Autorenew domain on GoDaddy (no CPanel)

Hi,
I generated 3 certificates for my test sistes in this way:

certbot certonly --manual --preferred-challenge=dns --email emailadmin@mydomain.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d mydomain.com -d site1.mydomain.com -d site2.mydomain.com -d site3.mydomain.com

I manually created the three TXT record on DNS (the DNS is managed by GoDaddy)
The three certificates works correctly.

Now I need to update them, but, when I run this command I received an error:
certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OCSP check failed for /etc/letsencrypt/archive/mydomain.com/cert1.pem (are we offline?)
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

this is my renewal config file: vim /etc/letsencrypt/renewal/mydomain.com.conf

# renew_before_expiry = 30 days
version = 1.7.0
vim /etc/letsencrypt/renewal/mydomain.com.conf
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f......................................................7
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
manual_public_ip_logging_ok = True

How can I resolve my problem?
Thanks for the support.
Marco

2 Likes

Welcome to the Let's Encrypt Community, Marco :slightly_smiling_face:

The renew function of certbot is automated/non-interactive by default and thus requires scripts to update/cleanup the TXT records.

Try using the following command instead of certbot renew:
certbot certonly --cert-name mydomain.com --manual --preferred-challenges dns -d "mydomain.com,site1.mydomain.com,site2.mydomain.com,site3.mydomain.com" --keep

2 Likes

Also be aware that every time certbot runs it will generate a new set of TXT records that must replace any previous ones (and DNS must synchronize) before a successful completion can be achieved.

1 Like

Hi Griffin,
thank you so much for your reply.

If I understood, I can't automatize the renew because for the DNS managed by GoDaddy is not possible to generate automatically the TXT?

Can I use another way to automate it?

1 Like

Hi,
thank you for your reply.
Can I use another way to automate it (use another sciprt/tool)

1 Like

If your DNS service provider supports updates via API, there are plenty of ACME clients that can be automated to do so.

1 Like

Hi, thanks.
I'm not sure but I think no.
My DNS service is GoDaddy (www.godaddy.com)
If doesn't it support API, how can automate renew?
Is it possible, too?

1 Like

If your renewal is via DNS authentication, and your DNS service provider doesn't support updates via API, then you can't automate using that method.
You would have to change DNS service providers OR switch authentication method.
But if you are requesting a wildcard cert, then you can't switch authentication method; as that requires DNS authentication.

1 Like

How many renew methods are there?

1 Like

Three: DNS, HTTP, TLS-ALPN

1 Like

Hi, thanks a lot.
Do you have a link for these three methods, please?

1 Like

You should start here with these:


You can also review available documentation here:

But to specifically answer that one question, read this:
https://letsencrypt.org/docs/challenge-types/

1 Like

Thanks a lot for your support

2 Likes

Are you using a wildcard (*.) domain name in your certificate?

1 Like

No I'm not using a wildcare certificare, but only single certificate (es: site1.mydomain.com)

1 Like

Then if you can use HTTP authentication, it should make the automation much easier.

1 Like