Certificate cannot be renewed automatically

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
backend.saletoeurope.com

I ran this command:
here I was generating a certificate
sudo certbot certonly \
--manual \
--preferred-challenges=dns \
--email abdulmelikambaw619@gmail.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--work-dir=. --config-dir=. --logs-dir=. \
--agree-tos \
-d backend.saletoeurope.com

It produced this output:
Saving debug log to /root/letsencrypt.log
Requesting a certificate for backend.saletoeurope.com


Please deploy a DNS TXT record under the name:

_acme-challenge.backend.saletoeurope.com.

with the following value:

C9j1NXf97MPPJGCNKNmXn79tT9r4IAVvHY8NyU7NPlo

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: Dig (DNS lookup).
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.


Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /root/live/backend.saletoeurope.com/fullchain.pem
Key is saved at: /root/live/backend.saletoeurope.com/privkey.pem
This certificate expires on 2024-07-13.
These files will be updated when the certificate renews.

NEXT STEPS:

  • This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu(22.04)

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0

The problem is that the output says the certificate cannot be renewed automatically,
but I want it to renew when I run
certbot renew

Then you either need to use a different authenticator than --manual or use scripts to add/remove the TXT automatically using hooks. See User Guide — Certbot 2.10.0 documentation for more information.

Every time the certificate gets renewed (60 days apart anyway), there would be a new TXT RR required. And currently you're doing that manually. So obviously that manual step can't be automated, as "manual" is literally the opposite of "automated". Therefore you need to have some way to add/remove the TXT RR automatically to also renew automatically.

I see your DNS provider is DigitalOcean. Certbot has a DNS authenticator plugin for that: Welcome to certbot-dns-digitalocean’s documentation! — certbot-dns-digitalocean 0 documentation. So using --manual is not required at all?

Also, you're not requesting a wildcard certificate and your hostname backend.saletoeurope.com is accessible using port 80 (nginx is listening). Why are you using the dns-01 plugin to begin with?

4 Likes
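
The hook route mentioned in the replies, sketched as an added example that is not part of the original thread or of certbot itself: one script serving as both `--manual-auth-hook` and `--manual-cleanup-hook` for a zone on DigitalOcean DNS. `DO_ZONE`, `DO_TOKEN_FILE`, the token path and the `auth`/`cleanup` arguments are assumptions of this sketch, and it expects `curl` and `jq` to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): used as --manual-auth-hook ("auth")
# and --manual-cleanup-hook ("cleanup"). DO_ZONE, DO_TOKEN_FILE and the
# token path are assumptions of this sketch; curl and jq must be installed.
DO_ZONE="${DO_ZONE:-saletoeurope.com}"
DO_TOKEN_FILE="${DO_TOKEN_FILE:-/root/.secrets/digitalocean-token}"
DO_API="https://api.digitalocean.com/v2/domains"

# Record name relative to the zone; rejects names outside the zone.
challenge_name() {
    domain=$1 zone=$2
    case "$domain" in
        "$zone")   echo "_acme-challenge" ;;
        *".$zone") echo "_acme-challenge.${domain%".$zone"}" ;;
        *)         echo "$domain is not in zone $zone" >&2; return 1 ;;
    esac
}

# True only if the token file exists with no group/other permission bits.
token_file_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# api METHOD PATH [JSON]. The token reaches curl on stdin (-K -), so it
# never appears in the process list.
api() {
    printf 'header = "Authorization: Bearer %s"\n' "$(cat "$DO_TOKEN_FILE")" |
        curl -fsS -K - -X "$1" -H "Content-Type: application/json" \
             ${3:+-d "$3"} "$DO_API/$DO_ZONE/records$2"
}

main() {
    set -eu
    token_file_is_private "$DO_TOKEN_FILE" ||
        { echo "$DO_TOKEN_FILE must not be group/world accessible" >&2; exit 1; }
    case "$1" in
    auth)     # certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION
        name=$(challenge_name "$CERTBOT_DOMAIN" "$DO_ZONE")
        body=$(jq -n --arg n "$name" --arg d "$CERTBOT_VALIDATION" \
                  '{type: "TXT", name: $n, data: $d, ttl: 60}')
        resp=$(api POST "" "$body")       # set -e aborts here on an API error
        printf '%s\n' "$resp" | jq -r '.domain_record.id'  # -> CERTBOT_AUTH_OUTPUT
        sleep 30 ;;                       # give the record time to propagate
    cleanup)  # keep digits only before the id goes into the URL
        api DELETE "/$(printf '%s' "${CERTBOT_AUTH_OUTPUT:-}" | tr -cd '0-9')" ;;
    *)  echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
}

# Do nothing unless certbot is the caller (it always sets CERTBOT_DOMAIN).
[ -z "${CERTBOT_DOMAIN:-}" ] || main "${1:-}"
```

Pass it to the original command as `--manual-auth-hook "/path/to/hook.sh auth" --manual-cleanup-hook "/path/to/hook.sh cleanup"`; certbot records the hooks in the renewal configuration, so a later `certbot renew` runs them without prompting.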
