Difficulty in renewing letsencrypt certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bestcash.me

I ran this command: certbot renew
also certbot renew --cert-name bestcash.me --apache
It produced this output:
Processing /etc/letsencrypt/renewal/chronocash.me.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bestcash.me/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/chronocash.me/fullchain.pem expires on 2020-08-20 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bestcash.me/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0-1


I’m pretty sure the output of certbot contains more information than that. Or look in letsencrypt.log if that’s not the case and post it here. Without the actual error message from the Let’s Encrypt validation server, it’s just a matter of guessing.

Also: is the --apache option really required? If you previously got the certificate in the first place with the apache plugin, it isn’t necessary to add it again to the command line.


2020-05-24 15:00:30,074:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/disco.py", line 132, in prepare
    self.initialized.prepare()
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 133, in prepare
    self.option_name('auth-hook')))
certbot.errors.PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
2020-05-24 15:00:30,075:DEBUG:certbot.plugins.selection:No candidate plugin
2020-05-24 15:00:30,075:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2020-05-24 15:00:30,075:INFO:certbot.main:Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
2020-05-24 15:00:30,075:WARNING:certbot.renewal:Attempting to renew cert (bestcash.me) from /etc/letsencrypt/renewal/bestcash.me.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
2020-05-24 15:00:30,076:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1187, in renew_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 237, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 341, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

2020-05-24 15:00:30,077:INFO:certbot.storage:Attempting to parse the version 0.36.0 renewal configuration file found at /etc/letsencrypt/renewal/chronocash.me.conf with version 0.31.0 of Certbot. This might not work.
2020-05-24 15:00:30,079:INFO:certbot.renewal:Cert not yet due for renewal
2020-05-24 15:00:30,079:DEBUG:certbot.plugins.selection:Requested authenticator dns-ovh and installer None
2020-05-24 15:00:30,079:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-05-24 15:00:30,079:ERROR:certbot.renewal: /etc/letsencrypt/live/bestcash.me/fullchain.pem (failure)
2020-05-24 15:00:30,080:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Please tell us what you did to get the certificate the first time.

Also show us this file:

/etc/letsencrypt/renewal/bestcash.me.conf

It looks like you used the manual plugin, and that doesn’t support automatic renewals.

You should probably get a new certificate using another plugin.


# renew_before_expiry = 30 days
version = 0.36.0
archive_dir = /etc/letsencrypt/archive/bestcash.me
cert = /etc/letsencrypt/live/bestcash.me/cert.pem
privkey = /etc/letsencrypt/live/bestcash.me/privkey.pem
chain = /etc/letsencrypt/live/bestcash.me/chain.pem
fullchain = /etc/letsencrypt/live/bestcash.me/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
account = d0f3d0da79f5afca8fcd8843bfaccabb
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

eh, this doesn’t work with certbot renew.

you have three options:

  • use certbot renew --debug-challenges and set up the appropriate challenge
  • re-run the command you used the first time
  • get a new certificate using another authentication plugin (using whatever challenge you need/want). I’d go for this one, as the first two will put you in the same situation every three months; this should get you automatic renewals.

thank you for your promptness to answer me, but can you help me with the last option that you proposed?

there are too many options for me to tell you what to do.

choose one authenticator plugin (an appropriate one) and then read how it works.
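
The condition diagnosed in this thread (a renewal file with authenticator = manual and no auth hook, which certbot renew cannot complete unattended) can be checked for before a certificate expires. The following is an added example, not part of any post above and not Certbot's own code; the sample file contents are constructed, and it assumes Certbot records --manual-auth-hook in the renewal file under the key manual_auth_hook.

```python
import configparser
from pathlib import Path

# Constructed sample, modelled on the renewal file posted in the thread.
SAMPLE_MANUAL = """\
# renew_before_expiry = 30 days
version = 0.36.0
archive_dir = /etc/letsencrypt/archive/example.com

# Options used in the renewal process
[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
"""

def renewal_params(text):
    """Return the [renewalparams] section of a renewal file as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    # Renewal files put keys before any section header; configparser
    # requires a section, so prepend a dummy one for those keys.
    parser.read_string("[lineage]\n" + text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])

def check_lineage(text):
    """Classify one renewal file: 'ok', 'manual-no-hook' or 'no-authenticator'."""
    params = renewal_params(text)
    auth = params.get("authenticator", "").strip()
    if auth in ("", "None"):
        return "no-authenticator"
    hook = params.get("manual_auth_hook", "").strip()
    if auth == "manual" and hook in ("", "None"):
        # Same state as in the thread: renew has no way to answer the challenge.
        return "manual-no-hook"
    return "ok"

def audit(renewal_dir="/etc/letsencrypt/renewal"):
    """Map each lineage name under renewal_dir to its classification."""
    return {conf.stem: check_lineage(conf.read_text())
            for conf in sorted(Path(renewal_dir).glob("*.conf"))}

if __name__ == "__main__":
    print("constructed sample:", check_lineage(SAMPLE_MANUAL))
    for name, status in audit().items():
        print(f"{name}: {status}")
```

Run from cron or a monitoring job, any lineage reported as manual-no-hook is one that will fail at renewal time unless it is reissued with another authenticator or given a hook.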
