Certificates can be updated even with a nonsensical manual-auth-hook script

I will try to renew certificates with Certbot, but don’t understand what manual-auth-hook should be used.

If the manual-auth-hook script is a nonsensical command, certificates can be renewed with it.

I have a question.
・Why is it possible to renew the certificate even with manual-auth-hook, which obviously does not work?
・When is a normal manual-auth-hook necessary?

Thanks.


My domain is:
*.ken2.smartdb.jp

I ran this command:

certbot certonly --manual \
--server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
-d *.mydomain.jp \
-d mydomain.jp \
-m my@mailaddr.jp \
--agree-tos \
--manual-public-ip-logging-ok

Then

certbot renew --force-renewal --manual-auth-hook "echo abcd"

It produced this output:
(certbot certonly)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ken2.smartdb.jp
dns-01 challenge for ken2.smartdb.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ken2.smartdb.jp with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ken2.smartdb.jp with the following value:

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ken2.smartdb.jp/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ken2.smartdb.jp/privkey.pem
   Your cert will expire on 2020-10-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

(certbot renew)

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ken2.smartdb.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ken2.smartdb.jp/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ken2.smartdb.jp/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
(Use the generated certificate on another web server.)
The operating system my web server runs on is (include version):

# uname -a
Linux 96d27eaf7902 4.19.76-linuxkit #1 SMP Tue May 26 11:42:35 UTC 2020 x86_64 Linux
# cat /etc/issue 
Welcome to Alpine Linux 3.11
Kernel \r on an \m (\l)

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I don’t know.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

# certbot --version
certbot 1.0.0

It is probably due to authorization reuse/caching on your Let’s Encrypt account - Let’s Encrypt does not force you to repeat authorizations for the same domains for some period of time (~30d, subject to change). Instead, it skips the authorization bit and proceeds immediately to issuing the certificate.

If you want to make sure that your authorizations are fresh and your hooks are tested properly, use --dry-run. It will also prevent you from blowing your rate limits and wasting Let’s Encrypt’s resources.

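The thread turns on two points: a hook that does nothing still "works" while the account's authorizations are cached, and `--dry-run` is the way to exercise the hook for real. The script below is an added example, not code from the thread or from Certbot, showing what a dns-01 `--manual-auth-hook` has to do once Certbot actually needs a fresh authorization. `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables Certbot exports to the hook; `DEPLOY_TXT` (the provider API call) and `LOOKUP_TXT` (the resolver query) are assumed placeholders that a real deployment replaces. It validates the value before publishing it and refuses to return until the record is visible, so Certbot never asks the CA to validate a record that is not there.

```shell
#!/bin/sh
# Added example (not from the thread): skeleton dns-01 manual-auth-hook for
# Certbot. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.
# DEPLOY_TXT and LOOKUP_TXT are hypothetical placeholders to be replaced.
set -u

# Hypothetical provider call: publish TXT record $1 with value $2.
# The default only logs, so the script is inert until a real client is wired in.
deploy_txt_placeholder() {
    echo "would publish TXT $1 = \"$2\"" >&2
}

# Resolver query: print the TXT values currently served for $1.
# Uses dig if available; a CI harness can point LOOKUP_TXT at a stub instead.
lookup_txt_dig() {
    dig +short TXT "$1" 2>/dev/null | tr -d '"'
}

DEPLOY_TXT=${DEPLOY_TXT:-deploy_txt_placeholder}
LOOKUP_TXT=${LOOKUP_TXT:-lookup_txt_dig}
WAIT_ATTEMPTS=${WAIT_ATTEMPTS:-12}
WAIT_SECONDS=${WAIT_SECONDS:-10}

# Record name the CA resolves. Certbot already passes the bare name for a
# wildcard (the thread shows two challenges for ken2.smartdb.jp), but a
# leading "*." is stripped defensively in case the hook is driven by hand.
txt_record_name() {
    d=$1
    case "$d" in
        \*.*) d=${d#\*.} ;;
    esac
    printf '_acme-challenge.%s\n' "$d"
}

# dns-01 validation values are 43 chars of unpadded base64url (a SHA-256).
# Rejecting anything else keeps a mis-set variable from being published.
valid_validation() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# Poll until the published value is visible, or fail so Certbot aborts
# instead of asking the CA to validate a record that has not propagated.
wait_for_txt() {
    name=$1 want=$2 i=0
    while [ "$i" -lt "$WAIT_ATTEMPTS" ]; do
        if "$LOOKUP_TXT" "$name" | grep -Fxq -- "$want"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$WAIT_SECONDS"
    done
    echo "TXT $name never showed the expected value after $WAIT_ATTEMPTS attempts" >&2
    return 1
}

# What Certbot runs: validate input, publish, wait for propagation.
auth_hook() {
    name=$(txt_record_name "$CERTBOT_DOMAIN")
    if ! valid_validation "$CERTBOT_VALIDATION"; then
        echo "refusing to publish malformed validation value" >&2
        return 1
    fi
    "$DEPLOY_TXT" "$name" "$CERTBOT_VALIDATION" || return 1
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

# Act as a hook only when Certbot has set its variables.
if [ "${CERTBOT_DOMAIN:-}" ] && [ "${CERTBOT_VALIDATION:-}" ]; then
    auth_hook
fi
```

Pair it with a `--manual-cleanup-hook` that removes the record, and run `certbot renew --dry-run --manual-auth-hook ./hook.sh --manual-cleanup-hook ./cleanup.sh` against the staging environment: the dry run does not reuse cached authorizations, so a hook that only echoes will fail there, which is exactly the signal missing from the `echo abcd` renewal in the question.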


I understand that I need to authenticate again for my domain if at least 30 days have passed since I ran the certonly command.
Thank you, _az!
