Autorenew domain on GoDaddy (no CPanel)

Hi,
I generated 3 certificates for my test sites in this way:

certbot certonly --manual --preferred-challenge=dns --email emailadmin@mydomain.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d mydomain.com -d site1.mydomain.com -d site2.mydomain.com -d site3.mydomain.com

I manually created the three TXT records on DNS (the DNS is managed by GoDaddy).
The three certificates work correctly.

Now I need to update them, but when I run this command I receive an error:
certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OCSP check failed for /etc/letsencrypt/archive/mydomain.com/cert1.pem (are we offline?)
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

This is my renewal config file: vim /etc/letsencrypt/renewal/mydomain.com.conf

# renew_before_expiry = 30 days
version = 1.7.0
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f......................................................7
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
manual_public_ip_logging_ok = True

How can I resolve my problem?
Thanks for the support.
Marco

Welcome to the Let's Encrypt Community, Marco 🙂

The renew function of certbot is automated/non-interactive by default and thus requires scripts to update/cleanup the TXT records.

Try using the following command instead of certbot renew:
certbot certonly --cert-name mydomain.com --manual --preferred-challenges dns -d "mydomain.com,site1.mydomain.com,site2.mydomain.com,site3.mydomain.com" --keep

Also be aware that every time certbot runs it will generate a new set of TXT records that must replace any previous ones (and DNS must synchronize) before a successful completion can be achieved.
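
A check for the failure shown in this thread, as an added example that is not part of the original posts or of certbot: it reads renewal files and reports every lineage whose authenticator is `manual` with no `manual_auth_hook`, the condition behind the PluginError above. The sample file is reconstructed from the posted config with a placeholder account ID, and treating a literal `None` as an unset hook is an assumption.

```python
import configparser
from pathlib import Path

# Constructed sample: the renewal file from the post above, shortened, with a
# placeholder where the account ID was elided.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 1.7.0
archive_dir = /etc/letsencrypt/archive/mydomain.com
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
manual_public_ip_logging_ok = True
"""


def audit_renewal_conf(text):
    """Return the reasons a lineage cannot renew unattended (empty if none)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # The file has keys before its first section header; give them a section.
    parser.read_string("[lineage]\n" + text)
    if not parser.has_section("renewalparams"):
        return ["no [renewalparams] section"]
    params = parser["renewalparams"]
    authenticator = params.get("authenticator", "").strip()
    hook = params.get("manual_auth_hook", "").strip()
    problems = []
    # Assumption of this example: a literal "None" means no hook is set.
    if authenticator == "manual" and hook in ("", "None"):
        problems.append("authenticator = manual without manual_auth_hook")
    return problems


def audit_renewal_dir(directory="/etc/letsencrypt/renewal"):
    """Map each renewal file name to its problems, keeping only failing ones."""
    report = {}
    for conf in sorted(Path(directory).glob("*.conf")):
        problems = audit_renewal_conf(conf.read_text())
        if problems:
            report[conf.name] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_renewal_dir().items():
        print(f"{name}: {'; '.join(problems)}")
```

Run it as root (the renewal directory is not world-readable on most installs) before the renewal window opens, so a lineage created with `--manual` is caught while the current certificate is still valid.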

Hi Griffin,
thank you so much for your reply.

If I understood correctly, I can't automate the renewal because, for DNS managed by GoDaddy, it is not possible to generate the TXT records automatically?

Can I use another way to automate it?

Hi,
thank you for your reply.
Can I use another way to automate it (use another script/tool)?

If your DNS service provider supports updates via API, there are plenty of ACME clients that can be automated to do so.

Hi, thanks.
I'm not sure, but I think not.
My DNS service is GoDaddy (www.godaddy.com).
If it doesn't support an API, how can I automate the renewal?
Is it possible, too?

If your renewal is via DNS authentication, and your DNS service provider doesn't support updates via API, then you can't automate using that method.
You would have to change DNS service providers OR switch authentication method.
But if you are requesting a wildcard cert, then you can't switch authentication method, as that requires DNS authentication.

How many renew methods are there?

Three: DNS, HTTP, TLS-ALPN

Hi, thanks a lot.
Do you have a link for these three methods, please?

You should start here with these:


You can also review available documentation here:

But to specifically answer that one question, read this:
https://letsencrypt.org/docs/challenge-types/

Thanks a lot for your support

Are you using a wildcard (*.) domain name in your certificate?

No, I'm not using a wildcard certificate, but only a single certificate (e.g. site1.mydomain.com)

Then if you can use HTTP authentication, it should make the automation much easier.

Hi @rg305
thank you for your reply.
Do you have any example, please?

Thanks Marco

If you have a web server use certbot with:
--preferred-challenge=http
--webroot -w /path/to/your/document/root

OR

If you don't have a web server use certbot with:
--standalone