Certificate renewal failed

Hey guys,

I just tried to renew our certificate using:

sudo letsencrypt renew

And got this:

Processing /etc/letsencrypt/renewal/example.com.conf

Cert is due for renewal, auto-renewing…

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)

Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/example.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/example.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

What can I do so it can be renewed?

Thanks

Hi @glossjorge

you have used --manual in your last command. So you can’t use renew if you don’t have a working script.

So use the previous complete command again - with --manual.

So if I run the full command without --manual “renew” alone should work, correct?

Then your command may not work.

But speculation isn't helpful. There is a standard template:

--

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Additional: Please share your config file.

But it did, I just ran:

sudo certbot certonly -i apache -d "*.example.com" -d example.com --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns

Edited my DNS record (This is what I’m trying to avoid Avery time I renew)

And it worked, I have a new certificate now, but the thing is, next time I have to renew, will it allow me to just run sudo letsencrypt renew?

That’s a wildcard certificate, so dns-01 validation is required. So you can’t switch to another validation method.

And dns-01 validation requires a new DNS TXT entry.

So if your domain provider doesn’t support an API and if you don’t have a working certbot plugin (which works with that API), you have to use --manual.

Yeah, it’s for multiple sites, all in the same domain, so a wildcard is much easier than a cert for each site.

Thanks for your help.

Nope, certbot renew is only for noninteractive renewals. Certificates created with --manual can't be renewed noninteractively unless you can create an authentication script to handle the DNS record creation.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.