diff --git a/certbot/certbot/_internal/cli/__init__.py b/certbot/certbot/_internal/cli/__init__.py
index b36e87a1d..e0dadaaf8 100644
--- a/certbot/certbot/_internal/cli/__init__.py
+++ b/certbot/certbot/_internal/cli/__init__.py
@@ -149,16 +149,13 @@ def prepare_and_parse_args(plugins: plugins_disco.PluginsRegistry, args: List[st
 [None, "testing", "renew", "certonly"], "--dry-run", action="store_true", dest="dry_run", default=flag_default("dry_run"),
- help="Perform a test run of the client, obtaining test (invalid) certificates"
- " but not saving them to disk. This can currently only be used"
- " with the 'certonly' and 'renew' subcommands. \nNote: Although --dry-run"
- " tries to avoid making any persistent changes on a system, it "
- " is not completely side-effect free: if used with webserver authenticator plugins"
- " like apache and nginx, it makes and then reverts temporary config changes"
- " in order to obtain test certificates, and reloads webservers to deploy and then"
- " roll back those changes. It also calls --pre-hook and --post-hook commands"
- " if they are defined because they may be necessary to accurately simulate"
- " renewal. --deploy-hook commands are not called.")
+ help="Perform a test run against the Let's Encrypt staging server, obtaining test"
+ " (invalid) certificates but not saving them to disk. This can only be used with the"
+ " 'certonly' and 'renew' subcommands. It may trigger webserver reloads to "
+ " temporarily modify & roll back configuration files."
+ " --pre-hook and --post-hook commands run by default."
+ " --deploy-hook commands do not run, unless enabled by --run-deploy-hooks."
+ " The test server may be overridden with --server.")
 helpful.add( ["testing", "renew", "certonly", "reconfigure"], "--run-deploy-hooks", action="store_true", dest="run_deploy_hooks",
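Review bot: The new `--dry-run` help ends with `" The test server may be overridden with --server."` but leaves out the caveat this same commit adds to using.rst, that a dry run against a custom server may cause real certificates to be issued and discarded. Operators are likely to read `--help` before the docs, so I would put the warning on that line too, e.g. `" The test server may be overridden with --server, in which case real certificates may be issued and discarded."`. The using.rst note also says `--server` can come from cli.ini, so the override may be in effect without appearing on the command line, which is worth mentioning here as well. Minor: `"... webserver reloads to "` followed by `" temporarily modify & roll back configuration files."` concatenates to a double space and reads as if the reload itself edits the configuration, whereas the removed text said the plugins make and revert the changes and the reload deploys them. The `helpful.add(` call begins above the hunk.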
@@ -270,8 +267,8 @@ def prepare_and_parse_args(plugins: plugins_disco.PluginsRegistry, args: List[st
 # overwrites server, handled in HelpfulArgumentParser.parse_args()
 helpful.add(["testing", "revoke", "run"], "--test-cert", "--staging", dest="staging", action="store_true", default=flag_default("staging"),
- help="Use the staging server to obtain or revoke test (invalid) certificates; equivalent"
- " to --server " + constants.STAGING_URI)
+ help="Use the Let's Encrypt staging server to obtain or revoke test (invalid) "
+ "certificates; equivalent to --server " + constants.STAGING_URI)
 helpful.add( "testing", "--debug", action="store_true", default=flag_default("debug"), help="Show tracebacks in case of errors")
diff --git a/certbot/docs/using.rst b/certbot/docs/using.rst
index ad562ef8f..760c378fd 100644
--- a/certbot/docs/using.rst
+++ b/certbot/docs/using.rst
@@ -1091,19 +1091,19 @@ ACME directory. For example, if you would like to use Let's Encrypt's staging server, you would add ``--server https://acme-staging-v02.api.letsencrypt.org/directory`` to the command line. +.. note:: ``--dry-run`` uses the Let's Encrypt staging server, unless ``--server`` + is specified on the CLI or in the :ref:`cli.ini configuration file `. + Take caution when using ``--dry-run`` with a custom server, as it may cause real + certificates to be issued and discarded. + If Certbot does not trust the SSL certificate used by the ACME server, you can use the `REQUESTS_CA_BUNDLE `_ environment variable to override the root certificates trusted by Certbot. Certbot uses the ``requests`` library, which does not use the operating system trusted root store. +Make sure that ``REQUESTS_CA_BUNDLE`` is set globally in the environment and not only on +the CLI, or scheduled renewal will not succeed. -If you use ``--server`` to specify an ACME CA that implements the standardized -version of the spec, you may be able to obtain a certificate for a -wildcard domain. Some CAs (such as Let's Encrypt) require that domain -validation for wildcard domains must be done through modifications to -DNS records which means that the dns-01_ challenge type must be used. To -see a list of Certbot plugins that support this challenge type and how -to use them, see plugins_. Lock Files ==========