snap

I ran this command and it produced this output:

# certbot --help renew
usage: 

  certbot renew [--cert-name CERTNAME] [options]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)

renew:
  The 'renew' subcommand will attempt to renew any certificates previously obtained if they are close to expiry, and print a
  summary of the results. By default, 'renew' will reuse the plugins and options used to obtain or most recently renew each
  certificate. You can test whether future renewals will succeed with `--dry-run`. Individual certificates can be renewed
  with the `--cert-name` option. Hooks are available to run commands before and after renewal; see
  https://certbot.eff.org/docs/using.html#renewal for more information on these.

  --cert-name CERTNAME  Certificate name to apply. This name is used by Certbot for housekeeping and in file paths; it doesn't
                        affect the content of the certificate itself. To see certificate names, run 'certbot certificates'.
                        When creating a new certificate, specifies the new certificate's name. (default: the first provided
                        domain or the name of an existing certificate on your system for the same domains)
  --dry-run             Perform a test run of the client, obtaining test (invalid) certificates but not saving them to disk.
                        This can currently only be used with the 'certonly' and 'renew' subcommands. Note: Although --dry-run
                        tries to avoid making any persistent changes on a system, it is not completely side-effect free: if
                        used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary
                        config changes in order to obtain test certificates, and reloads webservers to deploy and then roll
                        back those changes. It also calls --pre-hook and --post-hook commands if they are defined because they
                        may be necessary to accurately simulate renewal. --deploy-hook commands are not called. (default:
                        False)
  --force-renewal, --renew-by-default
                        If a certificate already exists for the requested domains, renew it now, regardless of whether it is
                        near expiry. (Often --keep-until-expiring is more appropriate). Also implies --expand. (default: False)
  --allow-subset-of-names
                        When performing domain validation, do not consider it a failure if authorizations can not be obtained
                        for a strict subset of the requested domains. This may be useful for allowing renewals for multiple
                        domains to succeed even if some domains no longer point at this system. This option cannot be used with
                        --csr. (default: False)
  -q, --quiet           Silence all output except errors. Useful for automation via cron. Implies --non-interactive. (default:
                        False)
  --preferred-chain PREFERRED_CHAIN
                        Set the preferred certificate chain. If the CA offers multiple certificate chains, prefer the chain
                        whose topmost certificate was issued from this Subject Common Name. If no match, the default offered
                        chain will be used. (default: None)
  --preferred-challenges PREF_CHALLS
                        A sorted, comma delimited list of the preferred challenge to use during authorization with the most
                        preferred challenge listed first (Eg, "dns" or "http,dns"). Not all plugins support all challenges. See
                        https://certbot.eff.org/docs/using.html#plugins for details. ACME Challenges are versioned, but if you
                        pick "http" rather than "http-01", Certbot will select the latest version automatically. (default: [])
  --pre-hook PRE_HOOK   Command to be run in a shell before obtaining any certificates. Intended primarily for renewal, where
                        it can be used to temporarily shut down a webserver that might conflict with the standalone plugin.
                        This will only be called if a certificate is actually to be obtained/renewed. When renewing several
                        certificates that have identical pre-hooks, only the first will be executed. (default: None)
  --post-hook POST_HOOK
                        Command to be run in a shell after attempting to obtain/renew certificates. Can be used to deploy
                        renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an
                        attempt was made to obtain/renew a certificate. If multiple renewed certificates have identical post-
                        hooks, only one will be run. (default: None)
  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each successfully issued certificate. For this command, the shell
                        variable $RENEWED_LINEAGE will point to the config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example,
                        "example.com www.example.com") (default: None)
  --disable-hook-validation
                        Ordinarily the commands specified for --pre-hook/--post-hook/--deploy-hook will be checked for
                        validity, to see if the programs being run are in the $PATH, so that mistakes can be caught early, even
                        when the hooks aren't being run just yet. The validation is rather simplistic and fails if you use more
                        advanced shell constructs, so you can use this switch to disable it. (default: False)
  --no-directory-hooks  Disable running executables found in Certbot's hook directories during renewal. (default: False)
  --disable-renew-updates
                        Disable automatic updates to your server configuration that would otherwise be done by the selected
                        installer plugin, and triggered when the user executes "certbot renew", regardless of if the
                        certificate is renewed. This setting does not apply to important TLS configuration updates. (default:
                        False)
  --no-autorenew        Disable auto renewal of certificates. (default: True)

Certbot's behavior differed from what I expected because:

The last line of the help output says:

--no-autorenew        Disable auto renewal of certificates. (default: True)

This seems to be saying that automatic renewal is disabled by default. However everything I've read online indicates that certificates are automatically renewed without having to set any special options. And searching for "no-autorenew" on github seems to indicate that the option doesn't actually exist?

So I suspect this documentation is wrong? Should it say:

--autorenew        Enable auto renewal of certificates. (default: True)

i.e. "no-autorenew" becomes "autorenew" and "Disable" becomes "Enable" in the documentation output?