Can't renew certificate for Google App Engine

My domain is: www.tunity.com/tunity.com

I ran this command: certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

2018-05-01 08:53:48,225:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/disco.py", line 130, in prepare
self._initialized.prepare()
File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/manual.py", line 118, in prepare
self.option_name('auth-hook')))
PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
2018-05-01 08:53:48,226:DEBUG:certbot.plugins.selection:No candidate plugin
2018-05-01 08:53:48,226:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2018-05-01 08:53:48,226:INFO:certbot.main:Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
2018-05-01 08:53:48,227:WARNING:certbot.renewal:Attempting to renew cert (tunity.com) from /etc/letsencrypt/renewal/tunity.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
2018-05-01 08:53:48,227:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/certbot/renewal.py", line 425, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1058, in renew_cert
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/selection.py", line 201, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/selection.py", line 297, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

2018-05-01 08:53:48,227:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-05-01 08:53:48,228:ERROR:certbot.renewal: /etc/letsencrypt/live/tunity.com/fullchain.pem (failure)
2018-05-01 08:53:48,228:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in
sys.exit(main())
File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1240, in main
return config.func(config, plugins)
File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1142, in renew
renewal.handle_renewal_request(config)
File "/usr/local/lib/python2.7/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)


Processing /etc/letsencrypt/renewal/tunity.com.conf

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (tunity.com) from /etc/letsencrypt/renewal/tunity.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tunity.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/tunity.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Google App Engine

I can login to a root shell on my machine (yes or no, or I don't know): no

It seems you initially set up the certificate using --manual
The manual process requires interaction on renewals.
This is from the docs:
--manual Obtain certificates interactively, or using shell script hooks
Have you verified the renewal process to have worked before?
Did it recently start failing or is this the first renewal?

This is the first renewal.
So how can I renew it? I tried to run certbot renew --manual and got the same error…

Hmmm…
How did you get the initial cert?

Show:
/etc/letsencrypt/renewal/tunity.com.conf

I ran certbot --manual certonly, manually entered the domain, and inserted the acme-challenge file into the website operated by Google App Engine.

This is the content:

# renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/tunity.com
cert = /etc/letsencrypt/live/tunity.com/cert.pem
privkey = /etc/letsencrypt/live/tunity.com/privkey.pem
chain = /etc/letsencrypt/live/tunity.com/chain.pem
fullchain = /etc/letsencrypt/live/tunity.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
account = 888888888888888888888888888888888
manual_public_ip_logging_ok = True

Also, the server where I manually created the certificate is the same server from which I’m trying to renew the certificate.

You can run the same command again to renew the certificate.

“certbot renew” only does things that are entirely automated – including “certbot certonly --manual” with a “--manual-auth-hook” – and refuses to handle manual certificates.

Can you move to one of the non-manual configurations? Why did you use manual mode originally?
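
A check for the condition described above, as an added example that is not part of the original thread and not certbot's own code: it parses a renewal file like the one posted here and reports a lineage that certbot renew cannot process unattended. The function names are hypothetical, and it assumes certbot records the hook under the key manual_auth_hook in [renewalparams].

```python
import configparser
from pathlib import Path

# Trimmed copy of the renewal file posted in this thread, embedded as sample input.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/tunity.com
cert = /etc/letsencrypt/live/tunity.com/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
manual_public_ip_logging_ok = True
"""

def parse_renewal_conf(text):
    """Parse a renewal file; keys before the first [section] are filed under 'top'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string("[top]\n" + text)
    return parser

def renewal_problem(text):
    """Return why 'certbot renew' cannot handle this lineage unattended, or None."""
    conf = parse_renewal_conf(text)
    if not conf.has_section("renewalparams"):
        return "no [renewalparams] section"
    params = conf["renewalparams"]
    auth = params.get("authenticator", "").strip()
    hook = params.get("manual_auth_hook", "").strip()  # assumed key name
    if auth == "manual" and hook in ("", "None"):
        return "authenticator = manual without manual_auth_hook"
    return None

def scan_renewal_dir(directory="/etc/letsencrypt/renewal"):
    """Map each *.conf file name in the directory to its problem (None if fine)."""
    return {p.name: renewal_problem(p.read_text())
            for p in sorted(Path(directory).glob("*.conf"))}

if __name__ == "__main__":
    # Uses the embedded sample so the script runs without access to /etc/letsencrypt.
    print("tunity.com.conf:", renewal_problem(SAMPLE_CONF) or "ok")
```

Running scan_renewal_dir() on the certbot host before the expiry window flags manual lineages while there is still time to switch authenticators or add a hook.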

Sorry, I did not understand your reply…
What do you mean by saying

  Can you move to one of the non-manual configurations?

And I used manual mode originally because the website is hosted on Google App Engine. I don't have access to the server where the website is served, so I had to manually create the certificate.

like using
--apache
--nginx
--dns
--standalone

I’m not sure if it is part of the problem, but the DNS for your domain seems a bit off.
In some cases it resolves to IPv4 addresses that are not responsive and some names fail to resolve via their IPv4 DNS servers.

You might want to try using the
--dns
method.

nslookup -q=ns tunity.com
tunity.com nameserver = ns73.domaincontrol.com
tunity.com nameserver = ns74.domaincontrol.com
ns73.domaincontrol.com internet address = 216.69.185.47
ns73.domaincontrol.com AAAA IPv6 address = 2607:f208:206::2f
ns74.domaincontrol.com internet address = 208.109.255.47
ns74.domaincontrol.com AAAA IPv6 address = 2607:f208:302::2f

nslookup www.tunity.com 216.69.185.47
Server: UnKnown
Address: 216.69.185.47
Name: www.tunity.com
<empty>

Sorry, but I don't really understand your reply.
I have an issue renewing the certificate, and moving the website to a different hosting or behind nginx/apache is not an option for me currently.

Even if you can’t, you could defer the /.well-known/acme-challenge/ validation requests to an alternate dedicated validation system.
Or use the --dns plugin method

Using the --dns plugin still gives me an error.
Let's Encrypt is supposed to work properly with Google’s App Engine service, as stated on their website. Probably they have not tested it on all use cases before releasing the blog post :confused:

From my perspective, it seems that most of the problem is being caused/controlled by the CDN provider.
I would have a talk with them about their best method/practice to get the results you're looking for.

According to this, Google App Engine has its own built-in certificate management functionality. Is there a particular reason you don't want to use that?

Thanks a lot!!
In the past we had some issues in verifying the domain ownership.
I tried again to verify ownership, succeeded, and changed the SSL certificate to be issued by Google.

@rg305 and @mnordhoff thanks for your replies and help!
