Certbot dry run errors after fixing TLS-SNI-01 as per documentation

After following the steps outlined in this support document, I attempted a dry run, which produced the following errors:

Processing /etc/letsencrypt/renewal/www.cag.org.in.conf


Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (www.cag.org.in) from /etc/letsencrypt/renewal/www.cag.org.in.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/www.tegi.org.in/fullchain.pem (failure)
/etc/letsencrypt/live/thermalwatch.org.in/fullchain.pem (failure)
/etc/letsencrypt/live/www.cag.org.in/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/old.thermalwatch.org.in/fullchain.pem (success)
/etc/letsencrypt/live/tcn.cag.org.in/fullchain.pem (success)
/etc/letsencrypt/live/data.cag.org.in/fullchain.pem (success)
/etc/letsencrypt/live/tegi.org.in/fullchain.pem (success)
/etc/letsencrypt/live/cag.org.in/fullchain.pem (success)
/etc/letsencrypt/live/www.thermalwatch.org.in/fullchain.pem (success)
/etc/letsencrypt/live/old.cag.org.in/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.tegi.org.in/fullchain.pem (failure)
/etc/letsencrypt/live/thermalwatch.org.in/fullchain.pem (failure)
/etc/letsencrypt/live/www.cag.org.in/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


3 renew failure(s), 0 parse failure(s)

I will be thankful for any suggestions to fix this, as it appears that the certs which are due for renewal (and which have all failed the dry run test) may not renew properly. The server is running Ubuntu 14.04 and Apache 2.4.x, and the certbot version is 0.28. The Certbot package showed as having been kept back, so I ran apt-get install certbot to upgrade it to 0.28.

It seems that some certs may have been obtained "manually".
There is no way to automate that process.
Please review one of the failed cert renewal configs.
Something like (or show it here):
cat /etc/letsencrypt/renewal/www.tegi.org.in.conf

Thank you for the pointer. This is what I get when I open the renewal config:

renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/www.tegi.org.in
cert = /etc/letsencrypt/live/www.tegi.org.in/cert.pem
privkey = /etc/letsencrypt/live/www.tegi.org.in/privkey.pem
chain = /etc/letsencrypt/live/www.tegi.org.in/chain.pem
fullchain = /etc/letsencrypt/live/www.tegi.org.in/fullchain.pem
Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
account = <acct_key>
pref_challs = dns-01,
manual_public_ip_logging_ok = True

There is no way to renew this cert automatically.
You would need to replace that previous method with another authentication that can be automated.

Please show:
certbot certificates
[to see how we can proceed]

Thank you for walking me through the steps. Here's what that command shows:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/www.tegi.org.in/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/thermalwatch.org.in/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/www.cag.org.in/cert.pem is unknown
Found the following certs:
Certificate Name: old.thermalwatch.org.in
Domains: old.thermalwatch.org.in
Expiry Date: 2019-05-14 17:55:54+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/old.thermalwatch.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/old.thermalwatch.org.in/privkey.pem
Certificate Name: tcn.cag.org.in
Domains: tcn.cag.org.in
Expiry Date: 2019-05-14 17:56:06+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/tcn.cag.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tcn.cag.org.in/privkey.pem
Certificate Name: data.cag.org.in
Domains: data.cag.org.in
Expiry Date: 2019-03-19 17:52:30+00:00 (VALID: 28 days)
Certificate Path: /etc/letsencrypt/live/data.cag.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/data.cag.org.in/privkey.pem
Certificate Name: tegi.org.in
Domains: tegi.org.in www.tegi.org.in
Expiry Date: 2019-03-26 17:40:50+00:00 (VALID: 35 days)
Certificate Path: /etc/letsencrypt/live/tegi.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tegi.org.in/privkey.pem
Certificate Name: www.tegi.org.in
Domains: www.tegi.org.in
Expiry Date: 2018-01-01 11:22:59+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.tegi.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.tegi.org.in/privkey.pem
Certificate Name: cag.org.in
Domains: cag.org.in www.cag.org.in
Expiry Date: 2019-05-10 06:32:39+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/cag.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cag.org.in/privkey.pem
Certificate Name: www.thermalwatch.org.in
Domains: thermalwatch.org.in www.thermalwatch.org.in
Expiry Date: 2019-05-10 06:32:51+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/www.thermalwatch.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.thermalwatch.org.in/privkey.pem
Certificate Name: thermalwatch.org.in
Domains: thermalwatch.org.in
Expiry Date: 2018-01-08 11:03:43+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/thermalwatch.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thermalwatch.org.in/privkey.pem
Certificate Name: old.cag.org.in
Domains: old.cag.org.in
Expiry Date: 2019-05-14 17:56:17+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/old.cag.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/old.cag.org.in/privkey.pem
Certificate Name: www.cag.org.in
Domains: www.cag.org.in
Expiry Date: 2017-12-15 12:33:00+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.cag.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.cag.org.in/privkey.pem

The three certs showing as INVALID: EXPIRED are also the ones that failed the dry run after upgrading Certbot to version 0.28. Strangely, there are also valid certs for those three domains!!

:thinking:

Ok we will focus on them one at a time.
First one:
Certificate Name: www.tegi.org.in

Please show the port 443 vhost config file that covers the domain.

On second thought…
We may be able to address them all at once.

Please show:
grep -ri fullchain /etc/apache2

Hi @digestlegend

Then you should first check which certificates your websites are using.

Then delete the certificates not used with

certbot delete CertificateName

Perhaps you don't use the non-working certificate, so the renewal isn't a problem.

PS:

/etc/letsencrypt/renewal/www.tegi.org.in.conf

has the problem. That is expired and has only one domain name.

Yep, you have a Grade E (tegi.org.in - Make your website better - DNS, redirects, mixed content, certificates):

Domainname                IP              Http-Status  redirect                  Sec.   G
http://tegi.org.in/       172.104.190.51  301          https://www.tegi.org.in/  0.710  E
http://www.tegi.org.in/   172.104.190.51  301          https://www.tegi.org.in/  0.700  A
https://tegi.org.in/      172.104.190.51  200                                    5.106  A
https://www.tegi.org.in/  172.104.190.51  200                                    4.887  A

and you use the certificate with both domain names:

CN=tegi.org.in  26.12.2018  26.03.2019  expires in 35 days  tegi.org.in, www.tegi.org.in - 2 entries

So delete that certificate you don't use (first, make a copy).

@JuergenAuer
Thank you for the details and commands. I will try deleting one of these invalid certs after backing up. Maybe the renewal is not a problem at all, as you mentioned.

Thanks. But that command returns an empty line.

After further review…

You can replace these expired certs:
Certificate Name: thermalwatch.org.in
Certificate Name: www.cag.org.in
Certificate Name: www.tegi.org.in

With these active certs:

Certificate Name: www.thermalwatch.org.in
Domains: thermalwatch.org.in www.thermalwatch.org.in
Expiry Date: 2019-05-10 06:32:51+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/www.thermalwatch.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.thermalwatch.org.in/privkey.pem

Certificate Name: cag.org.in
Domains: cag.org.in www.cag.org.in
Expiry Date: 2019-05-10 06:32:39+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/cag.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cag.org.in/privkey.pem

Certificate Name: tegi.org.in
Domains: tegi.org.in www.tegi.org.in
Expiry Date: 2019-03-26 17:40:50+00:00 (VALID: 35 days)
Certificate Path: /etc/letsencrypt/live/tegi.org.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tegi.org.in/privkey.pem

Then delete the unused certs with:
certbot delete --cert-name thermalwatch.org.in
certbot delete --cert-name www.cag.org.in
certbot delete --cert-name www.tegi.org.in

And then rerun the --dry-run test.
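An added audit script (not from the thread and not part of Certbot) that automates the two checks made above: the earlier point that a renewal conf with authenticator = manual and no manual_auth_hook cannot be renewed unattended, and the comparison of certbot certificates output to find expired lineages whose domains are all covered by a still-valid lineage. The sample output and conf are constructed from the thread's values, and the expired example.org lineage is an invented negative case; as in the thread, confirm with grep -ri fullchain /etc/apache2 that no vhost still references a lineage before deleting it.

```python
# Constructed sample in the format of `certbot certificates` (values adapted
# from the thread; the expired example.org lineage is invented as a negative case).
SAMPLE = """\
  Certificate Name: tegi.org.in
    Domains: tegi.org.in www.tegi.org.in
    Expiry Date: 2019-03-26 17:40:50+00:00 (VALID: 35 days)
  Certificate Name: www.tegi.org.in
    Domains: www.tegi.org.in
    Expiry Date: 2018-01-01 11:22:59+00:00 (INVALID: EXPIRED)
  Certificate Name: example.org
    Domains: example.org
    Expiry Date: 2018-01-01 00:00:00+00:00 (INVALID: EXPIRED)
"""
# Renewal conf as shown in the thread: manual authenticator, no auth hook.
SAMPLE_CONF = """\
[renewalparams]
authenticator = manual
pref_challs = dns-01,
"""

def parse_certificates(output):
    """Map lineage name -> {"domains": set, "valid": bool}."""
    lineages, name = {}, None
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
            lineages[name] = {"domains": set(), "valid": False}
        elif name and line.startswith("Domains:"):
            lineages[name]["domains"] = set(line.split(":", 1)[1].split())
        elif name and line.startswith("Expiry Date:"):
            lineages[name]["valid"] = "(VALID:" in line
    return lineages

def redundant_expired(lineages):
    """Expired lineages whose every domain is also on some valid lineage."""
    covered = set().union(*(v["domains"] for v in lineages.values() if v["valid"]))
    return sorted(n for n, v in lineages.items()
                  if not v["valid"] and v["domains"] and v["domains"] <= covered)

def manual_without_hook(conf_text):
    """True when `certbot renew` cannot process this lineage unattended:
    authenticator = manual with no manual_auth_hook (the error in the thread)."""
    pairs = (raw.partition("=") for raw in conf_text.splitlines() if "=" in raw)
    params = {k.strip(): v.strip() for k, _, v in pairs}
    return params.get("authenticator") == "manual" and "manual_auth_hook" not in params

if __name__ == "__main__":
    for name in redundant_expired(parse_certificates(SAMPLE)):
        print("certbot delete --cert-name", name)  # candidate: www.tegi.org.in
    print("manual without hook:", manual_without_hook(SAMPLE_CONF))
```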

Thank you very much for the suggestions.

I loaded the three sites in a browser and found they are all using the active certs. So, do I really need to replace them in the first place? Or, can I simply go ahead and delete the expired ones?

I took a backup of the LetsEncrypt folder with cp /etc/letsencrypt/ /etc/letsencrypt.backup -r and then proceeded to delete the certs that had expired/were invalid.

The dry run shows perfect results now:

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/old.thermalwatch.org.in/fullchain.pem (success)
/etc/letsencrypt/live/tcn.cag.org.in/fullchain.pem (success)
/etc/letsencrypt/live/data.cag.org.in/fullchain.pem (success)
/etc/letsencrypt/live/tegi.org.in/fullchain.pem (success)
/etc/letsencrypt/live/cag.org.in/fullchain.pem (success)
/etc/letsencrypt/live/www.thermalwatch.org.in/fullchain.pem (success)
/etc/letsencrypt/live/old.cag.org.in/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

Thanks to you and @JuergenAuer for all the suggestions and commands to help resolve this issue. Much appreciated. :+1:
