Automate renewal for Let's Encrypt Certificate


#1

I have generated a Let's Encrypt SSL certificate and applied it to my AWS ELB using the manual method, authenticating with a TXT record. Now I am in a situation where I need to renew the same certificate automatically by running a cron job, and it's not working.
It is throwing the error below.

My domain is: betterplace.co.in

I ran this command:
sudo /opt/certbot/certbot-auto renew
It produced this output:
/etc/letsencrypt/live/betterplace.co.in/fullchain.pem expires on 2018-10-21 (skipped)
No renewals were attempted.

My web server is (include version): AWS ELB

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes


#2

Is your computer’s clock set to the proper time? What’s the output of date?

If your computer’s clock is right, could you post the full output from your renew command?


#3

Hi schoen,
Thanks for your response; the time is correct.
This is my cron job entry:
43 19 * * * sudo /opt/certbot/certbot-auto renew --text >> /opt/certbot/certbot-cron.log

Below is the output in /opt/certbot/certbot-cron.log:
[screenshot: Let's Encrypt output]

I also ran the command below and have included the output:
cat /etc/letsencrypt/renewal/betterplace.co.in.conf

renew_before_expiry = 30 days

version = 0.26.1
archive_dir = /etc/letsencrypt/archive/betterplace.co.in
cert = /etc/letsencrypt/live/betterplace.co.in/cert.pem
privkey = /etc/letsencrypt/live/betterplace.co.in/privkey.pem
chain = /etc/letsencrypt/live/betterplace.co.in/chain.pem
fullchain = /etc/letsencrypt/live/betterplace.co.in/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
account = 1155cda8f9bac50f06e31077f23273a8
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

Please help me automate this; that would be very helpful to me.


#4

For more clarity, here is the full cron output:
To: root@ip-10-0-3-145.ap-south-1.compute.internal
Subject: Cron root@ip-10-0-3-145 sudo /opt/certbot/certbot-auto renew --text >> /opt/certbot/certbot-cron.log
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=3926>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: 20181005072903.6BBF380EF44@ip-10-0-3-145.ap-south-1.compute.internal
Date: Fri, 5 Oct 2018 12:59:03 +0530 (IST)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (betterplace.co.in) from /etc/letsencrypt/renewal/betterplace.co.in.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/betterplace.co.in/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)


#5

This is correct. It looks like you obtained your certificate with --manual; since no user interaction is possible from cron, you need to find a way to script your certificate renewals so that they won’t require user interaction.

Why did you choose to use --manual originally and how did you complete the authentication steps requested by the CA?


#6

This is the first time I have generated a certificate via Let's Encrypt, and I was not aware that this kind of renewal problem would come up in the future.
Also, we are planning to deploy the certificate on multiple AWS application load balancers, since only one ACM certificate is free.
I got the certificate by authenticating with a DNS TXT record on my domain name (betterplace.co.in); the record came from my GoDaddy domain control panel.
Please let me know what would be the best way to automate this same renewal and change the license type from --manual to a different type.
Also, kindly suggest which method would be suitable for renewing and permanently avoiding these kinds of problems again.
This was my exact requirement when I generated the certificate:
I need Let's Encrypt certificates which I am going to use for AWS ELBs.


#7

Do you have access to an API that can be used to update your DNS records from software?


#8

Are you sure about that? My understanding is that all ACM managed certificates are free. The AWS free tier includes 750 hours of ELB per month for the first 12 months, which would cover one ELB but not two - but that’s true regardless of where you get the certificates from.


#9

I don't want to use the --manual method for Let's Encrypt certification, since I am not able to automate the license renewal of the same certificate.
So my requirement is to create a Let's Encrypt certificate for my AWS ELB. What method would be the best for creating certificates for my AWS ELBs with my domain names (*.betterplace.co.in), with the option of automating renewal? It's a kind of wildcard certificate which I need to create here.


#10

Yes schoen, I got the API key and secret key for my domain at GoDaddy. Now how could I renew the wildcard certificates which I created with the --manual method?


#11

Certbot doesn't directly support GoDaddy's DNS API. You could use one of the third-party Certbot methods that people have mentioned on the forum:

https://community.letsencrypt.org/search?q=godaddy%20certbot%20dns

or use acme.sh instead of Certbot.

This is just meant to answer your question about automated renewal using GoDaddy’s DNS API, not to resolve the other question about AWS ELB (since I’m not familiar with the ELB certification options).
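The thread stops at "script it or use acme.sh", so here is what scripting it looks like in practice. The error in #4 names the mechanism: the manual plugin renews non-interactively only when it has a --manual-auth-hook (and normally a --manual-cleanup-hook) that writes and removes the _acme-challenge TXT record itself. The hook below is an added example written for this page, not code from the thread, from Certbot or from GoDaddy. It assumes the env var names GODADDY_KEY, GODADDY_SECRET, GODADDY_ZONE and DNS_PROPAGATION_SECONDS, and it assumes two GoDaddy endpoints: PATCH /v1/domains/{zone}/records to append records and DELETE /v1/domains/{zone}/records/TXT/{name} to remove them, authenticated with an "sso-key KEY:SECRET" header. Check those against GoDaddy's current API documentation before relying on them. The one detail worth learning from it is why PATCH and not PUT: a certificate for both betterplace.co.in and *.betterplace.co.in needs two TXT records at the same name, _acme-challenge.betterplace.co.in, and a replace-style PUT on the second challenge would wipe the first token before Let's Encrypt validates it.

```python
#!/usr/bin/env python3
"""Certbot dns-01 auth/cleanup hook for GoDaddy DNS (added example, not from the thread).

Certbot calls the auth hook once per name with CERTBOT_DOMAIN, CERTBOT_VALIDATION and
CERTBOT_REMAINING_CHALLENGES set, then the cleanup hook once per name after validation.
Assumed (not from the thread): env vars GODADDY_KEY, GODADDY_SECRET, GODADDY_ZONE,
DNS_PROPAGATION_SECONDS and the two GoDaddy endpoints used in auth()/cleanup().
"""
import json
import os
import sys
import time
import urllib.error
import urllib.request

API_BASE = "https://api.godaddy.com"  # assumed GoDaddy production API base
TTL = 600                             # assumed: GoDaddy's minimum TTL for TXT records


def acme_record_name(domain: str, zone: str) -> str:
    """TXT record name relative to the zone.

    Certbot passes the wildcard's base name ('betterplace.co.in' for
    '*.betterplace.co.in'); a leading '*.' is stripped defensively anyway, so the
    apex and the wildcard map to the same record name, '_acme-challenge'.
    """
    domain = domain.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if domain.startswith("*."):
        domain = domain[2:]
    if domain == zone:
        return "_acme-challenge"
    if not domain.endswith("." + zone):
        raise ValueError(f"{domain} is not inside zone {zone}")
    return "_acme-challenge." + domain[: -(len(zone) + 1)]


def txt_record(name: str, validation: str) -> dict:
    """One record object in the shape the (assumed) GoDaddy API expects."""
    return {"type": "TXT", "name": name, "data": validation, "ttl": TTL}


def godaddy_call(method: str, path: str, body=None) -> int:
    """Authenticated API request; returns the HTTP status. 4xx/5xx raise HTTPError,
    which makes the hook exit non-zero so Certbot fails the challenge loudly."""
    key, secret = os.environ["GODADDY_KEY"], os.environ["GODADDY_SECRET"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", f"sso-key {key}:{secret}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def _zone_and_name():
    zone = os.environ.get("GODADDY_ZONE", os.environ["CERTBOT_DOMAIN"])
    return zone, acme_record_name(os.environ["CERTBOT_DOMAIN"], zone)


def auth() -> int:
    zone, name = _zone_and_name()
    # PATCH appends. A PUT on /records/TXT/{name} would replace every TXT record at
    # that name and destroy the apex token while the wildcard token is being written.
    godaddy_call("PATCH", f"/v1/domains/{zone}/records",
                 [txt_record(name, os.environ["CERTBOT_VALIDATION"])])
    # Wait for propagation only after the last record is in place, so a two-name
    # certificate waits once rather than once per challenge.
    if os.environ.get("CERTBOT_REMAINING_CHALLENGES", "0") == "0":
        time.sleep(int(os.environ.get("DNS_PROPAGATION_SECONDS", "60")))
    return 0


def cleanup() -> int:
    zone, name = _zone_and_name()
    # Cleanup runs after validation, so deleting every TXT record at this name is
    # safe; the second call for a shared name finds nothing and gets a 404.
    try:
        godaddy_call("DELETE", f"/v1/domains/{zone}/records/TXT/{name}")
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
    return 0


def main(argv) -> int:
    if argv[:1] == ["auth"]:
        return auth()
    if argv[:1] == ["cleanup"]:
        return cleanup()
    print("usage: godaddy_hook.py auth|cleanup", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Install it executable (for example as /opt/hooks/godaddy_hook.py, an assumed path), export the credentials in the cron environment rather than on the command line, and re-issue once with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/opt/hooks/godaddy_hook.py auth" --manual-cleanup-hook "/opt/hooks/godaddy_hook.py cleanup" -d betterplace.co.in -d '*.betterplace.co.in'`. Certbot records the hook paths in /etc/letsencrypt/renewal/betterplace.co.in.conf, so the existing `certbot-auto renew` cron entry then runs unattended instead of failing as in #4. Keep the API secret out of the crontab line itself, since the cron mail in #4 shows the command echoed back in clear text. If you would rather not maintain a hook, acme.sh ships a GoDaddy module: with GD_Key and GD_Secret exported, `acme.sh --issue --dns dns_gd -d betterplace.co.in -d '*.betterplace.co.in'` does the same TXT dance itself. Either way, the renewed files still have to be pushed to the load balancer after each renewal (Certbot's --deploy-hook is the place for that step); as #11 says, that part is a separate question.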


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.