Dry run certificate renewal


#1

successfully got a certificate using this command:
sudo certbot -d site.your.dom.ain --manual --preferred-challenges dns certonly
using apache and successful website browsing using https

how do i renew it?
i tried to do a cert renewal dry run
i tried sudo certbot renew --dry-run but it failed

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (xx.DOMAIN…xx) from /etc/letsencrypt/renewal/xx.DOMAIN…xx.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xx.DOMAIN…xx/fullchain.pem (failure)

thanks…


#2

Since you used --manual the default renewal method will also be “manual”.
And since your cert challenge was via DNS, you will need to follow the onscreen prompts or provide a --manual-auth-hook that can use a DNS plugin to update your DNS zone.
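To make the --manual-auth-hook idea concrete, here is an added example hook script (not from the thread and not part of certbot itself). Certbot runs the hook once per domain before asking the CA to validate, and exports CERTBOT_DOMAIN and CERTBOT_VALIDATION into its environment; the script computes the _acme-challenge TXT name, publishes the value, and only returns once a public resolver actually serves it, so the renewal does not fail on DNS propagation. The publish_txt function is a placeholder for whatever DNS-provider API or nsupdate call you use, and the hook path /etc/letsencrypt/manual-dns-hook.sh is an assumption.

```shell
#!/bin/sh
# Added example: a certbot --manual-auth-hook for DNS-01 challenges.
# Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before running the hook.
# The DNS update itself is a placeholder (publish_txt); the propagation wait is real.
set -eu

# Name of the TXT record the CA will query for a given domain.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Placeholder: replace the body with your DNS provider's API call or an
# nsupdate invocation. It must create TXT "$1" with value "$2".
publish_txt() {
    echo "TODO: publish TXT $1 -> $2 via your DNS provider" >&2
    return 1
}

# Poll a public resolver until the TXT record carries the expected value.
# $3 bounds the number of attempts (5 s apart); returns 1 if it never shows up.
wait_for_txt() {
    name=$1
    expected=$2
    tries=${3:-24}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" @1.1.1.1 2>/dev/null | grep -qx "\"$expected\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    return 1
}

# Hook entry point: fail loudly if certbot did not supply its variables,
# and fail (non-zero exit) if the record is not visible, so the renewal
# aborts before the CA is asked to validate.
hook_main() {
    : "${CERTBOT_DOMAIN:?certbot did not set CERTBOT_DOMAIN}"
    : "${CERTBOT_VALIDATION:?certbot did not set CERTBOT_VALIDATION}"
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    if ! wait_for_txt "$name" "$CERTBOT_VALIDATION"; then
        echo "TXT record $name not visible in public DNS" >&2
        return 1
    fi
}

# Only run the hook when invoked by certbot (the variables are present);
# sourcing the file for testing leaves the functions defined without side effects.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    hook_main
fi
```

With the hook saved at the assumed path and made executable, the non-interactive renewal the error message asks for becomes sudo certbot renew --manual-auth-hook /etc/letsencrypt/manual-dns-hook.sh --dry-run; a matching --manual-cleanup-hook that deletes the TXT record afterwards keeps the zone tidy. The propagation check matters because a hook that returns as soon as the API call succeeds is the usual cause of intermittent DNS-01 failures.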


#3

To expand on that, when you use --manual the certbot renew method doesn’t work because it only supports unattended, noninteractive renewal. To interactively renew a certificate that was obtained with certonly --manual, you should rerun the original certonly command.


#4

thanks schoen…

could i do a dry-run for this command?
sudo certbot -d site.your.dom.ain --manual --preferred-challenges dns certonly

even though the certificates are not yet expiring?


#5

Sort of. Not as easily. You can’t use certbot renew to do it, but you can run something similar.

You could run the command to create a certificate with “--duplicate” and “--staging” added. This would create a fake staging certificate, but save it like a real certificate. (It would be renewed two months from now and everything.)

sudo certbot certonly --duplicate --manual --preferred-challenges dns --staging -d site.your.dom.ain

It would probably be saved with the name site.your.dom.ain-0001, and you could then delete it with:

sudo certbot delete --cert-name site.your.dom.ain-0001

Don’t go deleting random certificates without checking the name, though – it’s shown in the file paths when creating the certificate, or by running:

sudo certbot certificates


#6

I think you can, just by adding --dry-run, somewhat contrary to what @mnordhoff suggested.