I had an account to this forum registered since early 2018. It was gone when I tried to login today. Is there a timeout to delete unused accounts?
I have trouble renewing a certificate:
There are several certificates on my server (Debian Buster with apache as reverse proxy for ~8 domains, certbot 0.31). Most of them are non-wildcard domains with standalone authentication, but one is a wildcard with DNS authentication. I created that last one 2 months ago with
I added the txt-record to the dns and everything works fine.
Now that this certificate needs renewing, I got an error in /var/log/letsencrypt/letsencrypt.log:
certbot.errors.PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’)
The conf-file /etc/letsencrypt/renew/mydomain.conf looks like:
Certbot’s manual plugin is purely manual, which means that without a script to automate the process (adding TXT records, placing files on the web server), the renewal can’t happen.
This is also true in your case.
There are two ways manual renewal can work:
You can request a new certificate with the exact same sequence as for the existing one, and go through the manual process again.
You can check whether your DNS provider has API support for updating/adding DNS records; you might be able to find a script on GitHub or elsewhere that works with certbot’s manual mode. (If you supply the script and it works as intended, certbot will renew automatically without issue.)
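As an added example (not from this thread and not certbot's own code), this is the shape of a `--manual-auth-hook` script for a dns-01 validation: certbot exports the domain and the per-issuance random token as `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION`, the hook publishes the TXT record and then waits until the record is visible in DNS before returning, so that certbot only asks Let's Encrypt to validate once the record exists. The `publish_txt_record` function is a placeholder for your DNS provider's API call; the `dig` check against a public resolver and the 120-second timeout are assumptions.

```shell
#!/bin/sh
# Added example of a certbot --manual-auth-hook for dns-01 validation.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to this script;
# the validation token is new on every issuance, which is why the record
# has to be created by a script rather than typed in once.
set -eu

# Name of the TXT record Let's Encrypt will look up. certbot hands the hook
# the base domain for a wildcard request, but strip a leading "*." defensively.
txt_record_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# PLACEHOLDER: replace the body with your DNS provider's API call
# (curl, provider CLI, nsupdate, ...). Arguments: record name, record value.
publish_txt_record() {
    echo "TODO: create TXT record $1 with value \"$2\" via provider API" >&2
    return 1
}

# Poll a public resolver (assumed 1.1.1.1) until the expected TXT value is
# visible or the assumed 120 s timeout expires. Returns 0 when found, 1 otherwise,
# so certbot reports a failed renewal instead of a failed challenge.
wait_for_txt() {
    name="$1"; value="$2"; deadline=$(( $(date +%s) + 120 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if dig +short TXT "$name" @1.1.1.1 | grep -Fq "\"$value\""; then
            return 0
        fi
        sleep 10
    done
    return 1
}

main() {
    name=$(txt_record_name "$CERTBOT_DOMAIN")
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

# Only act when invoked by certbot (the variables are set); sourcing the
# file elsewhere just defines the functions.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    main
fi
```

The hook is registered when the certificate is issued, e.g. `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.sh -d 'mydomain.de' -d '*.mydomain.de'`, and certbot stores it in the renewal conf so later `certbot renew` runs call it again with a fresh token.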
Thanks for your explanation.
Maybe I didn’t say how I wanted it to work. I was hoping to have that (all) certificates renewed automatically by the ‘certbot renew’ script in cron.d or crontab! This should be possible without changing any DNS entries.
I was hoping to get that working by changing the line
authenticator = manual
into
authenticator = standalone
in /etc/letsencrypt/renewal/mydomain.de.conf
but I get
Attempting to renew cert (mydomain.de) from /etc/letsencrypt/renewal/mydomain.de.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
Also, there is another web server working the way I want it to, with
authenticator = manual
in every conf file.
This is not possible if you don't want to change any DNS entries.
Let's Encrypt, like most other CAs, requires you to use a random token to complete the challenge (regardless of HTTP or DNS). This token changes every time you try to renew your certificate (or request a new one). And Let's Encrypt only allows you to obtain a wildcard certificate with TXT record verification.
Do you remember that when you first requested a certificate with manual, you needed to actually do things with your hands? How is that supposed to happen with automated renewals? If you don't have a script to handle these things automatically, you can't use manual mode to renew a certificate (because it just doesn't work).
I was wrong thinking that my second server works like I thought it would.
It took me some days to get deeper into it. In the end I found that there doesn’t seem to be a way to have a wildcard certificate renewed automatically if the DNS provider is different from the ones listed in the FAQs or has no API. Is that right?