An authentication script must be provided with --manual-auth-hook


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=relationmonitor.dk), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I used this command when I generated certificates for 2 servers for the same domain name

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'relationmonitor.dk,*.relationmonitor.dk'

My domain is: relationmonitor.dk

I ran this command: sudo certbot renew --manual

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/relationmonitor.dk.conf


Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (relationmonitor.dk) from /etc/letsencrypt/renewal/relationmonitor.dk.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:

My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: CloudVPS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @danyal14

renew is a non-interactive command. So you can’t use --manual.

So use

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'relationmonitor.dk,*.relationmonitor.dk'

But you want a wildcard certificate, so you must use dns and the v02 -> so this command

certbot certonly --manual -d 'relationmonitor.dk,*.relationmonitor.dk'

should do the same.


#3

Hi @JuergenAuer,

Thanks for the reply. I tried and got the following output. Looks like it didn’t renew.

certbot certonly --manual -d 'relationmonitor.dk,*.relationmonitor.dk'

sudo certbot certonly --manual -d 'relationmonitor.dk,*.relationmonitor.dk'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
The currently selected ACME CA endpoint does not support issuing wildcard certificates.


#4

You should update your certbot, if it uses v01 as standard. Or add the --server argument. But better - update your certbot.


#5

Thanks, it works with the --server argument. I will update certbot too, thanks :)


#6

@JuergenAuer

Certbot asks twice to add different keys with the same DNS TXT record, and when I added it,
authentication fails because it finds only the first key in order.

Do you know if I can add both records with the same TXT entry _acme-challenge.relationmonitor.dk?


#7

If you have two domain names

you have to add two entries with the same name

_acme-challenge.relationmonitor.dk

and different values. Letsencrypt checks all values.

This

D:\temp>nslookup -type=txt _acme-challenge.relationmonitor.dk.

_acme-challenge.relationmonitor.dk      text =

        "j-Se0xBqqRtNrkXcmqWx99H0vLUf72-esM-WVTEtSqs"

_acme-challenge.relationmonitor.dk      text =

        "vrpWj5DzWHLVL1HgVjEN4UNue4J1qMevRgjhIwewokc"

looks good.
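
For unattended renewal of the wildcard certificate discussed in this thread, here is an added example of a script for --manual-auth-hook (not part of the thread and not certbot's own code); it appends each challenge value so that both TXT values coexist under _acme-challenge. It assumes a zone that accepts RFC 2136 updates through nsupdate with a TSIG key; NSUPDATE_KEY, its path and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: dns-01 auth hook for "certbot ... --manual-auth-hook".
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling it.
# Assumption: the zone accepts RFC 2136 dynamic updates (nsupdate + TSIG key).
NSUPDATE_KEY="${NSUPDATE_KEY:-/etc/letsencrypt/tsig.key}"  # hypothetical path
TTL=60

# TXT record name for a certificate name. A leading "*." is dropped, so the
# wildcard and the base name map to the same record name.
challenge_name() {
    case $1 in
        '*.'*) base=${1#??} ;;
        *)     base=$1 ;;
    esac
    printf '_acme-challenge.%s.' "$base"
}

# Emit the nsupdate input. "update add" appends to the RRset instead of
# replacing it, so the first challenge value survives the second call.
build_update() {
    record=$(challenge_name "$1")
    printf 'update add %s %s TXT "%s"\nsend\n' "$record" "$TTL" "$2"
}

# Succeed only if the token is among the TXT values read on stdin
# (one quoted value per line, the format of "dig +short TXT").
has_token() {
    grep -qxF "\"$1\""
}

# Act only when certbot invoked the script with a challenge to publish.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    build_update "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$NSUPDATE_KEY" || exit 1
    record=$(challenge_name "$CERTBOT_DOMAIN")
    # Wait until the value is visible before certbot asks the CA to validate.
    for attempt in 1 2 3 4 5 6; do
        dig +short TXT "$record" | has_token "$CERTBOT_VALIDATION" && exit 0
        sleep 10
    done
    echo "challenge for $CERTBOT_DOMAIN not visible in DNS" >&2
    exit 1
fi
```

The script leaves the published values in place; removing them after validation is the job of a separate script passed with --manual-cleanup-hook.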

