Certbot renew command not working as expected

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=vrdemo.evolphin.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vrdemo.evolphin.com

I ran this command: certbot renew

It produced this output:
certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/vrdemo.evolphin.com.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (vrdemo.evolphin.com) from /etc/letsencrypt/renewal/vrdemo.evolphin.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vrdemo.evolphin.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vrdemo.evolphin.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):

The operating system my web server runs on is (include version): centos7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.36.0

I have given this command in my cronjob script; the simple command is also not working, giving the above error.

What are you using your certificate with? Do you have a web server?

You could try something like:

certbot renew --cert-name vrdemo.evolphin.com --standalone

But the original issue is that the first time you created this certificate, you appear to have performed all of the authentication steps manually (--manual). This means that automatic renewal is not possible, since you are not there to repeat those authentication steps every time.

If you tell Certbot how to perform the authentication automatically (say, in conjunction with a webserver or using --standalone), then renewal will happen on its own.

To know which way is suitable for you, we need to understand a little bit about what kind of server software you are using your certificate with.

Hi

I have run the above-mentioned command for the vrdemo.evolphin.com domain; the output is as follows:

# certbot renew --cert-name vrdemo.evolphin.com --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/vrdemo.evolphin.com.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/vrdemo.evolphin.com/fullchain.pem expires on 2019-10-10 (skipped)
No renewals were attempted.


So can we say that, for the above domain, if we run the same command again within 30 days, it will work?

But the same command for my other subdomain, srdam.evolphin.com, gives the following error:

Valid from
Wed, 03 Jul 2019 13:57:29 UTC
Valid until
Tue, 01 Oct 2019 13:57:29 UTC (expires in 22 days, 3 hours)

# certbot renew --cert-name srdam.evolphin.com --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/srdam.evolphin.com.conf


Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 64, in _recon
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 466, in __ini
    self._check_symlinks()
  File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 524, in _chec
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/srdam.evolphin.com/cert.pem to
Renewal configuration file /etc/letsencrypt/renewal/srdam.evolphin.com.conf is b


No renewals were attempted.
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/srdam.evolphin.com.conf (parsefail)


0 renew failure(s), 1 parse failure(s)

How can we resolve the above error? Can we clean up the above certificate? If so, what is the best way or procedure to clean it up and recreate the certificate?

We are using the Jetty web server.

Hi _az
Is there any update on my above issue?

Hi @naf

Please read your error message. There is a symlink expected.

So you have changed the Certbot configuration files manually -> then you have to fix the error manually.

Never change such configuration things, the result is a broken configuration.
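
A pre-flight check for the two failures diagnosed in the replies above (a --manual lineage with no auth hook, and a live/ file that is no longer a symlink), as an added example that is not part of the thread or of Certbot. It assumes the usual renewal .conf layout (`cert`, `privkey`, `chain` and `fullchain` paths, plus `authenticator` and `manual_auth_hook` under `[renewalparams]`); the function names, finding labels and the `example.test` sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Certbot renewal config before relying on cron.

# Print the value of "KEY = value" from FILE (first match only).
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print one finding per line for renewal config FILE; no output means OK.
audit_renewal_conf() {
    auth=$(conf_get "$1" authenticator)
    hook=$(conf_get "$1" manual_auth_hook)
    # Assumption: an unset hook is either absent or written as "None".
    if [ "$auth" = manual ] && { [ -z "$hook" ] || [ "$hook" = None ]; }; then
        echo "manual-no-hook"    # cannot renew unattended
    fi
    # Each of the four live/ paths must be a symlink with an existing target.
    for key in cert privkey chain fullchain; do
        link=$(conf_get "$1" "$key")
        if [ ! -L "$link" ]; then
            echo "not-symlink:$key"
        elif [ ! -e "$link" ]; then
            echo "dangling:$key"
        fi
    done
}

# Build a constructed sample tree: a --manual lineage whose cert.pem was
# replaced by a regular file. Prints the path of its renewal config.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/archive/example.test" "$d/live/example.test" "$d/renewal"
    for key in cert privkey chain fullchain; do
        : > "$d/archive/example.test/${key}1.pem"
        ln -s "../../archive/example.test/${key}1.pem" "$d/live/example.test/$key.pem"
        echo "$key = $d/live/example.test/$key.pem"
    done > "$d/renewal/example.test.conf"
    printf '[renewalparams]\nauthenticator = manual\n' >> "$d/renewal/example.test.conf"
    rm "$d/live/example.test/cert.pem"
    : > "$d/live/example.test/cert.pem"   # regular file, as if copied by hand
    echo "$d/renewal/example.test.conf"
}

audit_renewal_conf "$(make_sample)"
```

On a real host the same function can be looped over /etc/letsencrypt/renewal/*.conf; it only reads files and changes nothing.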

Hi
We have fixed the above-mentioned issue but are now facing a new issue, as below:

Attempting to renew cert (srdam.evolphin.com) from /etc/letsencrypt/renewal/srdam.evolphin.com.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/srdam.evolphin.com/fullchain.pem (failure)

Depends on what’s inside /etc/letsencrypt/renewal/srdam.evolphin.com.conf.

I would guess that the solution to this would be the following, but hard to say for sure:

certbot renew --cert-name srdam.evolphin.com \
--standalone --preferred-challenges http-01

Hi _az
Thanks for your support. As per your suggestion, I have run the command below, but the issue changed this time.

[root@srdam-zoom srdam.evolphin.com-0001]# certbot renew --cert-name srdam.evolphin.com-0001 --standalone --preferred-challenges http-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/srdam.evolphin.com-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for srdam.evolphin.com
Waiting for verification…
Challenge failed for domain srdam.evolphin.com
http-01 challenge for srdam.evolphin.com
Cleaning up challenges
Attempting to renew cert (srdam.evolphin.com-0001) from /etc/letsencrypt/renewal/srdam.evolphin.com-0001.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/srdam.evolphin.com-0001/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/srdam.evolphin.com-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: srdam.evolphin.com
    Type: connection
    Detail: Fetching
    http://srdam.evolphin.com/.well-known/acme-challenge/5XGgPyJM-mq87dL17oGPvenNCJurftfGQEZIrjQhrhI:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    [root@srdam-zoom srdam.evolphin.com-0001]# Write failed: Broken pipe
    You have new mail in /var/spool/mail/root

Connecting to http://srdam.evolphin.com/ from the Internet times out.

Could there be a firewall blocking it, or a networking problem…?

We have blocked HTTP; the same link is working over the HTTPS protocol.
https://srdam.evolphin.com

Then you can’t use http validation.

Check

Can you unblock it?

Hi mnordhoff
Thanks for your support. Sure, I will, but before that I have to get approval from the concerned team. I will get in touch in some time.
Thanks