Certbot no longer renewing, no error, stuck on manual-auth-hook

Somewhere in the last couple of months certbot (snap) stopped working and I cannot figure out why due to the lack of an error.

All I have been able to figure out is that it won't get past this:

INFO:certbot.compat.misc:Running manual-auth-hook command: /home/pi/certificates/certbot-auto-authenticator.sh

(As for the filename, I originally used certbot-auto, until it was no longer supported.)

That script uses curl to send the values for DNS verification to an externally hosted PHP script that creates the TXT records needed for verification. The TXT records are no longer created, nor does curl give any output.

This PHP script has been working fine for years and as far as I know, nothing has changed in the last couple of months, so I have nothing to go on to solve this. I checked the logs of the webserver the script is running on, no errors.

Currently certbot is attempting a dry-run, but the last output is

Simulating renewal of an existing certificate for domain.tld and *.domain.tld

Based on the output of ps aux | grep certbot and certbot's log it's stuck again on manual-auth-hook.

Is there any way to get certbot to generate more output so that I can figure out what's going wrong?

Raspbian 9 (yes, I know it's not the most recent)
certbot 1.21.0
certbot config:

renew_before_expiry = 30 days

version = 1.19.0
archive_dir = /etc/letsencrypt/archive/domain.tld
cert = /etc/letsencrypt/live/domain.tld/cert.pem
privkey = /etc/letsencrypt/live/domain.tld/privkey.pem
chain = /etc/letsencrypt/live/domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/domain.tld/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
account = ********************************
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
manual_auth_hook = /home/pi/certificates/certbot-auto-authenticator.sh
manual_cleanup_hook = /home/pi/certificates/certbot-auto-cleanup.sh
post_hook = /home/pi/certificates/certbot-auto-reload.sh

As for certbot's logs, all I could find was that during the last run (on the 27th of November) the last thing it did was try to run manual-auth-hook for renewing, then nothing, until I killed certbot, which turned out to be still running a week later, still hanging on manual-auth-hook.

2 Likes

... turns out it was a root certificate issue, had to convince Raspbian to stop using DST_Root_CA_X3.crt and start using ISRG_Root_X1.crt.

4 Likes
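
A check for the trust-store state the last reply describes, as an added example that is not part of the original thread: it reads a file in Debian's ca-certificates.conf format (a leading "!" deselects a certificate) and reports whether DST_Root_CA_X3.crt and ISRG_Root_X1.crt are enabled. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Each non-comment line of ca-certificates.conf is a path
# under /usr/share/ca-certificates; "!" in front means "deselected".
# Certificates dropped into /usr/local/share/ca-certificates are not listed
# in this file, so "absent" here only describes the packaged set.

# ca_state CONF NAME -> prints enabled | disabled | absent
ca_state() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            line = $0; off = 0
            if (substr(line, 1, 1) == "!") { off = 1; line = substr(line, 2) }
            n = split(line, parts, "/")            # compare on the file name
            if (parts[n] == want) { state = off ? "disabled" : "enabled" }
        }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# trust_ok CONF -> exit 0 only if ISRG Root X1 is enabled and the expired
# DST Root CA X3 is not.
trust_ok() {
    [ "$(ca_state "$1" ISRG_Root_X1.crt)" = "enabled" ] &&
    [ "$(ca_state "$1" DST_Root_CA_X3.crt)" != "enabled" ]
}

# Constructed sample files: one stale trust store, one corrected.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/DigiCert_Global_Root_CA.crt' > "$SAMPLE_DIR/stale.conf"
    printf '%s\n' '# constructed sample' '!mozilla/DST_Root_CA_X3.crt' \
        'mozilla/ISRG_Root_X1.crt' > "$SAMPLE_DIR/fixed.conf"
}

make_samples
for f in stale fixed; do
    if trust_ok "$SAMPLE_DIR/$f.conf"; then verdict="ok"; else verdict="needs attention"; fi
    echo "$f.conf: DST=$(ca_state "$SAMPLE_DIR/$f.conf" DST_Root_CA_X3.crt)" \
         "ISRG=$(ca_state "$SAMPLE_DIR/$f.conf" ISRG_Root_X1.crt) -> $verdict"
done
```

On a real system the file to inspect is /etc/ca-certificates.conf, and update-ca-certificates rebuilds the bundle after that file is changed.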
