Account gone? / issues renewing

Hello letsencryptors,

Thank you for that cool service!!

Two questions for those who know…:

  1. I had an account on this forum registered since early 2018. It was gone when I tried to log in today. Is there a timeout that deletes unused accounts?

  2. I have trouble renewing a certificate:
    There are several certificates on my server (Debian Buster with apache as reverse proxy for ~8 domains, certbot 0.31). Most of them are non-wildcard-domains with standalone authentication but one is a wildcard with dns authentication. I was creating that last one 2 months ago with

certbot certonly --manual --preferred-challenges=dns --email webmaster@mydomain.de -d *.mydomain.de -d mydomain.de --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

I added the TXT record to the DNS and everything works fine.

Now that this certificate needs renewing, I got an error in /var/log/letsencrypt/letsencrypt.log:

certbot.errors.PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

The conf-file /etc/letsencrypt/renew/mydomain.conf looks like:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mydomain.de
cert = /etc/letsencrypt/live/mydomain.de/cert.pem
privkey = /etc/letsencrypt/live/mydomain.de/privkey.pem
chain = /etc/letsencrypt/live/mydomain.de/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fbe9c2c81ff2cbeea29f4ac45dd43b55
pref_challs = dns-01,
pre_hook = systemctl stop apache2
post_hook = systemctl start apache2
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

So everything seems just OK. Where is the mistake? Easiest thing for me to do would be editing the conf-file…

Thanks,

B.


Hi,

Certbot’s manual plugin is purely manual, which means without a script to automate the process (adding txt records, placing files in webserver), the renewal can’t happen.
This is also true in your case.

There are two ways manual renewal can work:

  1. You can request a new certificate with the exact same sequence as the existing one, and use the manual process again.
  2. You can check whether your DNS provider has API support for updating/adding DNS records; you might be able to find a script on GitHub or elsewhere that works with certbot's manual mode. (If you supply the script and it's working as intended, certbot will renew automatically without issue.)
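The second option above, a script that certbot calls itself, is what `--manual-auth-hook` and `--manual-cleanup-hook` are for. The following is an added example of such a hook, not certbot's code and not anything posted in this thread. The environment variables CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_REMAINING_CHALLENGES and CERTBOT_AUTH_OUTPUT are the ones certbot really exports to manual hooks; the `FakeDnsProvider` class, the `FAKE_DNS_FILE` variable, the `acme_txt_name`/`auth`/`cleanup` function names and the use of `dig` for the propagation check are assumptions made for this example, and the provider class is the part you replace with your DNS provider's API.

```python
#!/usr/bin/env python3
"""Example certbot manual hook for DNS-01 (added example; not certbot's code).

Certbot sets CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES
for --manual-auth-hook, and additionally CERTBOT_AUTH_OUTPUT (the auth hook's
stdout) for --manual-cleanup-hook. FakeDnsProvider is a stand-in for a real
provider API and keeps records in a JSON file so the hook runs offline.
"""
import json
import os
import subprocess
import sys
import time


def acme_txt_name(domain):
    """Name of the TXT record a DNS-01 challenge is read from.
    Certbot passes the base name for a wildcard, but strip '*.' defensively."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain


class FakeDnsProvider:
    """Placeholder for a DNS provider API (constructed for this example).
    Records are appended, never replaced: a request for *.mydomain.de and
    mydomain.de needs two TXT values on the same name at the same time."""

    def __init__(self, path):
        self.path = path

    def _load(self):
        try:
            with open(self.path) as f:
                return json.load(f)
        except FileNotFoundError:
            return {}

    def _save(self, records):
        with open(self.path, "w") as f:
            json.dump(records, f)

    def add_txt(self, name, value):
        records = self._load()
        records.setdefault(name, [])
        if value not in records[name]:
            records[name].append(value)
        self._save(records)

    def remove_txt(self, name, value):
        records = self._load()
        records[name] = [v for v in records.get(name, []) if v != value]
        self._save(records)

    def lookup_txt(self, name):
        return self._load().get(name, [])


def resolve_txt(name):
    """Ask the public DNS (assumes `dig` is installed) for the TXT values."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def wait_for_txt(name, value, lookup=resolve_txt, tries=30, delay=10):
    """Poll until the record is visible. The CA validates from the outside,
    so returning before propagation makes the challenge fail."""
    for attempt in range(tries):
        if value in lookup(name):
            return True
        if attempt + 1 < tries:
            time.sleep(delay)
    return False


def auth(env, provider, lookup=resolve_txt):
    """Auth hook: publish the validation value, wait until it is visible."""
    name = acme_txt_name(env["CERTBOT_DOMAIN"])
    value = env["CERTBOT_VALIDATION"]
    provider.add_txt(name, value)
    if not wait_for_txt(name, value, lookup):
        raise SystemExit("TXT record %s did not propagate" % name)
    # Whatever the auth hook prints comes back as CERTBOT_AUTH_OUTPUT.
    return "%s %s" % (name, value)


def cleanup(env, provider):
    """Cleanup hook: remove exactly the record this run published."""
    name, value = env["CERTBOT_AUTH_OUTPUT"].split()
    provider.remove_txt(name, value)
    return name


if __name__ == "__main__":
    dns = FakeDnsProvider(os.environ.get("FAKE_DNS_FILE", "/tmp/fake-dns.json"))
    if sys.argv[1:] == ["cleanup"]:
        cleanup(os.environ, dns)
    else:
        print(auth(os.environ, dns))
```

With a real provider class in place you would issue once with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.py --manual-cleanup-hook "/path/to/hook.py cleanup" -d '*.mydomain.de' -d mydomain.de`; certbot stores the hook paths in the renewal conf alongside `authenticator = manual`, which is exactly what the "must be provided with --manual-auth-hook" error in the first post is asking for, and `certbot renew` then runs without prompting. The hook only ever adds and removes `_acme-challenge` TXT records, so the API credential it uses should be scoped to that if the provider allows it.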

Hello stevenzhu,
hello letsencyptors,

thanks for your explanation.
Maybe I didn't explain how I wanted it to work. I was hoping to have all certificates renewed automatically by the 'certbot renew' script in cron.d or crontab! This should be possible without changing any DNS entries.

I was hoping to get that working by changing the line
authenticator = manual
into
authenticator = standalone
in /etc/letsencrypt/renewal/mydomain.de.conf
but I get
Attempting to renew cert (mydomain.de) from /etc/letsencrypt/renewal/mydomain.de.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
Also, there is another WebServer working in the way I want it to, with
authenticator = manual
in every conf file.

regards,

B.


This is not possible if you don't want to change any DNS entries.

Let's Encrypt, like most other CAs, requires you to use a random token to complete the challenge (regardless of HTTP or DNS). This token changes every time you try to renew your certificate (or request a new one), and Let's Encrypt only allows you to obtain a wildcard certificate with TXT record verification.

Do you remember that when you first requested a certificate with manual, you had to actually do things with your hands? How is that supposed to happen with automated renewals? If you don't have a script to handle these things automatically, you can't use manual mode to renew a certificate (because it just doesn't work).

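To make the "random token changes every time" point concrete: the value certbot asks you to put in the TXT record is derived from the CA's fresh token and from your ACME account key, following RFC 8555 (key authorization) and RFC 7638 (JWK thumbprint). The following is an added example, not from the thread and not certbot's code; the account key is a constructed EC JWK with made-up coordinates, `new_token` stands in for what the CA does server-side, and `record_still_valid` is a helper name chosen here to show why last time's TXT record is useless for this renewal.

```python
"""DNS-01 TXT value derivation (added example; account key is constructed)."""
import base64
import hashlib
import json
import secrets


def b64url(data):
    """Base64url without padding, as ACME and JWK use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over only the required public members, keys in
    lexicographic order, no whitespace. Private members never take part."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token, jwk):
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token, jwk):
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuth))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def new_token():
    """What the CA does for each challenge: a fresh random token (constructed here)."""
    return b64url(secrets.token_bytes(32))


def record_still_valid(published_value, current_token, jwk):
    """The check the CA effectively performs: does the record in DNS match the
    value expected for the token of *this* challenge?"""
    return published_value == dns01_txt_value(current_token, jwk)


# Constructed account key: EC P-256 shape, coordinates are placeholders.
CONSTRUCTED_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


if __name__ == "__main__":
    first_issuance = new_token()
    renewal = new_token()
    published = dns01_txt_value(first_issuance, CONSTRUCTED_JWK)
    print("TXT at first issuance:", published)
    print("TXT needed at renewal:", dns01_txt_value(renewal, CONSTRUCTED_JWK))
    print("old record accepted at renewal?",
          record_still_valid(published, renewal, CONSTRUCTED_JWK))
```

Two consequences follow directly from the derivation: the TXT value is bound to the account key, so a record published for a different ACME account does not validate even for the same token, and it is bound to the per-challenge token, so a record left in DNS from the previous issuance can never satisfy the renewal. That is the mechanism behind the answer above.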

Hej all,

Thanks again stevenzhu for caring about my thing!

I was wrong thinking that my second server works like I thought it would.

It took me some days to get deeper into it. In the end I found that there doesn't seem to be a way to have a wildcard certificate renewed automatically if the DNS provider is different from those that are listed in the FAQs or have an API. Is that right?

Boris

