Autorenewal of --manual certificates (dns-challenge)

I run the following command for a Let's Encrypt certificate:
sudo certbot -d sub-domain.com --manual --preferred-challenges dns certonly

The dns-challenge is essential in order to receive the certificate. After setting up everything (TXT record, etc.), it seems to work, but I get this message:

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

I googled around but couldn't find an answer on how to solve this. How can I achieve autorenewal for this certificate? I mean sure, I can use --manual-auth-hook, but what parameter/script should I enter afterwards?

The difficulty with --manual and manually editing DNS records is that Certbot needs to be able to perform that same task automatically.

You need an authentication script which will automatically do the equivalent steps of logging into your DNS provider and adding the required TXT records, at every renewal.

How to do that largely depends on who your DNS provider is and how easy they make that process. See also: DNS providers who easily integrate with Let's Encrypt DNS validation.

Here are some things to consider:

  • Do you really need to use DNS validation? Sometimes, the answer is yes. But it's worth thinking about whether there is a simpler way to get a Let's Encrypt certificate.
  • If you are using DNS validation because you want a wildcard certificate, reconsider whether a non-wildcard certificate with multiple names on it would also work. They are much simpler to obtain.
  • Can you move to a DNS host for which an integration already exists in an ACME client, like Certbot or acme.sh or lego or something else?
2 Likes

The webserver is hosted behind a firewall and is only reachable from a specific IP address. So I guess I need the DNS challenge. What do you think?
I don't want or need a wildcard certificate. The certificate is for sub.domain.com and not *.domain.com or similar. My DNS provider is AWS (Route 53).

It's weird, I remember doing the same for another service on my side. Again, the DNS host was Route 53 and the webserver was behind a VPN. I did the same steps with the dns-challenge and I didn't get this autorenewal warning message.

You can use the DNS challenge for non-wildcard certificates as well as wildcards.

It works the same way. You just don't add the wildcard domain to the request.

But you need to use the route53 plugin instead of --manual

2 Likes

I added this warning message to Certbot relatively recently (1.16, June 2020), because users keep stumbling upon this --manual autorenewal confusion, but only when their certificate was expired. It's possible you were using an older version of Certbot before.

So, this is convenient. You can use certbot-dns-route53 and everything will be automated.

If you installed Certbot using snap or pip, it will be simple to install the plugin. Not sure what distro you are using.

3 Likes

I am using Ubuntu 20.04, and I also already installed
pip install certbot_dns_route53

Should this be fine, or what would be the next step?
sudo certbot certonly --dns-route53 -d 'sub.domain.com'

Actually, I'm not sure about that: if I ask for www.example.com, on what label do I validate?

_acme-challenge.example.com

or

_acme-challenge.www.example.com

?

Did you install Certbot using apt, pip, or snap? How you should install the plugin will vary based on that.

You will first need to give your server either an IAM Role, or set up credentials, to give Certbot access to the Route53 APIs required. See the documentation.

1 Like

I installed certbot like this sudo apt install -y Python-certbot-apache.

But before I set up the credentials/API stuff in Route 53, another question: Is it possible to change the renewal time from 3 months to 12 months somehow with the command I used to create a certificate?

Let's Encrypt only offers certificates with a validity of 90 days. Other (free) CAs might offer other validities though.

Then you should also install the certbot-dns-route53 plugin using apt.

4 Likes

Right. On Ubuntu, this would be:

sudo apt install python3-certbot-dns-route53
2 Likes

OK, but somehow the Route 53 documentation is a bit confusing.

* Using the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
* Using a credentials configuration file at the default location, `~/.aws/config` .
* Using a credentials configuration file at a path supplied using the `AWS_CONFIG_FILE` environment variable.

Example credentials config file:

[default] 
aws_access_key_id=AKIAIOSFODNN7EXAMPLE 
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

I installed sudo apt install python3-certbot-dns-route53 and created my API keys in Route 53. But what next? There is no ~/.aws/config, do I have to create this myself with the given content and after that run

certbot certonly \
  --dns-route53 \
  -d sub.domain.com

?

That's one of the three options. You can choose any one of the three options provided in the documentation.

Using a configuration file is probably the easiest way with regard to cronjobs or systemd timers. Note that it should be in the home directory of the user running Certbot, i.e., root (usually).

1 Like
user@webserver:/var/www/webserver$ sudo certbot certonly --dns-route53 -d sub.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-route53, Installer None
Attempting to parse the version 1.26.0 renewal configuration file found at /etc/letsencrypt/renewal/sub.domain.com.conf with version 0.40.0 of Certbot. This might not work.
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sub.domain.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub.domain.com/privkey.pem
   Your cert will expire on 2022-07-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

So I guess that's it? Any chance to verify the autorenewal?

Yes, it's important that you test this with --dry-run, because that will confirm whether renewal will actually work or not.

Due to some technical reasons, doing a force-renewal like you tried just now is not an accurate test.

Try:

sudo certbot renew --cert-name sub.domain.com --dry-run
2 Likes

Ok, thanks, but it's not working:

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-route53, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for sub.domain.com
Cleaning up challenges
Attempting to renew cert (sub.domain.com) from /etc/letsencrypt/renewal/sub.domain.com.conf produced an unexpected error: Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/sub.doamin.com/fullchain.pem (failure)

What I did so far:

1. created API key / secret API key in Route 53
2. mkdir ~/.aws
3. created file in ~/.aws called config with this content:
[default]
aws_access_key_id=my_key
aws_secret_access_key=my_secret_key
4. certbot certonly --dns-route53 -d sub.domain.com

In Route 53 I see "last used: N/A" for this API key. The API key is activated.

1 Like

Make sure that ~/.aws/config is /root/.aws/config, not /home/user/.aws/config!

Since Certbot will run and renew as root, it will search in root's home directory.

2 Likes
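An added pre-flight check (example code written for this thread, not from Certbot or any poster) that covers the two points raised above: the renewal conf must name dns-route53 as the authenticator, and the credentials file must live in the home directory of the user that actually runs renewal (root for the systemd timer, hence /root/.aws/config) and must not be readable by other users, since it holds a long-lived AWS secret. The renewal conf path, the sample conf and the sample credentials are constructed assumptions.

```shell
#!/bin/sh
# Pre-flight check for a certbot-dns-route53 renewal (added example, not Certbot's own code).
# Assumed layout: renewal conf under /etc/letsencrypt/renewal/<name>.conf with a
# [renewalparams] section, credentials in <home>/.aws/config of the renewing user.

# Print the authenticator set in the [renewalparams] section of a renewal conf.
renewal_authenticator() {
    sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# creds_ok HOME: 0 if HOME/.aws/config exists, is private (no group/other bits)
# and contains an access key id; non-zero with a reason otherwise.
creds_ok() {
    f="$1/.aws/config"
    [ -f "$f" ] || { echo "missing $f (is this the home of the renewing user?)"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
    case "$mode" in
        *00) ;;
        *) echo "$f is mode $mode; expected 600"; return 2 ;;
    esac
    grep -q '^aws_access_key_id' "$f" || { echo "no aws_access_key_id in $f"; return 3; }
}

# preflight CONF HOME: fail early if the cert is not set up for dns-route53 or if
# the credentials the plugin will look for are missing or readable by others.
preflight() {
    auth=$(renewal_authenticator "$1")
    [ "$auth" = "dns-route53" ] || { echo "authenticator is '$auth', not dns-route53"; return 1; }
    creds_ok "$2"
}

# Constructed fixture so the script runs offline. In real use call e.g.
#   preflight /etc/letsencrypt/renewal/sub.domain.com.conf /root
# and, if it passes, run: certbot renew --cert-name sub.domain.com --dry-run
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/.aws"
    printf '[renewalparams]\nauthenticator = dns-route53\n' > "$d/sub.domain.com.conf"
    printf '[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\naws_secret_access_key=EXAMPLE\n' \
        > "$d/home/.aws/config"
    chmod 600 "$d/home/.aws/config"
    preflight "$d/sub.domain.com.conf" "$d/home" && echo "preflight ok"
    rm -rf "$d"
}
demo
```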

Ah, sudo and actual root are different users.

To add on that, I don't know what user is running the systemd timers.

OK, I guess that was the problem.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sub.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Credentials found in config file: ~/.aws/config
Plugins selected: Authenticator dns-route53, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for sub.domain.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/sub.domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/sub.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

thanks!

3 Likes
