Certbot auto renew issue

My domain is:

cmsmesh.com-0001.conf content :
Options used in the renewal process
account = abc........
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
manual_public_ip_logging_ok = True

I ran this command:
sudo certbot renew --dry-run --nginx
It produced this output:

Processing /etc/letsencrypt/renewal/cmsmesh.com-0001.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (cmsmesh.com-0001) from /etc/letsencrypt/renewal/cmsmesh.com-0001.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cmsmesh.com-0001/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cmsmesh.com-0001/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)
My web server is (include version):
nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

The following certificate options (mainly the pref_challs setting), set when you first got the certificate:

is not compatible with the:

option. Because the nginx authenticator does not provide the dns-01 challenge.

When I check the certificates for your domain at crt.sh | cmsmesh.com I can see three certs: a non-wildcard due for renewal and a wildcard cert due for renewal and one which is just renewed.

My question to you would be: which one did you want to renew? The wildcard certificate or the non-wildcard certificate? But it seems you already managed to (manually?) renew your wildcard certificate.

Thanks for your response.

yes, i have done via this command :

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --debug-challenges -d cmsmesh.com -d *.cmsmesh.com

My question is, by using the hook that's mean the auto-renew will also works?

Thank you

1 Like

Yes, using the hook enables certbot to auto-renew using the manual plugin. That said, I don't see a --manual-cleanup-hook which is required to delete the TXT records which were added using the --manual-auth-hook. Does that script acme-dns-auth.py also have the ability to delete the TXT records once they aren't necessary any longer? Or is that not required when using acme-dns? (I have no idea..)

1 Like

In fact i pursued this tutorial https://cloudness.net/certbot-dns-challenge/, and sorry i don't have any idea about --manual-cleanup-hook.

So the auto-renew will be launched by pre-installed cron task /etc/cron.d/certbot right?
Tell me if i'm doing something wrong.

Thank you

1 Like

I think you can forget about that cleanup hook. I don't see anything related to that hook on the Github README pages of acme-dns nor that of acme-dns-certbot (the script you're using). So perhaps it isn't required for acme-dns.

It depends on the method you've used to install certbot if there's such a cron task installed or not. For example, on Gentoo there is no such pre-installed cronjob.

1 Like

Thank you for your help.

I see, i'm using ubuntu, and /etc/cron.d/certbot is there, so i hope that i'm doing the right things.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.