I have a Debian 10 instance running which hosts my Node.js/Express API. I have been using a different subdomain during development and added another subdomain as I'm nearing production. The first domain was dev.myapi.com and I added another subdomain dashboard.myapi.com with `certbot certonly --cert-name dev.myapi.com -d dev.myapi.com,dashboard.myapi.com`. After that, I ran `certbot renew --dry-run` and I'm getting the following error:
```
Processing /etc/letsencrypt/renewal/dev.myapi.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dashboard.myapi.com
http-01 challenge for dev.myapi.com
Cleaning up challenges
Attempting to renew cert (dev.myapi.com) from /etc/letsencrypt/renewal/dev.myapi.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dashboard.myapi.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dev.myapi.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dev.myapi.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/reloadService.sh
1 renew failure(s), 0 parse failure(s)
```
How do I provide the webroot for the new subdomain? The root directory of my project is the same. I.e., I'm running only one project with 2 subdomains pointing to the same.
Best Answer
If you are creating certificates with certbot, you can run as mentioned:
This automatically creates a config file in (Ubuntu 18.04LTS) "/etc/letsencrypt/renewal/dev.myapi.com.conf", that contains the details as specified on the command-line, and via any interactive prompts. In your case, as above, you should be prompted for the auth process; apache, webroot, standalone server etc. and if you select webroot, you should be prompted for the path. But if you aren't, then your config will be missing the webroot-path.
As such you should explicitly call certbot with --webroot AND --webroot-path [full path to DocumentRoot] (in this example "/var/www/html/mySite").
If you don't do this, then the webroot-path field is not entered into the config file, and any attempt to renew will fail with the error you see.
You can manually add the path (in this example "/var/www/html/mySite") to your config file as follows, see the line "webroot_path =" under section [renewalparams]:
Then test with:
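Added example, not part of the original answer: a pre-renewal check that reads a renewal config and reports which certificate names have no webroot, the condition behind the "Input the webroot for ..." failure in the question. The function names and the sample config are constructed for illustration, and the rule that a `webroot_path` entry covers names absent from `[[webroot_map]]` is an assumption consistent with the fix described above.

```python
"""Flag certificate names a webroot renewal config cannot place."""

# Constructed sample, modelled on /etc/letsencrypt/renewal/dev.myapi.com.conf
SAMPLE_CONF = """\
fullchain = /etc/letsencrypt/live/dev.myapi.com/fullchain.pem

[renewalparams]
authenticator = webroot
[[webroot_map]]
dev.myapi.com = /var/www/html/mySite
"""


def parse_renewal_conf(text):
    """Return {section: {key: value}}; top-level keys live under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line.strip("[]").strip()  # handles [a] and [[a]]
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def domains_missing_webroot(conf_text, cert_domains):
    """Return the names renewal would have to prompt a webroot for."""
    conf = parse_renewal_conf(conf_text)
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []  # other authenticators do not use a webroot
    # webroot_path is stored as a list, e.g. "/var/www/html/mySite,"
    paths = [p.strip() for p in params.get("webroot_path", "").split(",") if p.strip()]
    if paths:
        return []  # assumption: webroot_path is the default for unmapped names
    mapped = {d for d, path in conf.get("webroot_map", {}).items() if path}
    return [d for d in cert_domains if d not in mapped]


if __name__ == "__main__":
    names = ["dev.myapi.com", "dashboard.myapi.com"]
    print("missing:", domains_missing_webroot(SAMPLE_CONF, names))
    fixed = SAMPLE_CONF.replace("[[webroot_map]]", "webroot_path = /var/www/html/mySite,\n[[webroot_map]]")
    print("after adding webroot_path:", domains_missing_webroot(fixed, names))
```

Running a check like this from cron or monitoring surfaces a name added with `-d` but never given a webroot well before the certificate nears expiry.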