Certificate Renewal Help

Hello, I'm new to working on renewing a certificate. The person who was in charge of it before only provided me with the basics. Any help is appreciated.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ascella.bio

I ran this command: sudo certbot renew

It produced this output: Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

My web server is (include version): Ubuntu 20.04

The operating system my web server runs on is (include version): macOs 12.2.1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

This message means that, when you originally obtained your cert, you used manual mode. As the name suggests, manual mode isn't automatic, and automatic is what certbot expects to do for renewal. You'll need to reissue the cert the same way you originally issued it.

Hello @number, welcome to the Let's Encrypt community.

Using this online tool https://crt.sh/ here is a list of issued certificates for the domain name crt.sh | ascella.bio.
Recent issued certificates have been from C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA.
2022-09-22 was the last time a certificate for the domain was issued from Let's Encrypt.
We are here to help you, it does not matter that the recent certificates are not from Let's Encrypt.

Actually that is the Operating System that the web server is running on.
We are looking for something like Apache or nginx or one of the many other web servers.

Oh that's good to know. Is there a way to know how my certificate was originally issued? I was not the one who issued it originally.

Using this online tool SSL Server Test (Powered by Qualys SSL Labs) you can see the certificate currently being served as well as a plethora of other information SSL Server Test: ascella.bio (Powered by Qualys SSL Labs)

Yeah that is correct. The last one issued was from 2022-09-22, which is our domain. It just expired two weeks ago while we were on Christmas break. I think we are using nginx.

The contents of /etc/letsencrypt/renewal/[domain].conf may help here.

Looks like this certificate crt.sh | 7604078279 is a wildcard certificate.
7604078279 2022-09-22 2022-09-22 2022-12-21 *.ascella.bio *.ascella.bio C=US, O=Let's Encrypt, CN=R3

Which means it would have had to use the DNS-01 Challenge.

I see. Thank you for the information. So in order to make a renewal, I will need to use DNS-01 Challenge command?

I have tried this command
sudo certbot certonly --manual -d ascella.bio -d *.ascella.bio --preferred-challenges=dns
but I got this output

Challenge failed for domain ascella.bio
Challenge failed for domain ascella.bio
dns-01 challenge for ascella.bio
dns-01 challenge for ascella.bio
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: ascella.bio
  Type: dns
  Detail: DNS problem: NXDOMAIN looking up TXT for
  _acme-challenge.ascella.bio - check that a DNS record exists for
  this domain

  Domain: ascella.bio
  Type: dns
  Detail: DNS problem: NXDOMAIN looking up TXT for
  _acme-challenge.ascella.bio - check that a DNS record exists for
  this domain

Somewhere in the output it should have instructed you to create two DNS TXT records. You need to actually do that.

Can we back up a bit? Your website is hosted by wix and has a valid cert from Sectigo right now.

It looks like sometime in the past you used Cloudflare and perhaps your own server. We can see this from your cert history (link here).

Why do you think you need a new cert? You could be creating trouble where none exists.

I don't know wix personally but usually such "website builder" sites manage certs for you.

I don't know if this helps, but the person who did this before told me to use this command to renew the certificate. Apparently we are using amazon aws for it.

$ sudo docker run --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -e "AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXX" -e "AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXX/Db" certbot/dns-route53 renew

Oh I think you are looking at the wrong website. It should be ascella.bio from 09-22-2022 to 12-21-2022.

No, I am looking at your website. It is using the Sectigo cert that was issued Dec19.

What you are referring to is a cert. But, it is not currently being used by your website as far as I can tell. Use a site like this SSL Checker to see the cert your site is using:

Further, when I look at the HTTP response headers from your site it shows you are using a complex infrastructure. Even if you could get a new cert do you have any idea how you would update this infrastructure to use it?

I include this not for your benefit but for other volunteers so they are aware

curl -I https://www.ascella.bio

(numerous headers removed to focus on key parts)
HTTP/2 200
x-wix-request-id: 1672799835.955871817885619094
server-timing: cache;desc=hit, varnish;desc=hit, dc;desc=use1_g
server: Pepyaka/1.19.10
via: 1.1 google

www.ascella.bio and ascella.bio do not respond the same.
For one has www.ascella.bio Server: Pepyaka/1.19.10 and ascella.bio does not have a Server:

~$ curl -Ii http://www.ascella.bio/.well-known/acme-challenge/testfile
HTTP/1.1 404 Not Found
Date: Wed, 04 Jan 2023 03:47:43 GMT
Content-Length: 0
X-Seen-By: GXNXSWFXisshliUcwO20NZL9Lwun+M+7c/tw2Pto8/Ez7hJe1u/kpm5WH3xUpWa7,qquldgcFrj2n046g4RNSVCNKLVUKZM2R4KAWiM9xZWNYgeUJqUXtid+86vZww+nL,7EIX/IwEzpj2jL+X/Xh763Q0mrEjqTqRXSgZeumZ2SHoItXLP6J8VIGULVpBpkk8x2KLK5b6ULp+AyXxuP88wg==,osV03DUdKaEVOGwoQFgPYrIkDZCChYtTNUpj8Lg2BBw=,sQ19iEk473qMiaixh4sATp2ilnWUU8kwXPI7BKd5ZCo=
X-Wix-Request-Id: 1672804063.885671542172625795
set-cookie: XSRF-TOKEN=1672804063|qpvpZWqHA3Zi; Path=/; Domain=www.ascella.bio; Secure; SameSite=None
X-Content-Type-Options: nosniff
Server: Pepyaka/1.19.10
Via: 1.1 google

$ curl -Ii http://ascella.bio/.well-known/acme-challenge/testfile
HTTP/1.1 404 Not Found
Date: Wed, 04 Jan 2023 03:47:50 GMT
Content-Length: 0
Connection: keep-alive
X-Seen-By: Qizr2MOzfO8jjTBKBVmOj6nPWIDxfKj16yM6xXYJ3IE=,GXNXSWFXisshliUcwO20Naon851uhK6HRsxREnrEO9asn5WjbOcu3V3y9B6sMFtNmuOkfcTSJaUOHlD2KQbqrA==,m0j2EEknGIVUW/liY8BLLjYvXQYrV/LrhbkNY01ADWAG/hKs8AeY1T4OIbgnD+yx,qYxvFa0bBL43z6b6TutC4XqIvTlAqKXCf5rY20IGqPoOIv81siZFFg8Zg0+ti17j3dT2lz3jDH0E2kbcncLNRQ==,R8nVwPJv9QJL1m78OROO+KZuL85TFI08BXLfrpO9Kg4=,ha2BjfnpoaWsa89DnyiXUKuifEqMgF2rcHnn3iXwIMlYgeUJqUXtid+86vZww+nL
X-Wix-Request-Id: 1672804070.1374828262973425195
set-cookie: XSRF-TOKEN=1672804070|VLjrhSMjeyF1; Path=/; Domain=ascella.bio; Secure; SameSite=None
X-Content-Type-Options: nosniff
Set-Cookie: TS01e85bed=01b84e286aec3bb584f420dd4c68d2b81bc8d58d35ee553951835a1e10e6b094e35b704a446253f27225000af831aad989cd992d59; Path=/; SameSite=none; Secure
Set-Cookie: TS01efa317=01b84e286adcbb112c044f4e25b644223aa4cef99eee553951835a1e10e6b094e35b704a44ad4dfe514b2f60a35c5df16aa3c0e119783431bb97243a298006285bb93e781c; path=/; domain=ascella.bio; SameSite=none; Secure

nmap differences as well

$ nmap ascella.bio
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-04 03:46 UTC
Nmap scan report for ascella.bio (185.230.63.171)
Host is up (0.019s latency).
Other addresses for ascella.bio (not scanned): 185.230.63.107 185.230.63.186
rDNS record for 185.230.63.171: unalocated.63.wixsite.com
Not shown: 992 closed ports
PORT    STATE    SERVICE
25/tcp  filtered smtp
80/tcp  open     http
82/tcp  open     xfer
83/tcp  open     mit-ml-dev
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds

$ nmap www.ascella.bio
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-04 03:46 UTC
Nmap scan report for www.ascella.bio (199.15.163.148)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.92 seconds

That's interesting how the HTTP Challenge URL's are handled. I think this is all still wix infrastructure.

Their best place to ask about their site is from wix support.

nslookup www.ascella.bio

www.ascella.bio canonical name = gcdn0.wixdns.net.
gcdn0.wixdns.net        canonical name = td-ccm-168-233.wixdns.net.
Name:   td-ccm-168-233.wixdns.net
Address: 34.117.168.233

nslookup ascella.bio

Address: 185.230.63.171
Address: 185.230.63.186
Address: 185.230.63.107

dig +noall +answer -x 185.230.63.171
71.63.230.185.in-addr.arpa. 68 IN      PTR     unalocated.63.wixsite.com.

Note: "normal" website requests all redirect from apex to www

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.