Certbot renew dry run fails with error: Input the webroot for sub.mydomain.com:. Skipping

Solution 1:

If you are creating certificates with certbot, you can run as mentioned:

certbot certonly --cert-name dev.myapi.com -d dev.myapi.com,dashboard.myapi.com

This automatically creates a config file in (Ubuntu 18.04 LTS) "/etc/letsencrypt/renewal/dev.myapi.com.conf" that contains the details as specified on the command line and via any interactive prompts. In your case, as above, you should be prompted for the auth process (apache, webroot, standalone server, etc.), and if you select webroot, you should be prompted for the path. But if you aren't, then your config will be missing the webroot-path.

As such you should explicitly call certbot with --webroot AND --webroot-path [full path to DocumentRoot] (in this example "/var/www/html/mySite").

certbot certonly --cert-name dev.myapi.com --webroot --webroot-path "/var/www/html/mySite" -d dev.myapi.com,dashboard.myapi.com

If you don't do this, then the webroot-path field is not entered into the config file, and any attempt to renew will fail with the error you see.

You can manually add the path (in this example "/var/www/html/mySite") to your config file as follows; see the line "webroot_path =" under section [renewalparams]:

root:/etc/letsencrypt/renewal# cat dev.myapi.com.conf
# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/dev.myapi.com
cert = /etc/letsencrypt/live/dev.myapi.com/cert.pem
privkey = /etc/letsencrypt/live/dev.myapi.com/privkey.pem
chain = /etc/letsencrypt/live/dev.myapi.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.myapi.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ####
authenticator = webroot
webroot_path = /var/www/html/mySite,
server = https://acme-v02.api.letsencrypt.org/directory

Then test with:

certbot renew --cert-name dev.myapi.com --dry-run
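
The following is an added example, not part of the original answer: a shell check that finds renewal configs which name the webroot authenticator but record no path, which is the condition that makes an unattended renewal stop at the "Input the webroot for ..." prompt. The function names check_renewal_conf and audit_renewal_dir are hypothetical; the script also accepts paths recorded in the [[webroot_map]] subsection that certbot writes alongside webroot_path.

```shell
#!/bin/sh
# Added example: audit certbot renewal configs for a missing webroot path.

# check_renewal_conf FILE (hypothetical helper)
# Prints "ok", "not-webroot" or "missing-webroot-path"; exits 1 only for the last.
check_renewal_conf() {
    awk '
        /^[ \t]*#/ { next }                              # skip comment lines
        /^[ \t]*\[\[webroot_map\]\]/ { in_map = 1; next }  # per-domain path map
        /^[ \t]*\[/ { in_map = 0; next }                 # any other section header
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t,]+|[ \t,]+$/, "", val)           # certbot leaves a trailing comma
            if (key == "authenticator" && val == "webroot") webroot = 1
            if (key == "webroot_path" && val != "") have_path = 1
            if (in_map && val != "") have_path = 1
        }
        END {
            if (!webroot)  { print "not-webroot"; exit 0 }
            if (have_path) { print "ok"; exit 0 }
            print "missing-webroot-path"; exit 1
        }
    ' "$1"
}

# audit_renewal_dir [DIR] (hypothetical helper)
# Lists every config that would prompt for a webroot; returns non-zero if any do.
audit_renewal_dir() {
    dir=${1:-/etc/letsencrypt/renewal}
    bad=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        if ! status=$(check_renewal_conf "$conf"); then
            echo "$conf: $status"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage after sourcing this file: audit_renewal_dir /etc/letsencrypt/renewal
```

Any file it reports can be fixed by adding the webroot_path line shown above and re-running the dry run.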