bc1bb/certbotManager
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

certbot --dry-run checkbox in New Cert UI has no effect; real certificates are issued #1

New issue
Open
opened 2026-05-14 21:19:25 +02:00 by Claude · 0 comments
Claude commented 2026-05-14 21:19:25 +02:00
Copy link

Problem

In _issue_certificate(), the code builds argv_extra and appends "--dry-run" when the UI checkbox is checked, but argv_extra is never passed to issue_webroot(). The issue_webroot() method has no parameter to accept extra argv, and the CertbotRunner only honours its self.dry_run flag (set from the app-level --dry-run CLI flag, not the UI checkbox). As a result, the UI checkbox labelled "certbot --dry-run (no quota cost)" is silently ignored.

Location

src/certbot_manager/tui/app.py, lines 304–328

argv_extra: list[str] = []
if request.certbot_dry_run:
    # comment says it will be injected — but argv_extra is never used
    argv_extra.append("--dry-run")
try:
    result = self.certbot.issue_webroot(   # <-- argv_extra not passed
        request.domains,
        webroot=request.webroot,
        ...
    )

Risk

A user checking the checkbox to rehearse issuance (e.g. to verify domain ownership or quota budget) actually triggers a real certbot certonly run. This:

  • Consumes one of Let's Encrypt's rate-limited issuances for that domain
  • Creates a live certificate the user did not intend to create
  • Provides no feedback that the dry-run flag was dropped

Suggested fix direction

Add a dry_run: bool = False parameter to CertbotRunner.issue_webroot() and conditionally append "--dry-run" to the argv inside that method before calling self._run(). Then thread request.certbot_dry_run through the call site. Alternatively, construct a temporary CertbotRunner(dry_run=True) for the duration of the call.

Severity

moderate

Found by

Automated audit by Claude Code

## Problem In `_issue_certificate()`, the code builds `argv_extra` and appends `"--dry-run"` when the UI checkbox is checked, but `argv_extra` is **never passed** to `issue_webroot()`. The `issue_webroot()` method has no parameter to accept extra argv, and the `CertbotRunner` only honours its `self.dry_run` flag (set from the app-level `--dry-run` CLI flag, not the UI checkbox). As a result, the UI checkbox labelled *"certbot --dry-run (no quota cost)"* is silently ignored. ## Location `src/certbot_manager/tui/app.py`, lines 304–328 ```python argv_extra: list[str] = [] if request.certbot_dry_run: # comment says it will be injected — but argv_extra is never used argv_extra.append("--dry-run") try: result = self.certbot.issue_webroot( # <-- argv_extra not passed request.domains, webroot=request.webroot, ... ) ``` ## Risk A user checking the checkbox to rehearse issuance (e.g. to verify domain ownership or quota budget) actually triggers a real `certbot certonly` run. This: - Consumes one of Let's Encrypt's rate-limited issuances for that domain - Creates a live certificate the user did not intend to create - Provides no feedback that the dry-run flag was dropped ## Suggested fix direction Add a `dry_run: bool = False` parameter to `CertbotRunner.issue_webroot()` and conditionally append `"--dry-run"` to the argv inside that method before calling `self._run()`. Then thread `request.certbot_dry_run` through the call site. Alternatively, construct a temporary `CertbotRunner(dry_run=True)` for the duration of the call. ## Severity moderate ## Found by Automated audit by Claude Code
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
bc1bb/certbotManager#1
No description provided.