Certbot renew throws an error

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/abc.xyz.ca.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ivari.continentalpress.ca
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/abc.xyz.ca/fullchain.pem



Processing /etc/letsencrypt/renewal/abcdef.ca.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (wfgdc.ca) from /etc/letsencrypt/renewal/abcdef.ca.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/abcdef.ca/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/abc.xyz.ca/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/abcdef.ca/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.7

The operating system my web server runs on is (include version): Ubuntu 14.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

On the server there is a cron job, 21 9 * * * certbot renew --post-hook "service apache2 reload", which runs this command to renew the certificates automatically.

I am new to certbot and I don’t know how to fix this error. I will really appreciate your help.

It looks like you used --manual to issue the wildcard certificate for wfgdc.ca.

The consequence of doing this is that you cannot automatically renew the certificate.

Automatically renewing wildcard certificates generally requires that you use a DNS provider that provides a programmatic interface/API to deploy TXT records. I don’t think that domainsatcost/rebel.com meet the requirements to make this possible.

You have some choices to resolve this:

First is to manually re-issue the certificate:

certbot certonly --cert-name "wfgdc.ca" -d "wfgdc.ca" -d "*.wfgdc.ca" \
--manual --preferred-challenges dns-01

Alternatively, you could try changing DNS providers to a DNS host that supports renewing wildcard certificates automatically. You can find some choices in this thread.

Finally, consider whether you really need a wildcard certificate to begin with. If you can get away with not using one, you can avoid this entire problem and use normal HTTP-based renewal, like you’ve done with your other domain.


Thank you for quick response.

If I manually re-issue the certificate then I guess I have to do it every time it's about to expire. This option will not work for me.

I am using Dyn for the DNS, which is in the list of DNS hosts which supports automatic renewing wildcard certificates.

The setup worked fine in the past. This problem arose only this time. If you need any additional details please let me know.

Are you? That's not what I see when I check your nameservers. Maybe they are white-labelled ... but it doesn't seem like it.

I'm inclined to believe that it only worked when you manually issued it. Certbot doesn't have any Dyn integration for now, so it would have no way of performing renewals automatically.

You'd need to either select an ACME client that supports it out of the box (like acme.sh or lego) or write some authentication hooks for Certbot to achieve the task.
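
The two replies above make the same point from different angles: a certificate issued interactively with --manual cannot be renewed by an unattended `certbot renew` unless a --manual-auth-hook is configured, and the cron job will keep failing for that lineage until it is re-issued or given a hook. The script below is an added example, not code from this thread or from Certbot itself: it reads Certbot's per-certificate renewal files (assumed layout: /etc/letsencrypt/renewal/<name>.conf with a [renewalparams] section, where the manual plugin records `authenticator = manual` and, if set, `manual_auth_hook`) and reports which lineages would be skipped by a non-interactive renewal, so the problem shows up before the cron job hits it. The sample configuration texts and the hook path are constructed for illustration.

```python
"""Pre-flight check for unattended `certbot renew`.

Added example, not code from the original thread or from Certbot. It parses
Certbot renewal files (assumed layout: /etc/letsencrypt/renewal/<name>.conf
with a [renewalparams] section) and flags lineages that use the manual
authenticator without a manual_auth_hook, the combination behind the
"An authentication script must be provided with --manual-auth-hook" error.
All sample texts below are constructed for illustration.
"""
import glob
import os
import sys
from typing import Dict, List

# Constructed sample: HTTP-01 via the apache plugin, renews unattended.
SAMPLE_APACHE_CONF = """\
# renew_before_expiry = 30 days
version = 0.28.0
cert = /etc/letsencrypt/live/abc.xyz.ca/cert.pem
fullchain = /etc/letsencrypt/live/abc.xyz.ca/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample: wildcard issued interactively with --manual, no hook.
SAMPLE_MANUAL_CONF = """\
version = 0.28.0
fullchain = /etc/letsencrypt/live/abcdef.ca/fullchain.pem

[renewalparams]
authenticator = manual
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample: manual plugin with a DNS auth hook configured.
# The hook path is a placeholder, not a script that exists anywhere.
SAMPLE_HOOKED_CONF = SAMPLE_MANUAL_CONF + "manual_auth_hook = /usr/local/bin/dns-auth-hook.sh\n"


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for a Certbot renewal file.

    Top-level `key = value` lines are stored under the "" section, lines after
    a [section] header under that name. Comments and blank lines are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def renew_problems(conf: Dict[str, Dict[str, str]], check_fs: bool = True) -> List[str]:
    """Reasons why a non-interactive `certbot renew` would skip this lineage."""
    params = conf.get("renewalparams", {})
    problems: List[str] = []
    if params.get("authenticator") != "manual":
        return problems  # apache/nginx/webroot/dns plugins renew on their own
    hook = params.get("manual_auth_hook", "")
    if not hook:
        problems.append(
            "authenticator = manual without manual_auth_hook: certbot renew "
            "will skip this certificate; re-issue it interactively or "
            "configure a DNS auth hook (or move to an API-backed DNS plugin)")
        return problems
    # The hook may be "script arg1 arg2"; the executable is the first token.
    exe = hook.split()[0]
    if check_fs and not (os.path.isfile(exe) and os.access(exe, os.X_OK)):
        problems.append(f"manual_auth_hook {exe} not found or not executable")
    return problems


def scan_renewal_dir(path: str = "/etc/letsencrypt/renewal") -> Dict[str, List[str]]:
    """Map each lineage name in the renewal directory to its list of problems."""
    report: Dict[str, List[str]] = {}
    for conf_path in sorted(glob.glob(os.path.join(path, "*.conf"))):
        with open(conf_path, encoding="utf-8") as fh:
            conf = parse_renewal_conf(fh.read())
        name = os.path.basename(conf_path)[: -len(".conf")]
        report[name] = renew_problems(conf)
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/renewal"
    failed = False
    for lineage, issues in scan_renewal_dir(target).items():
        print(f"{lineage}: {'WILL FAIL' if issues else 'ok'}")
        for issue in issues:
            print(f"    - {issue}")
            failed = True
    sys.exit(1 if failed else 0)
```

Run it as root (the renewal directory is not world-readable) before trusting the cron job; a non-zero exit means at least one lineage will be reported as a renew failure, as abcdef.ca was in the dry run above. The filesystem check for the hook is separate from the configuration check so the logic can be exercised on sample text without a real /etc/letsencrypt.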

Thank you. I have manually re-issued the certificate as per your instructions and it works.

You were right, Dyn wasn’t the DNS server. It was rebel. I will change my DNS server in order to automate it in the future.

Once again, thank you very much for your help.
