I have created my working config for CentOS 7 and pointed all the applications to the letsencrypt .pem certificates/keys. Authentication is done via DNS. I’m now in the position where I would like to update automatically. I have a domainname.conf file under renewal.
However when I attempt a certbot renew --dry run I get:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: run
So I’m unsure what parameters to pass to have my system just updated with the current settings.
Also I have 2 domains defined (+ 2 wildcard references), however I don’t see them recorded in the automatically generated /renewal/domainname.conf
Re-running the command certbot renew --dry I now get this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/moreale.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (moreale.net) from /etc/letsencrypt/renewal/moreale.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/moreale.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/moreale.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
P.S. I haven’t changed anything just re-run after 10 min.
It's --dry-run, with a hyphen between dry and run, not a space.
Certbot gets that information out of the certificates themselves, so the config file doesn't need to include it.
Right -- certificates issued using manual validation can't be renewed by "certbot renew". (And "certbot renew --dry-run" will display the same error that "certbot renew" would.)
You need to either automate DNS validation -- by using a DNS provider with an existing plugin or manual auth hook, or writing your own -- or stop using wildcards and DNS validation.
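The PluginError quoted above is certbot saying it has no way to publish the DNS-01 TXT record when it runs unattended. Below is an added example, not code from this thread or from certbot, of what a minimal --manual-auth-hook script looks like. Certbot really does export CERTBOT_DOMAIN and CERTBOT_VALIDATION into the hook's environment; everything else here is assumed: publish_txt is a placeholder that writes to a log file instead of calling a DNS provider's API, and ACME_RECORD_LOG, ACME_PROPAGATION_SECONDS and ACME_HOOK_AUTORUN are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or certbot): skeleton --manual-auth-hook
# so that "certbot renew" can complete DNS-01 validation non-interactively.
# Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION in the hook's environment.
# publish_txt is a placeholder: replace its body with your DNS provider's API
# call (the thread notes that dyndns.org has no certbot plugin).

# The DNS-01 challenge record lives at _acme-challenge under the validated name.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Placeholder publisher: logs what would be sent to the DNS API so the script
# runs offline. $1 = record name, $2 = TXT value (certbot's validation token).
publish_txt() {
    printf '%s TXT "%s"\n' "$1" "$2" >> "${ACME_RECORD_LOG:-/tmp/acme-records.log}"
}

manual_auth_hook() {
    if [ -z "${CERTBOT_DOMAIN:-}" ] || [ -z "${CERTBOT_VALIDATION:-}" ]; then
        echo "CERTBOT_DOMAIN and CERTBOT_VALIDATION must be set by certbot" >&2
        return 1
    fi
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    # Give resolvers time to see the record before Let's Encrypt queries it.
    sleep "${ACME_PROPAGATION_SECONDS:-30}"
}

# Run the hook only when certbot has set its variables; otherwise the file
# just defines the functions above.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ] \
    && [ "${ACME_HOOK_AUTORUN:-1}" = 1 ]; then
    manual_auth_hook
fi
```

The hook is registered once at issuance time with certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/this-script (plus a matching --manual-cleanup-hook that deletes the record), after which certbot stores it in the renewal .conf and "certbot renew" calls it without prompting. Keep the provider credentials the hook uses in a root-only file rather than in the script itself.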
It is actually renew --dry-run I was using, it's just a copy/paste typo.
My current DNS provider is dyndns.org which as I understand is not supported?
I could avoid using wildcards and add all the subdomains manually, I don’t mind. Would I have to delete the live folder, the content of csr and keys, and re-run the initial command with precise subdomain definition?
Great! After I switched to apache, the --dry-run looks good now, e.g. no errors and a polite warning that it’s not time to update yet. So spot on!
I think I will still need to switch DNS provider for a different reason, e.g. my lifetime DynDNS membership is now marked as expiring May 2020, lol!
A very final question if I might: what is the best way to schedule this and how often? I have found somebody asking the same question but I know things change quickly so prefer to be sure. Would something like this be acceptable within the crontab?
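As an added example (not a reply from the thread and not certbot's own code), here is the shape of an unattended renewal wrapper for cron. The assumptions are labelled in the comments: the apache plugin is in use as the poster switched to, the web server is httpd as on CentOS 7, and CERTBOT_BIN, LE_RENEW_RUN, MAX_DELAY_SECONDS and the script path in the crontab line are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper for unattended "certbot renew"
# called from cron. Assumed: apache plugin, httpd on CentOS 7, placeholder paths.
set -eu

CERTBOT_BIN="${CERTBOT_BIN:-/usr/bin/certbot}"   # placeholder path

# Random start offset so many hosts do not contact Let's Encrypt in the same
# second; /dev/urandom is read with od so this stays POSIX sh, not bash-only.
random_delay_seconds() {
    max="$1"
    raw=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( raw % max ))
}

# Command certbot runs only after a certificate was actually renewed, so the
# services reading the .pem files load the new key and chain.
deploy_hook_command() {
    echo "systemctl reload httpd"
}

run_renewal() {
    sleep "$(random_delay_seconds "${MAX_DELAY_SECONDS:-3600}")"
    "$CERTBOT_BIN" renew --quiet --deploy-hook "$(deploy_hook_command)"
}

# Crontab entry for root, twice a day as the certbot documentation suggests.
# "renew" only replaces certificates within 30 days of expiry, so the extra
# runs are cheap and leave several retries if Let's Encrypt is unreachable:
#   0 0,12 * * * LE_RENEW_RUN=1 /usr/local/sbin/le-renew.sh   (placeholder path)
if [ "${LE_RENEW_RUN:-0}" = 1 ]; then
    run_renewal
fi
```

The renewal is only actually attempted when LE_RENEW_RUN=1 is set (as in the crontab line), so running the file by hand just defines the functions; the --quiet flag keeps cron mail to real failures, which is what you want to see.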
It's a real pity that so many useful online services—for-profit and non-profit alike—have ended up disappearing so quickly.
"All things are impermanent. Few things are more impermanent than the contents of sites on the World Wide Web." — Peter D. Junger (on a web site which went offline after he died in 2006)