# Letsencrypt failed to autorenew: Missing commandline flag

This error occurred with each attempt to auto renew. I was able to renew manually after the certificate expired.

```
2020-08-28 03:28:31,472:WARNING:certbot.renewal:Attempting to renew cert     (redacted.domain.name) from /etc/letsencrypt/renewal/redacted.domain.name.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for redacted.domain.name:. Skipping.
2020-08-28 03:28:31,496:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 81, in perform
    self._set_webroots(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 99, in _set_webroots
    known_webroots)
  File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 120, in _prompt_for_webroot
    webroot = self._prompt_for_new_webroot(domain, True)
  File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 144, in _prompt_for_new_webroot
    force_interactive=True)
  File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 372, in validated_directory
    validator, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 329, in _get_validated
    code, raw = method(message, default=default, **kwargs)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 583, in directory_select
    return self.input(message, default, cli_flag)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 524, in input
    self._interaction_fail(message, cli_flag)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Input the webroot for redacted.domain.name:
```

I went to investigate why my certificate had expired this morning and found what appears to be the same issue.

It seems to be due to a bug in version 0.31.0-1 of certbot found in buster.

From this Let's Encrypt forum thread:

When an ACME account has validated a name within the last 30 days, Let’s Encrypt allows it to issue certificates without validating the name again. (This is not a promise, and clients shouldn’t rely on it, but it’s how it normally works.)

It was fixed in Certbot 0.35.0.

Renewing will not normally break the configuration, because certificates are normally renewed approximately every 60 days, long after the authorizations would have expired, always forcing the names to be validated again.

It comes into play in other circumstances – adding a new subdomain not long after a certificate was renewed, maintaining multiple certificates with overlapping hostnames, or renewing unusually frequently.

I had reinstalled my freedombox and this seemed to have created an invalid configuration with an empty [[webroot_map]] section:

```
root@freedombox:~# cat /etc/letsencrypt/renewal/example.com
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 37d8ffcdc7e4bb86f3d5eccf9b3716480
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
```

It seems there might be several ways to fix this - manual renewal on its own did not work for me. What did work was appending the above config with a line similar to:

```
example.com = /var/www/html
```

then running:

```
root@freedombox:~# certbot renew
```
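
An added example, not part of the original posts or of certbot itself: a check that finds renewal configs in the state shown above (`authenticator = webroot` with no entries under `[[webroot_map]]`) before the certificate expires. It assumes the file layout shown in the post and the `/etc/letsencrypt/renewal` directory named in the log; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Flag certbot renewal configs that use the webroot authenticator but have
an empty [[webroot_map]] section (the state shown in the post above)."""
import glob
import os
import sys

RENEWAL_DIR = "/etc/letsencrypt/renewal"  # directory named in the log above


def webroot_map_entries(text):
    """Return (authenticator, {domain: webroot}) parsed from a renewal config."""
    authenticator, entries, section = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # "[renewalparams]" and "[[webroot_map]]" both reduce to their name
            section = line.strip("[]").strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "renewalparams" and key == "authenticator":
            authenticator = value
        elif section == "webroot_map":
            entries[key] = value
    return authenticator, entries


def has_empty_webroot_map(text):
    """True when the config relies on webroot but maps no domain to a path."""
    authenticator, entries = webroot_map_entries(text)
    return authenticator == "webroot" and not entries


def scan(renewal_dir=RENEWAL_DIR):
    """Return the renewal config files that have the empty-map problem."""
    flagged = []
    for path in sorted(glob.glob(os.path.join(renewal_dir, "*.conf"))):
        with open(path, encoding="utf-8") as fh:
            if has_empty_webroot_map(fh.read()):
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    bad = scan(sys.argv[1] if len(sys.argv) > 1 else RENEWAL_DIR)
    for path in bad:
        print(f"{path}: authenticator = webroot but [[webroot_map]] is empty")
    sys.exit(1 if bad else 0)
```

The non-zero exit status makes it usable from cron or a monitoring check, so the problem surfaces as an alert rather than as an expired certificate.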