Certificate renewal failed

Hey guys,

I just tried to renew our certificate using:

sudo letsencrypt renew

And got this:


Processing /etc/letsencrypt/renewal/example.com.conf


Cert is due for renewal, auto-renewing…

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)

Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/example.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/example.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

What can I do so it can be renewed?

Thanks

Hi @glossjorge

you have used --manual in your last command. So you can’t use renew if you don’t have a working script.

So use the previous complete command again - with --manual.

So if I run the full command without --manual “renew” alone should work, correct?

Then your command may not work.

But speculation isn't helpful. There is a standard template:

--

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Additional: Please share your config file.

But it did, I just ran:

sudo certbot certonly -i apache -d "*.example.com" -d example.com --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns

Edited my DNS record (This is what I’m trying to avoid Avery time I renew)

And it worked, I have a new certificate now, but the thing is, next time I have to renew, will it allow me to just run sudo letsencrypt renew?

That’s a wildcard certificate, so dns-01 validation is required. So you can’t switch to another validation method.

And dns-01 validation requires a new DNS TXT entry.

So if your domain provider doesn’t support an API and if you don’t have a working certbot plugin (which works with that API), you have to use --manual.

1 Like

Yeah, it’s for multiple sites, all in the same domain, so a wildcard is much easier than a cert for each site.

Thanks for your help.

Nope, certbot renew is only for noninteractive renewals. Certificates created with --manual can't be renewed noninteractively unless you can create an authentication script to handle the DNS record creation.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.