Certbot-auto renew fail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: phonekeeper.kr,*.phonekeeper.kr,safebilling.co.kr,*.safebilling.co.kr

I ran this command:
I ran “certbot-auto certonly --manual -d phonekeeper.kr,*.phonekeeper.kr,safebilling.co.kr,*.safebilling.co.kr”
on May 26, 2020 and installed the SSL certificate.

And then I ran “certbot-auto renew” on August 3, 2020 for renewal.

It produced this output:
[root@PROD_PKWEB1 system]# certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/safebilling.co.kr.conf


Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (safebilling.co.kr) from /etc/letsencrypt/renewal/safebilling.co.kr.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/safebilling.co.kr/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/safebilling.co.kr/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
apache 2.4

The operating system my web server runs on is (include version):
centos-release-7-4.1708.el7.centos.x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
use linux shell command

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.6.0

Hi @kyuyoung

Please read your error message. You have used --manual, so you can't use renew without an additional script. Use --manual again.

I don't know what you are doing, I don't know your configuration. So I don't know what happens if you use that command.

Please read a lot of required basics:

Hi @kyuyoung,

It is fine to renew your certificate interactively by repeating the certonly command. Make sure that the list of domains you specify there is exactly the same as the original.

With wildcard names, automated or unattended renewal (which is what certbot renew is aimed at) can’t be achieved unless you have a DNS API to allow Certbot or another ACME client to update your DNS records from software. DNS record changes are required for wildcard certificate issuance, including for issuing certificates as a renewal of an old wildcard certificate. certbot renew refuses to try to perform renewals when they require any step that involves human intervention, which is always true for DNS record changes unless you have a script or Certbot plugin that can make these changes entirely from software. (Many people do successfully use Certbot that way, but it depends on your DNS provider.)

Your old certificate never needs to be revoked unless it becomes inaccurate or its private key is compromised. New certificates don’t contradict old certificates; they can, and should, have overlapping validity.
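
As an added example (not part of the replies above and not Certbot's own code), this Python script reads the saved renewal configuration files and lists the lineages that `certbot renew` would skip for the reason in the error above: `authenticator = manual` with no `manual_auth_hook` saved. The sample file content and the function names are constructed for illustration; the default directory is the one shown in the output above.

```python
"""List Certbot lineages that `certbot renew` cannot renew unattended."""
import pathlib

# Constructed sample in the layout of /etc/letsencrypt/renewal/<name>.conf.
# The name, paths and account ID are placeholders, not values from the thread.
SAMPLE_CONF = """\
version = 1.6.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
"""


def renewal_params(text):
    """Return the key/value pairs of the [renewalparams] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "renewalparams" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def needs_human(text):
    """True when the lineage uses the manual plugin with no auth hook saved."""
    p = renewal_params(text)
    hook = p.get("manual_auth_hook", "")
    return p.get("authenticator") == "manual" and hook in ("", "None")


def audit(renewal_dir="/etc/letsencrypt/renewal"):
    """Return names of lineages that unattended renewal cannot handle."""
    confs = sorted(pathlib.Path(renewal_dir).glob("*.conf"))
    return [c.stem for c in confs if needs_human(c.read_text())]


if __name__ == "__main__":
    print(audit() or "no manual lineages without an auth hook")
```

Any lineage it prints has to be renewed interactively by repeating the original `certonly --manual` command, or reconfigured with a DNS plugin or hook script as described in the reply above.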
