Choose N when I was asked to agree with your IP being logged

sudo certbot certonly --cert-name weeby.store --manual --preferred-challenges dns -d "weeby.store,*.weeby.store"
Saving debug log to /var/log/letsencrypt/letsencrypt.log


You are updating certificate weeby.store to include new domain(s):

  • weeby.store

You are also removing previously included domain(s):
(None)

Did you intend to make this change?


(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for weeby.store and *.weeby.store

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/weeby.store/fullchain.pem
Key is saved at: /etc/letsencrypt/live/weeby.store/privkey.pem
This certificate expires on 2021-10-04.
These files will be updated when the certificate renews.

NEXT STEPS:

  • This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

If you like Certbot, please consider supporting our work by:


2 Likes

You didn't need to deploy the two TXT records because your ACME account already had cached valid authorizations for both weeby.store and *.weeby.store from the other certificates you've had issued in the last 30 days.

You can see your new certificate here:

https://crt.sh/?id=4821380707

2 Likes

What's the output of:

sudo certbot certificates

2 Likes

Excellent @griffin

still, when visiting any new subdomain , get the warning message (this connection is not private)

2 Likes

You need to reload apache:

sudo apachectl -k graceful

3 Likes

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: weeby.store-0001
Serial Number: 3e94a8aab6f841ad1b9b873ece4a47bb295
Key Type: RSA
Domains: weeby.store
Expiry Date: 2021-10-04 16:20:39+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/weeby.store-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/weeby.store-0001/privkey.pem
Certificate Name: weeby.store
Serial Number: 48ebc723aaf48b150c45540725117087bbc
Key Type: RSA
Domains: weeby.store *.weeby.store
Expiry Date: 2021-10-04 17:14:02+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/weeby.store/fullchain.pem
Private Key Path: /etc/letsencrypt/live/weeby.store/privkey.pem

the one named weeby.store is the last obtained one (from your help)

the one included in my apache are:

SSLCertificateFile /etc/letsencrypt/live/weeby.store-0001/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/weeby.store-0001/privkey.pem

Include /etc/letsencrypt/options-ssl-apache.conf

should replace them ?

2 Likes

Yes, remove the -0001 in your apache ssl directives in all of your configuration files.

Then run these:

sudo apachectl -k graceful

sudo certbot delete --cert-name weeby.store-0001
3 Likes

should I revoke this one to just delete it ?

2 Likes

Don't ever revoke a certificate unless its private key has been or would be compromised! Just using the delete command I gave is fine.

2 Likes

@griffin

you have totally fixed and solved my issue !!! I don't know how to thank you

but thank you so much for your time and support :slightly_smiling_face: God bless you

thank you @griffin @rg305

4 Likes

You are quite welcome! :blush:

Good luck and Godspeed with your endeavor! :pray:

4 Likes

It might already be clear to you, but this warning refers to a transparency feature in Let's Encrypt that was never actually implemented, so it was belatedly removed in later Certbot versions.

The idea is that Let's Encrypt briefly considered publishing its log files related to certificate requests, which include the IP address from which the certificate was requested. Some fraction of early --manual users were running Certbot on their own personal computers rather than on their dedicated web servers, and this warning related to a concern that people might be surprised when their personal computers' IP addresses turned up in the certificate request log files.

As it turned out, Let's Encrypt ended up choosing not to publicly post its certificate request and challenge validation logs. (Issued certificates, but not the IP addresses from which they were requested, are all published in Certificate Transparency.) Also, most people using --manual today are using it for wildcard certificates—like yours—and typically running on their dedicated web servers rather than home PCs. So this warning message was never really helpful or relevant in practice.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Hello @griffin

Thank you for reopening the topic

I have tried to renew the certificate , and it gives the following error:

sudo certbot renew -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/weeby.store.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Failed to renew certificate weeby.store with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/weeby.store/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
2 Likes

You cannot use the renew command with the manual authenticator unless you specify --manual-auth-hook and --manual-cleanup-hook parameters:

https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

You can renew manually though:

sudo certbot certonly --cert-name weeby.store --manual --preferred-challenges dns -d "weeby.store,*.weeby.store" --deploy-hook "apachectl -k graceful"

3 Likes

thank you @griffin

it has been renewed , for automatic renewal , I can see it requires the use of authentication hook script

as it says

NEXT STEPS:

- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

for this , where I can get the script from?

3 Likes

Usually it's much easier to use a DNS plugin that matches your DNS provider rather than hooks with the manual authenticator:

https://certbot.eff.org/docs/using.html#dns-plugins

3 Likes

It's highly unlikely that an off-the-shelf script exists that exactly does what you did manually. It really depends on your situation.

4 Likes