Certbot automatic certificate renewal process

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *smartbear.io

I ran this command: sudo certbot renew --dry-run

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/smartbear.io.conf


Simulating renewal of an existing certificate for *.smartbear.io

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: smartbear.io

Type: unauthorized

Detail: Incorrect TXT record "HFdXuFlYQtvvvv9R5aECIn7qSXQOdVVFZ0tC6H7zJeE" found at _acme-challenge.smartbear.io

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Failed to renew certificate smartbear.io with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/smartbear.io/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): openvpn server

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

sudo certbot --version

certbot 4.1.1

I have renewed the certificate manually; now I want to automate the process. How can I automate the renewal process on the existing certificate which was renewed manually?

Look at using the Route53 plugin for Certbot to automate your DNS Challenge

2 Likes

Thank you, Mike!

I have renewed the certificate manually and now it is valid for 90 days. But now I want to automate things with the existing certificate so that the next renewal is automatic. I am using a Let's Encrypt certificate.

Yes, I understand. Which is why I suggested the Route 53 plugin. Have you read the documentation I linked to? What specific questions do you have?

2 Likes

Yes, I have read it. I have questions:
1 - Will I have to run this command on the existing setup for the wildcard certificate?
certbot certonly --dns-route53 -d "*.example.com"

2 - Will it impact the existing configuration?

What was the original command you used to get your cert? Not the renew but the original.

Also, please show output of this

sudo certbot certificates

2 Likes

I had used the below mentioned command to renew the certificate manually.
sudo certbot certonly --manual \
  --preferred-challenges=dns \
  --email [redacted]@smartbear.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  -d "*.smartbear.io"

1 - certbot certificates output:
Certificate Name: smartbear.io
Domains: *.smartbear.io
Expiry Date: 2024-10-23 07:34:39+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/smartbear.io/fullchain.pem
Private Key Path: /etc/letsencrypt/live/smartbear.io/privkey.pem

1 Like

Then yes using this is correct

sudo certbot certonly --dns-route53 -d "*.smartbear.io"

It will get a new certificate and update your renewal config file so the Certbot renew works automatically

Follow the instructions to setup Route53 credentials first

2 Likes

Okay, cool! And once it is configured, how do I verify that auto renewal is working with the DNS plugin?

1 Like

Same as you did before

Ubuntu usually already has a systemd timer to run the renew. You can check if yours is set up correctly here: User Guide — Certbot 5.0.0.dev0 documentation

1 Like

Okay, I am getting the below error now:
sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/smartbear.io.conf


Failed to renew certificate smartbear.io with error: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')


All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/smartbear.io/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

root@ip-10-100-10-4:~#

What was the result of using Route53 plugin? Because it looks like that failed and so did not replace your manual renewal config

1 Like
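The error quoted above ("An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively") comes straight from the renewal config file that `certbot renew` reads: if `authenticator = manual` is still recorded there with no hook, every timer-driven run will fail the same way, and only a successful `certonly` with a different plugin rewrites it. The following is an added example, not certbot's own code, that audits those files for exactly this condition. The `[renewalparams]` key names (`authenticator`, `manual_auth_hook`, `pref_challs`) are the ones certbot writes; the file contents, account id and `example.io` paths in the samples are constructed.

```python
"""Added example (not certbot's own code): audit the renewal config files
that `certbot renew` reads and flag settings that break unattended renewal.
Sample config contents below are constructed."""
import sys
from pathlib import Path


def parse_renewal_conf(text):
    """Minimal parser for certbot's renewal .conf layout: top-level
    `key = value` lines followed by one or more `[section]` blocks."""
    data = {}
    section = data
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = data.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            section[key.strip()] = value.strip()
    return data


def audit_renewal(conf):
    """Return a list of problems; an empty list means `certbot renew`
    (and the systemd timer that runs it) has what it needs."""
    problems = []
    params = conf.get("renewalparams", {})
    auth = params.get("authenticator")
    if auth is None:
        problems.append("no authenticator set in [renewalparams]")
    elif auth == "manual" and not params.get("manual_auth_hook"):
        # Exactly the PluginError quoted in the thread: certbot cannot
        # prompt for a TXT record when it is started by a timer or cron.
        problems.append("authenticator = manual without manual_auth_hook; "
                        "non-interactive renew will fail")
    for key in ("cert", "privkey", "fullchain"):
        if key not in conf:
            problems.append(f"missing top-level path: {key}")
    return problems


def audit_directory(directory="/etc/letsencrypt/renewal"):
    """Audit every *.conf in a renewal directory; returns {name: problems}."""
    results = {}
    for path in sorted(Path(directory).glob("*.conf")):
        results[path.stem] = audit_renewal(parse_renewal_conf(path.read_text()))
    return results


# Constructed sample: the state the thread started in (manual, no hook).
SAMPLE_MANUAL = """\
# renew_before_expiry = 30 days
version = 4.1.1
archive_dir = /etc/letsencrypt/archive/example.io
cert = /etc/letsencrypt/live/example.io/cert.pem
privkey = /etc/letsencrypt/live/example.io/privkey.pem
chain = /etc/letsencrypt/live/example.io/chain.pem
fullchain = /etc/letsencrypt/live/example.io/fullchain.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample: what a successful `certonly --dns-route53` leaves behind.
SAMPLE_ROUTE53 = SAMPLE_MANUAL.replace("authenticator = manual",
                                       "authenticator = dns-route53")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/renewal"
    for name, problems in audit_directory(target).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it as root with no arguments to audit `/etc/letsencrypt/renewal`; a line ending in `OK` means the config carries a plugin that can complete the DNS challenge without a human at the terminal.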

After enabling manual-auth-hook, I am getting the below error. Also, I was trying to update the DNS record but it is conflicting with the existing TXT record, and I cannot delete that as it is being used.

sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/smartbear.io.conf


Simulating renewal of an existing certificate for *.smartbear.io

Hook '--manual-auth-hook' for smartbear.io ran with output:

Please add the following CNAME record to your main DNS zone:

_acme-challenge.smartbear.io CNAME 2521670b-e557-430f-a595-7c0f3a693bd7.auth.acme-dns.io.

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: smartbear.io

Type: unauthorized

Detail: Incorrect TXT record "HFdXuFlYQtvvvv9R5aECIn7qSXQOdVVFZ0tC6H7zJeE" found at _acme-challenge.smartbear.io

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Failed to renew certificate smartbear.io with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/smartbear.io/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Oh, I was suggesting using the Route53 plugin. I see you chose to use a different method. Why wasn't the Route53 option good?

Being used by what? The _acme-challenge TXT record is used only briefly while the challenge is tested. Once the cert request completes the TXT record is no longer needed and should be deleted.

2 Likes

I had installed the plugin certbot-dns-route53 successfully and ran the below command:

sudo certbot certonly --dns-route53 -d "*.smartbear.io"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/smartbear.io.conf)

What would you like to do?


1: Keep the existing certificate for now

2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1


Certificate not yet due for renewal; no action taken.


You should have chosen option 2 to replace it. This is needed to prove it works and when it does it will update your renewal config too.

2 Likes

Does it mean the cert will be renewed automatically now? Also, I can see the TXT record is deleted; now there is no acme* TXT record on Route53.

sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/smartbear.io.conf


Simulating renewal of an existing certificate for *.smartbear.io


Congratulations, all simulated renewals succeeded:

/etc/letsencrypt/live/smartbear.io/fullchain.pem (success)


Yes, as long as the systemd timer and/or cronjob is setup to run the renew command. I previously gave a link that showed how you can check that. Again: User Guide — Certbot 5.0.0.dev0 documentation

The timer is probably correct. You can also check back in 61 days and make sure the renewal worked. The Certbot v4.1 default is to renew a 90-day cert when it has less than 1/3 of time left before expiration (so with less than 30 days remaining).

1 Like
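To make the "check back in 61 days" advice concrete: with Certbot's default rule a certificate becomes due when less than a third of its lifetime is left, so a 90-day cert issued on day 0 is renewed by the timer on or after day 60. The following is an added example, not certbot's own code, that applies that rule to the dates shown by `certbot certificates`. The expiry string is the one from the thread; the matching not-before date and the `example.io` name are constructed to give a 90-day lifetime.

```python
"""Added example (not certbot's own code): compute when Certbot's default
renewal rule (renew once less than 1/3 of the lifetime remains) will act
on a certificate, using the dates shown by `certbot certificates`."""
from datetime import datetime, timezone

# Certbot 4.x default: a 90-day cert renews with fewer than 30 days left.
DEFAULT_FRACTION = 1 / 3


def renewal_date(not_before, not_after, fraction=DEFAULT_FRACTION):
    """Earliest moment at which `certbot renew` (timer or cron) will renew."""
    lifetime = not_after - not_before
    return not_after - lifetime * fraction


def renewal_due(not_before, not_after, now=None, fraction=DEFAULT_FRACTION):
    """True when a renew run at `now` would actually request a new cert."""
    if now is None:
        now = datetime.now(timezone.utc)
    return now >= renewal_date(not_before, not_after, fraction)


def days_until_renewal(not_before, not_after, now, fraction=DEFAULT_FRACTION):
    """Days from `now` until the timer will renew; negative if overdue."""
    delta = renewal_date(not_before, not_after, fraction) - now
    return delta.total_seconds() / 86400


def parse_expiry(certificates_output):
    """Pull the 'Expiry Date:' timestamp out of `certbot certificates` text,
    dropping any trailing '(VALID: ...)' / '(INVALID: EXPIRED)' annotation."""
    for line in certificates_output.splitlines():
        line = line.strip()
        if line.startswith("Expiry Date:"):
            stamp = line[len("Expiry Date:"):].strip().split(" (")[0]
            return datetime.fromisoformat(stamp)
    raise ValueError("no 'Expiry Date:' line found")


# Constructed sample: the expiry from the thread plus a not-before date
# exactly 90 days earlier (Let's Encrypt certificates are 90 days long).
SAMPLE_CERTIFICATES_OUTPUT = """\
Certificate Name: example.io
Domains: *.example.io
Expiry Date: 2024-10-23 07:34:39+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/example.io/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.io/privkey.pem
"""
SAMPLE_NOT_AFTER = datetime(2024, 10, 23, 7, 34, 39, tzinfo=timezone.utc)
SAMPLE_NOT_BEFORE = datetime(2024, 7, 25, 7, 34, 39, tzinfo=timezone.utc)

if __name__ == "__main__":
    expiry = parse_expiry(SAMPLE_CERTIFICATES_OUTPUT)
    when = renewal_date(SAMPLE_NOT_BEFORE, expiry)
    print("renewal will be attempted from:", when.isoformat())
    print("due right now:", renewal_due(SAMPLE_NOT_BEFORE, expiry))
```

Feed `parse_expiry` the real output of `sudo certbot certificates` and take not-before from `openssl x509 -noout -startdate -in /etc/letsencrypt/live/<name>/cert.pem` to get the date on which your own timer should produce a new certificate; if that date passes and `certbot certificates` still shows the old expiry, the timer or the plugin credentials need attention.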

Thank you so much, Mike!! Last question:

When the certificate is renewed next time, will any DNS record be created on Route53? I mean, how does this validation work if there is no record on Route 53?

1 Like