Certbot-dns-linode in cron: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively

My certificate renewals are failing when run from cron with the message "An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively". I'm confused by this message as I'm using the Linode plugin, not manual.

My domain is: greasyfork.org and sleazyfork.org

I ran this command: (from cron) certbot renew --dns-linode --dns-linode-credentials /path/to/linode.ini

It produced this output:

2021-04-12 15:13:18,047:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 1491
2021-04-12 15:13:18,562:DEBUG:certbot._internal.main:certbot version: 1.14.0
2021-04-12 15:13:18,563:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1093/bin/certbot
2021-04-12 15:13:18,563:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2021-04-12 15:13:18,563:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#dns-linode,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-04-12 15:13:18,585:DEBUG:certbot._internal.log:Root logging level set at 30
2021-04-12 15:13:18,585:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-04-12 15:13:18,586:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/greasyfork.org.conf
2021-04-12 15:13:18,637:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f250e316f10> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f250e316f10>
2021-04-12 15:13:18,681:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2021-04-12 15:13:18,796:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2021-04-12 15:13:18,798:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/greasyfork.org/cert3.pem is signed by the certificate's issuer.
2021-04-12 15:13:18,805:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/greasyfork.org/cert3.pem is: OCSPCertStatus.GOOD
2021-04-12 15:13:18,809:INFO:certbot._internal.renewal:Cert not yet due for renewal
2021-04-12 15:13:18,810:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-linode and installer None
2021-04-12 15:13:18,810:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/sleazyfork.org.conf
2021-04-12 15:13:18,847:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2021-04-12 15:13:18,866:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2021-04-12 15:13:18,867:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/sleazyfork.org/cert1.pem is signed by the certificate's issuer.
2021-04-12 15:13:18,868:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/sleazyfork.org/cert1.pem is: OCSPCertStatus.GOOD
2021-04-12 15:13:18,868:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-05-02 01:51:18 UTC.
2021-04-12 15:13:18,869:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
2021-04-12 15:13:18,869:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 306.3655354940383 seconds
2021-04-12 15:18:25,322:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2021-04-12 15:18:25,327:DEBUG:certbot._internal.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 158, in prepare
    self._initialized.prepare()  # type: ignore
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/plugins/manual.py", line 91, in prepare
    raise errors.PluginError(
certbot.errors.PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
2021-04-12 15:18:25,327:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2021-04-12 15:18:25,327:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None
2021-04-12 15:18:25,327:INFO:certbot._internal.main:Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
2021-04-12 15:18:25,328:ERROR:certbot._internal.renewal:Failed to renew certificate sleazyfork.org with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
2021-04-12 15:18:25,329:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 481, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1239, in renew_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/plugins/selection.py", line 224, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/plugins/selection.py", line 328, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

2021-04-12 15:18:25,329:DEBUG:certbot.display.util:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-04-12 15:18:25,329:DEBUG:certbot.display.util:Notifying user: The following certificates are not due for renewal yet:
2021-04-12 15:18:25,329:DEBUG:certbot.display.util:Notifying user:   /etc/letsencrypt/live/greasyfork.org/fullchain.pem expires on 2021-07-08 (skipped)
2021-04-12 15:18:25,329:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2021-04-12 15:18:25,329:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/sleazyfork.org/fullchain.pem (failure)
2021-04-12 15:18:25,329:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-04-12 15:18:25,329:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1093/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1435, in main
    return config.func(config, plugins)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1328, in renew
    renewal.handle_renewal_request(config)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 506, in handle_renewal_request
    raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2021-04-12 15:18:25,330:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.2

My hosting provider, if applicable, is: Linode

I can log in to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.14.0

Hi,

Based on the output, you didn't use dns-linode when you first issued the certificates, so you might need to do a dry-run (or some tests) to instruct certbot to use dns-linode.

You can try to renew by adding a new certificate with the exact set of hostnames in your existing one and using the Linode plugin. When there's a prompt asking whether you want to renew or issue a new certificate, choose renew.
sudo certbot certonly --dns-linode --dns-linode-credentials /path/to/linode.ini -d "domain names" --preferred-challenges dns-01 (Add extra domains if you need to)

Do you have the dns-linode plugin installed?

Thank you


This is possible. On the initial setup, I was trying a few different things to make it work. As I have 2 domains, I may have done the first one manually and the second with the plugin.

Dry run completes successfully using dns-linode.

$ sudo certbot renew --dry-run --dns-linode --dns-linode-credentials /path/to/linode.ini
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/greasyfork.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-linode, Installer None
Simulating renewal of an existing certificate for greasyfork.org and 3 more domains
Performing the following challenges:
dns-01 challenge for greasyfork.org
dns-01 challenge for sleazyfork.org
dns-01 challenge for www.greasyfork.org
dns-01 challenge for www.sleazyfork.org
Waiting 120 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/greasyfork.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sleazyfork.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-linode, Installer None
Simulating renewal of an existing certificate for sleazyfork.org
Performing the following challenges:
dns-01 challenge for sleazyfork.org
Waiting 120 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/sleazyfork.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/greasyfork.org/fullchain.pem (success)
  /etc/letsencrypt/live/sleazyfork.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Based on this output, I see it's reading from files in /etc/letsencrypt/renewal. Inspecting these files, one domain had authenticator = manual and the other authenticator = dns-linode. I've modified the [renewalparams] section of the one that had manual to match the other. We'll see if that fixes it.


Glad you figured it out!

Also, thank you for hosting the two amazing sites!

Hm, I thought that any command on the command line would override the renewal configuration parameters?

That said I think it's unwise to have those extra command line options in your actual cronjob. The cronjob renewal should IMO just use the renewal configuration files whereas if you'd like to change anything in the way a certificate gets issued/renewed, you should do that manually on the command line. Not from the command in cron.


I don't remember exactly what I did months ago when I set it up - whether I installed that cron manually or certbot did. At the very least, it's confusing that it will allow those parameters but not heed them.

In any case, the renewal ran successfully through cron after I made the modifications to the file under the renewal directory. Thanks for the help.
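The failing run in the log was started with only `-q` and `--preconfigured-renewal`, so the authenticator came from the file under /etc/letsencrypt/renewal. The following is an added example, not part of the original posts and not Certbot's own code, that audits those files for the condition that broke the renewal: `authenticator = manual` with no auth hook. The sample file contents and the function names are constructed for illustration.

```python
import configparser
from pathlib import Path

RENEWAL_DIR = Path("/etc/letsencrypt/renewal")  # directory named in the thread

# Constructed sample files (not the poster's real configuration).
SAMPLE_MANUAL = """\
# renew_before_expiry = 30 days
version = 1.14.0
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = manual
pref_challs = dns-01,
"""
SAMPLE_LINODE = SAMPLE_MANUAL.replace(
    "authenticator = manual",
    "authenticator = dns-linode\ndns_linode_credentials = /path/to/linode.ini",
)

def renewal_params(text):
    """Return the [renewalparams] section of a renewal .conf as a dict."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Renewal files begin with section-less keys (version, cert, ...);
    # configparser needs a header, so park them in a dummy section.
    parser.read_string("[_top]\n" + text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])

def audit(text, expected=None):
    """List reasons this lineage would fail or surprise in an unattended renew."""
    params = renewal_params(text)
    auth = params.get("authenticator")
    findings = []
    if auth is None:
        findings.append("no authenticator recorded")
    elif auth == "manual" and not params.get("manual_auth_hook"):
        # The exact condition behind the PluginError in the log above.
        findings.append("manual without manual_auth_hook")
    if expected and auth != expected:
        findings.append(f"authenticator is {auth}, expected {expected}")
    return findings

if __name__ == "__main__":
    files = sorted(RENEWAL_DIR.glob("*.conf")) if RENEWAL_DIR.is_dir() else []
    for conf in files:
        for finding in audit(conf.read_text(), expected="dns-linode"):
            print(f"{conf.name}: {finding}")
```

Run as root on the host, it prints one line per lineage that would fail unattended or that uses a different authenticator than intended, and prints nothing when every file is consistent.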
