All renewal attempts failed. The following certs could not be renewed:


#1

I had originally created my certificate using below command:
sudo certbot certonly --manual -d *.slackservices.com -d slackservices.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

My domain is: slackservices.com

I ran this command:
sudo certbot renew --pre-hook "sudo service nginx stop" --post-hook "sudo service nginx start"
and
sudo certbot renew --manual --preferred-challenges dns-01 --pre-hook "sudo service nginx stop" --post-hook "sudo service nginx start"

It produced this output:

Cert is due for renewal, auto-renewing…

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

Attempting to renew cert (slackservices.com) from /etc/letsencrypt/renewal/slackservices.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/slackservices.com/fullchain.pem (failure)

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Linux/Ubuntu

My hosting provider, if applicable, is:
Route 53

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1


#2

Hi @csanghvi

if you use --manual, you can’t use renew without a replacement of your manual action.

So use your first command again.

PS: Wildcard certificates require dns-01-validation and version 2 of the api. So you can remove these parameters.

sudo certbot certonly --manual -d *.slackservices.com -d slackservices.com

should work.


#3

This is awesome. It got me forward. However, as part of the challenge, it's asking me to create a file and make it available at:
http://slackservices.com/.well-known/acme-challenge/DX16oybQNLBJz9tSCF35gTNMquU9Ad5fpED2r_kCwEc

I am using nginx, and would you know what the nginx.conf entry would be to ensure this file is available on port 80 on the specific path? Help here will be tremendous. You have already helped me answer my original question. Thanks for that.


#4

No, that's wrong. Wildcard certificates require dns-01 validation. Perhaps there is a missing *


#6

PS: Oh, wait, perhaps Certbot has a new feature.

My own client (not published) is able to create a wildcard certificate with dns-01 validation * and http-01 validation with the server-daten.de main domain.

I wrote that earlier in this forum.

Perhaps Certbot has now such a feature.


#7

Be sure to wrap the wildcard domain parameter in quotes (that can cause problems):
Like either:
-d '*.domain.com' -d domain.com
-d "*.domain.com" -d domain.com


#8

So this is expected then? And if so, what would you advise?

@rg305 even if i use quotes, it is still asking me to do a file validation on a static path. Is that expected?


#9

It seems “new” (to me) that certbot is trying to validate wildcards over HTTP-01 auth.
But in general, yes; You must provide the proper authentication response to get the cert.


#10

This makes no sense to me…


#11

No, my idea is different. I use *.server-daten.de + server-daten.de. *.server-daten.de requires dns-01 validation. But to validate server-daten.de it’s possible to use every challenge you want to use.

So I use dns-01 validation with a single _acme-challenge.server-daten.de value and http-01 validation with server-daten.de.

But I don’t know if Certbot has implemented such a split. Last information - no.


#12

And the client in use is old, not new.

Please show:
certbot certificates


#13

@JuergenAuer and @rg305 If you're not advising to change plugins, please just advise @csanghvi to run his original command with the whole --preferred-challenges dns-01 et cetera. You're making it unnecessarily complicated.

@csanghvi In the Ubuntu PPA for certbot, there’s also a DNS plugin called python-certbot-dns-route53. See https://launchpad.net/~certbot/+archive/ubuntu/certbot

I would recommend using that plugin, so you don't have to use the manual plugin and you can actually renew automatically.

See the documentation for more info: https://certbot-dns-route53.readthedocs.io/en/stable/
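The PluginError in #1 is literal: with --manual, certbot renew only works unattended if a --manual-auth-hook publishes the dns-01 token for it. The script below is an added example of such a hook for Route 53, written for this thread; it is not code from the original posts, from Certbot, or from the certbot-dns-route53 plugin recommended in #13 (which does the same job with less to maintain, if the package is available). It assumes the AWS CLI is installed with credentials that may list hosted zones and read and change record sets; the file name route53-hook.sh and the function names are mine. Only CERTBOT_DOMAIN and CERTBOT_VALIDATION are real Certbot-provided variables. It also handles the trap this exact certificate sets: *.slackservices.com and slackservices.com both validate at _acme-challenge.slackservices.com, and Certbot runs the hook for every name before the CA checks any of them, so the hook merges TXT values instead of overwriting the first token with the second.

```shell
#!/bin/sh
# route53-hook.sh (hypothetical name): a certbot --manual-auth-hook / --manual-cleanup-hook
# for dns-01 on Route 53, written as an example for this thread. Assumes the AWS CLI is
# installed and its credentials allow route53:ListHostedZonesByName,
# ListResourceRecordSets and ChangeResourceRecordSets on the zone.
#
# Certbot exports CERTBOT_DOMAIN (for "*.example.com" that is "example.com") and
# CERTBOT_VALIDATION (the token to publish) before running the hook. Invocation:
#   sudo certbot certonly --manual --preferred-challenges dns-01 \
#     --manual-auth-hook    "/usr/local/bin/route53-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/route53-hook.sh cleanup" \
#     -d '*.slackservices.com' -d slackservices.com
# The hooks are saved in the renewal config, so "certbot renew" then works unattended.
set -eu

# Print the domain and each parent suffix, one per line, most specific first.
# Used to locate the hosted zone: for a.b.example.com the zone may be example.com.
zone_candidates() {
  d=$1
  while :; do
    printf '%s\n' "$d"
    case $d in *.*) d=${d#*.} ;; *) break ;; esac
  done
}

# Build the change-batch JSON for one TXT record set. Route 53 wants each TXT value
# wrapped in double quotes, and ALL values for a name live in one record set.
# Usage: change_batch UPSERT|DELETE NAME VALUE...
change_batch() {
  action=$1; name=$2; shift 2
  records=""
  for v in "$@"; do
    records="${records:+$records,}{\"Value\":\"\\\"$v\\\"\"}"
  done
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[%s]}}]}' \
    "$action" "$name" "$records"
}

# Merge a new token into the values already published for the name. The wildcard and
# the apex both validate at _acme-challenge.<apex>, and certbot runs the hook once per
# name BEFORE the CA checks anything, so an UPSERT carrying only the newest token
# would silently drop the first domain's token and fail that validation.
# Usage: merge_values "EXISTING (newline separated, may be empty)" NEW
merge_values() {
  printf '%s\n%s\n' "$1" "$2" | sed '/^$/d' | sort -u
}

# Hosted zone id for the closest enclosing zone of $1 (needs the AWS CLI and network).
find_zone() {
  for d in $(zone_candidates "$1"); do
    id=$(aws route53 list-hosted-zones-by-name --dns-name "$d." --max-items 1 \
           --query "HostedZones[?Name=='$d.'].Id" --output text)
    if [ -n "$id" ] && [ "$id" != "None" ]; then
      printf '%s\n' "${id#/hostedzone/}"
      return 0
    fi
  done
  return 1
}

# Current TXT values for NAME in ZONE, one per line with the quotes stripped (network).
current_values() {
  aws route53 list-resource-record-sets --hosted-zone-id "$1" \
    --start-record-name "$2." --start-record-type TXT --max-items 1 \
    --query "ResourceRecordSets[?Name=='$2.' && Type=='TXT'].ResourceRecords[].Value" \
    --output text | tr -d '"' | tr '\t' '\n' | sed '/^$/d;/^None$/d'
}

main() {
  name="_acme-challenge.$CERTBOT_DOMAIN"
  zone=$(find_zone "$CERTBOT_DOMAIN") || { echo "no hosted zone for $CERTBOT_DOMAIN" >&2; exit 1; }
  existing=$(current_values "$zone" "$name")
  case $1 in
    auth)
      set -- $(merge_values "$existing" "$CERTBOT_VALIDATION")   # tokens contain no whitespace
      batch=$(change_batch UPSERT "$name" "$@") ;;
    cleanup)
      [ -n "$existing" ] || exit 0          # nothing left to remove
      set -- $existing                      # DELETE must match the record set exactly
      batch=$(change_batch DELETE "$name" "$@") ;;
    *) echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
  esac
  change=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
             --change-batch "$batch" --query 'ChangeInfo.Id' --output text)
  aws route53 wait resource-record-sets-changed --id "$change"   # returns once INSYNC
}

# Act only when certbot is calling us; run or sourced without CERTBOT_VALIDATION
# this just defines the functions.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
  main "${1:-auth}"
fi
```

Run the certonly command from the header comment once, interactively or not; because Certbot records manual_auth_hook and manual_cleanup_hook in /etc/letsencrypt/renewal/slackservices.com.conf, the plain `certbot renew` from #1 then succeeds without a terminal. The cleanup branch deletes the whole _acme-challenge record set with exactly the values Route 53 currently holds, which is what a DELETE change requires.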


#14

By the way, the current version of Certbot in the PPA is 0.28.0. It doesn’t affect this, but you should run an apt upgrade (or possibly full-upgrade).

