A different certbot error on Debian 8

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
kaba-server.net and others

I ran this command:
/snap/bin/certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/kaba-server.net.conf


Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (kaba-server.net) from /etc/letsencrypt/renewal/kaba-server.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.

My web server is (include version):
nginx/1.18.0

The operating system my web server runs on is (include version):
Debian 8

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
/snap/bin/certbot --version
certbot 1.10.1

I know that Debian 8 is not officially supported. However, we need to get this working somehow. This is for a business which is losing money now because our sites are no longer working under https. We have a deadline and we do not have time to install a new OS or do any kind of major server reconfiguration.

What are our options?

Thank you very much.

2 Likes

Welcome to the Let's Encrypt Community 🙂

This error has absolutely nothing to do with your operating system. It means that manual authentication was used to acquire the previous certificate and no "hook" scripts were used to help automate the process. Thus, certbot renew cannot be used "non-interactively" (from a script) to renew the certificate.

From the certificate history for kaba-server.net, I can see that a wildcard certificate was previously acquired manually. I'll go ahead and give you the command to do so again. At least that will get your website up and running. Automation can be discussed later.

/snap/bin/certbot certonly --cert-name kaba-server.net --manual --preferred-challenges dns -d "kaba-server.net,*.kaba-server.net" --keep --deploy-hook "nginx -s reload"

3 Likes

Thank you very much! With your explanation, I now understand that originally doing a manual authentication will prevent the automated "renew" command from working. I have now manually renewed for the time being.

I am now investigating how to do these renewals in an automated fashion.

Any pointers to docs would be appreciated, although I'm sure I'll be able to figure this out for myself by digging deeper into the documentation.

2 Likes

Follow-up: I have not been able to find much documentation about how to create a manual auth hook. However, it seems that such a hook would have to do the following:
(1) Somehow capture the UID that certbot is requiring to go into an "_acme-challenge" TXT record.
(2) Set up the "_acme-challenge" TXT record for the domain with this UID.

Is this correct? Or am I on the wrong track? If indeed I am correct about this, then it raises the following question:

I manage my own DNS via "djbdns" (specifically, with "tinydns"), and so I can easily perform step 2. But I'm not sure about step 1.

Could someone point me to an example manual auth script which at least does something similar, so I can see how to perform step 1 (i.e., so I can see how to capture the UID)?

Thank you very much.

2 Likes

Hello @HippoMan,

certbot will pass to your script the variables CERTBOT_DOMAIN, containing the domain being authenticated, and CERTBOT_VALIDATION, containing the validation string that you must use in the TXT record to validate your domain.

Here is the doc with several examples https://certbot.eff.org/docs/using.html?highlight=certbot_validation#pre-and-post-validation-hooks

Cheers,
sahsanu

2 Likes
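
As an added example (not code from this thread or from the certbot documentation), here is one way a hook of the kind described above could look for a tinydns setup: it reads CERTBOT_DOMAIN and CERTBOT_VALIDATION, checks both before they reach the zone data file, and appends the TXT record so that the base and wildcard challenges can coexist. The TINYDNS_ROOT path, the 60-second TTL and the "cleanup" argument convention are assumptions.

```shell
#!/bin/sh
# Added example: certbot manual auth/cleanup hook for tinydns (not from the thread).
# Assumption: tinydns "data" file and its Makefile live in TINYDNS_ROOT.
TINYDNS_ROOT="${TINYDNS_ROOT:-/service/tinydns/root}"

# Print the tinydns-data TXT line ('fqdn:text:ttl) for one challenge.
# Only hostname characters and base64url token characters are accepted, so a
# malformed value cannot carry ":" or a newline into the zone data file.
challenge_line() {   # challenge_line DOMAIN VALIDATION
    domain="${1#\*.}"   # defensive: drop a leading "*." if one is present
    case "$domain" in
        ""|*[!A-Za-z0-9.-]*) echo "rejected domain" >&2; return 1 ;;
    esac
    case "$2" in
        ""|*[!A-Za-z0-9_-]*) echo "rejected validation string" >&2; return 1 ;;
    esac
    printf "'_acme-challenge.%s:%s:60\n" "$domain" "$2"   # 60 s TTL (assumed)
}

# Append, never overwrite: a certificate for example.com and *.example.com
# needs two TXT values on the same _acme-challenge name at the same time.
add_challenge() {    # add_challenge DATAFILE DOMAIN VALIDATION
    line=$(challenge_line "$2" "$3") || return 1
    grep -qxF -- "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

remove_challenge() { # remove_challenge DATAFILE DOMAIN VALIDATION
    line=$(challenge_line "$2" "$3") || return 1
    tmp="$1.tmp.$$"
    grep -vxF -- "$line" "$1" > "$tmp" || true   # grep exits 1 when no line remains
    cat "$tmp" > "$1" && rm -f "$tmp"            # keeps the data file's owner and mode
}

# Runs only when certbot invokes the script; it exports both variables.
# Hypothetical convention: pass "cleanup" as $1 from --manual-cleanup-hook.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    if [ "${1:-}" = "cleanup" ]; then
        remove_challenge "$TINYDNS_ROOT/data" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
    else
        add_challenge "$TINYDNS_ROOT/data" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
    fi
    ( cd "$TINYDNS_ROOT" && make )   # tinydns-data recompiles data into data.cdb
fi
```

With the script saved at a path of your choosing, it would be passed to certbot as `--manual-auth-hook /path/to/hook.sh --manual-cleanup-hook "/path/to/hook.sh cleanup"`.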

Thank you very much! I can now write my manual auth script.

FOLLOW-UP: ... and it works!

Thanks again to both of you!

4 Likes