Auto-renew from cron (first attempt)

My domain is:
Doesn’t matter, isn’t a public site

I ran this command:
certbot renew

It produced this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (domain) from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domain/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domain/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Apache 2.4.29

The operating system my web server runs on is (include version):
Ubuntu 18

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I have the below in a cron job that runs every 80 days:
/usr/bin/certbot renew

This month was the first time I had to renew, and saw the cron output. I guess I am needing help with auth-hooks? Additionally, this is all just to sync iPhones to a local CalDAV/CardDAV server, so none of this is public. Is there a better method or a way to actually non-interactively auto-renew? Thank you.

Hi @DigiAngel

It does matter. If you have a publicly visible website, you can use http-01 validation.

So it looks like you use dns-01 validation, but you don't have a DNS provider with a supported API.

So you have to create the required TXT entries manually -> that doesn't work with the non-interactive renew.

Check

and check, if you can switch to http-01 validation.


Thank you…I tried DNS validation and that was large fail…it did not appear to ever get propagated out (thanks GoDaddy :( ). I could see the token in the panel, but every time I ran certbot it didn’t see it. I suspect that certbot gets cached DNS information, which won’t have the new token. I even tried running certbot with DNS, getting the token, pushing the token to DNS with the command still open (ran it in screen ;) ) and then hoped the token would propagate out…but the command timed out sadly :(

So that being said in order to get this to work I had to open up a firewall to port 80 to initially get the cert, which I had to do this round as well via command line. So I can easily script the firewall to open port 80, renew the cert, and then close the firewall, but it looks like the token is unique every time? I’m just not sure how to do this automatically. Thanks again.

The solution is simple.

Open your firewall permanently.

The firewall part is easy…it’s the renew part I’m stuck with ;) How do I renew non-interactively? Does a non-interactive renew require a token as well?

There you find the answer:

So please read the basics:

So here’s what I “think” will work. After apt-get install python3-certbot-apache (which I didn’t have installed) I believe that this will work nicely:

<firewall open and redirect script>
/usr/bin/certbot renew --apache --webroot /var/www/html/ -n -d domain
<firewall close and redirect script>

Sadly the provided Challenge types (which I’d reviewed several times), and the How It Works links don’t actually give instructions on HOW to actually do what I needed to do. This link however provided what I hope will work:

https://github.com/certbot/certbot/issues/3854

As a complete side note Juergen, I always find coming to forums interesting, especially open source ones. The category we’re in right now is Help. I usually see…roughly three types of folks in forums…those who have questions and need help…those who are helpers (actively giving examples, code snippets, screenshots, howto’s, etc…) and those who wish to teach (theory, overview, high level).

I suspect my post was viewed as “here’s another person who failed to read the documentation”…and maybe I missed something along the way, but if I take the trouble and time to register for a forum, chances are good I need help…not teaching.

Food for thought. Sadly this thread will auto-close after 30 days, so I’ll try and remember to post my results in a little less than three months. If only Apple had continued to support self-signed certs for CalDAV/CardDAV…sigh…oh well :)
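
The cron failure in the first post can be caught before a certificate comes due by checking each renewal config for the manual plugin without an auth hook. The script below is an added example, not part of the thread or of certbot; it assumes the renewal files use the keys `authenticator` and `manual_auth_hook`, and the sample files and hook path are constructed.

```shell
#!/bin/sh
# Added example: find certbot lineages that will fail unattended renewal.

# Print the value of KEY ($1) in renewal config FILE ($2); empty if absent.
conf_value() {
    awk -v k="$1" '{
        i = index($0, "="); if (!i) next
        key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
        if (key == k) {
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }
    }' "$2"
}

# List lineages in DIR ($1) that use the manual plugin with no auth hook.
manual_without_hook() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        auth=$(conf_value authenticator "$conf")
        hook=$(conf_value manual_auth_hook "$conf")
        # "None" is treated as unset (defensive assumption).
        if [ "$auth" = "manual" ] && { [ -z "$hook" ] || [ "$hook" = "None" ]; }; then
            basename "$conf" .conf
        fi
    done
}

# Constructed sample renewal directory; the hook path is hypothetical.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = manual\npref_challs = dns-01,\n' > "$d/domain.conf"
    printf '[renewalparams]\nauthenticator = manual\nmanual_auth_hook = /usr/local/bin/dns-auth.sh\n' > "$d/hooked.conf"
    printf '[renewalparams]\nauthenticator = apache\ninstaller = apache\n' > "$d/web.conf"
    echo "$d"
}

sample=$(make_sample_dir)
manual_without_hook "$sample"   # prints: domain
rm -rf "$sample"
```

On a real host, call `manual_without_hook /etc/letsencrypt/renewal` as root; any name it prints will hit the PluginError above when cron runs `certbot renew`.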
