CentOS 7 - creation of certificate = OK, how to set up autoupdate now?

I have created my working config for CentOS 7 and pointed all the applications to the letsencrypt .pem certificates/keys. Authentication is done via DNS. I’m now in the position where I would like to update automatically. I have a domainname.conf file under renewal.
However when I attempt a certbot renew --dry run I get:

usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: run

So I’m unsure what parameters to pass to have my system just updated with the current settings.

Also I have 2x domain defined (+ 2x wildcard references) however I don’t see them recorded in the automatically generated /renewal/domainname.conf

Am I missing anything?
Thanks!

Hi @wellloaded

If you have used dns-01 validation, what's the complete command you used?

With the --manual option you can't renew certificates automatically. Your DNS provider must support an API, and Certbot must support that API.

What's the content of your conf files?

Original command:

certbot certonly --manual --preferred-challenges dns -d *.moreale.net -d moreale.net -d *.pilatesfitness.co.uk -d pilatesfitness.co.uk

Content of the renew/moreale.net.conf

# renew_before_expiry = 30 days
version = 0.34.2
archive_dir = /etc/letsencrypt/archive/moreale.net
cert = /etc/letsencrypt/live/moreale.net/cert.pem
privkey = /etc/letsencrypt/live/moreale.net/privkey.pem
chain = /etc/letsencrypt/live/moreale.net/chain.pem
fullchain = /etc/letsencrypt/live/moreale.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
account = 87193ae6982fb57e9a744965fa666f5b
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

Re-running the command certbot renew --dry I now get this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/moreale.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (moreale.net) from /etc/letsencrypt/renewal/moreale.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/moreale.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/moreale.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

P.S. I haven’t changed anything just re-run after 10 min.

It's --dry-run, with a hyphen between dry and run, not a space.

Certbot gets that information out of the certificates themselves, so the config file doesn't need to include it.

Right -- certificates issued using manual validation can't be renewed by "certbot renew". (And "certbot renew --dry-run" will display the same error that "certbot renew" would.)

You need to either automate DNS validation -- by using a DNS provider with an existing plugin or manual auth hook, or writing your own -- or stop using wildcards and DNS validation.

It is actually renew --dry-run I was using; it's just a copy/paste typo.

My current DNS provider is dyndns.org which, as I understand it, is not supported?

I could avoid using wildcards and add all the subdomains manually, I don’t mind. Would I have to delete the live folder, the content of csr and keys, and re-run the initial command with precise subdomain definition?

It's not officially supported by Certbot, anyway. :slightly_frowning_face: I don't know if there are any third-party integrations.

The ACME client acme.sh has a Dyn plugin, but I don't know if the plugin is currently maintained, or if it's compatible with all Dyn account types.

You don't have to delete anything first, but you do have to run a similar command to what you used to create the certificate. Something like:

sudo certbot --apache --cert-name moreale.net -d moreale.net -d www.moreale.net -d pilatesfitness.co.uk -d www.pilatesfitness.co.uk

With additional -d options for every other subdomain you want to include.

(I don't know if you're using Apache, or if the apache plugin would be best in your situation. It's just an example.)

Edit: This might be a good opportunity to move to a different DNS service:


Cool, thanks. I ran the command as advised with no wildcards and specific domains. Now my renewal/moreale.net.conf file looks like this:

/etc/letsencrypt/renewal# more moreale.net.conf
# renew_before_expiry = 30 days
version = 0.34.2
archive_dir = /etc/letsencrypt/archive/moreale.net
cert = /etc/letsencrypt/live/moreale.net/cert.pem
privkey = /etc/letsencrypt/live/moreale.net/privkey.pem
chain = /etc/letsencrypt/live/moreale.net/chain.pem
fullchain = /etc/letsencrypt/live/moreale.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
account = 87193ae6982fb57e9a744965fa666f5b
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache

I read what you wrote, but I’m still unclear on what are the auto-update restrictions here. Is DNS still an issue now that I have switched to apache?

P.S. I will look into a new DNS service however it needs to support dynamic. Any tip/preference?

Thanks!!


If you use the apache authenticator, you don't use dns-01 validation. Instead, you use http-01 validation.

So a running webserver is enough.

PS: So you don't need a new dns provider.

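The two answers above come down to one rule Certbot applies at renewal time: the manual authenticator cannot run non-interactively unless a manual_auth_hook is recorded, while the apache (http-01) authenticator needs nothing beyond a running web server. The following is an added example, not part of this thread and not Certbot's own code: a small audit that parses renewal confs in the format posted above and flags the ones a cron job could not renew. The two sample confs are constructed, modelled on the manual and apache confs shown in the thread, with a placeholder account id; the set of "automatable" authenticators is an assumption of this script, not something Certbot exports.

```python
"""Audit Certbot renewal confs for configurations that cannot renew unattended.

Added example (not Certbot code). Certbot keeps one conf per certificate under
/etc/letsencrypt/renewal/. The [renewalparams] section records which
authenticator was used; 'manual' without a manual_auth_hook fails under
'certbot renew', which is exactly the PluginError seen in the thread.
"""
import configparser
import glob
import os
from typing import Dict, List

# Assumption: authenticators that renew without human interaction. The dns-*
# plugins are handled separately because their credentials live in their own
# file, not in the renewal conf.
AUTOMATABLE = {"apache", "nginx", "webroot", "standalone"}


def parse_renewal_conf(text: str) -> Dict[str, str]:
    """Return the [renewalparams] section of a renewal conf as a dict.

    Renewal confs start with bare key = value lines before any section header,
    which configparser rejects, so a throwaway [top] header is prepended.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[top]\n" + text)
    if "renewalparams" not in cp:
        raise ValueError("no [renewalparams] section")
    return dict(cp["renewalparams"])


def renewal_problems(params: Dict[str, str]) -> List[str]:
    """List reasons why 'certbot renew' would fail for these parameters."""
    auth = params.get("authenticator", "").strip()
    problems: List[str] = []
    if not auth:
        problems.append("no authenticator recorded")
    elif auth == "manual":
        if not params.get("manual_auth_hook"):
            problems.append(
                "manual authenticator without manual_auth_hook: "
                "cannot renew non-interactively"
            )
    elif auth.startswith("dns-"):
        pass  # DNS plugin: credentials are checked by the plugin itself
    elif auth not in AUTOMATABLE:
        problems.append(f"unrecognised authenticator {auth!r}; verify it is installed")
    return problems


def audit_directory(path: str = "/etc/letsencrypt/renewal") -> Dict[str, List[str]]:
    """Map each conf file name to its list of problems (empty list = OK)."""
    report: Dict[str, List[str]] = {}
    for conf in sorted(glob.glob(os.path.join(path, "*.conf"))):
        with open(conf, encoding="utf-8") as fh:
            report[os.path.basename(conf)] = renewal_problems(parse_renewal_conf(fh.read()))
    return report


# Constructed samples, modelled on the two confs posted in the thread.
MANUAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.34.2
archive_dir = /etc/letsencrypt/archive/example.net
fullchain = /etc/letsencrypt/live/example.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
account = <account-id-placeholder>
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
"""

APACHE_CONF = """\
version = 0.34.2
archive_dir = /etc/letsencrypt/archive/example.net
fullchain = /etc/letsencrypt/live/example.net/fullchain.pem

[renewalparams]
authenticator = apache
account = <account-id-placeholder>
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache
"""

if __name__ == "__main__":
    for name, text in (("manual", MANUAL_CONF), ("apache", APACHE_CONF)):
        problems = renewal_problems(parse_renewal_conf(text))
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as-is to see the two samples classified, or call audit_directory() on a real renewal directory before trusting a cron entry. Adding a manual_auth_hook line to the manual conf (which is what a working --manual-auth-hook run records) clears the problem, which matches the fix the thread arrives at by other means: switch to an authenticator that needs no hook.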

Great! After I switched to apache the --dry-run looks good now, e.g. no errors and a polite warning that it’s not time to update yet. So spot on!

I think I will still need to switch DNS provider for a different reason, e.g. my lifetime DynDNS membership is now marked as expiring May 2020, lol!

A very final question if I might: what is the best way to schedule this and how often? I have found somebody asking the same question but I know things change quickly so prefer to be sure. Would something like this be acceptable within the crontab?

43 3 * * 6 root certbot renew --renew-hook "systemctl reload httpd" --renew-hook "systemctl reload postfix" --renew-hook "systemctl reload dovecot" --renew-hook "systemctl restart assp" -q >> /var/log/certbot-renew.log | mail -s "CERTBOT Renewals" me@myemail.com < /var/log/certbot-renew.log

Many thanks again for the help! I really appreciate it :slight_smile:


It's a real pity that so many useful online services—for-profit and non-profit alike—have ended up disappearing so quickly. :frowning:

"All things are impermanent. Few things are more impermanent than the contents of sites on the World Wide Web." — Peter D. Junger (on a web site which went offline after he died in 2006)
