Dry run certificate renewal

Successfully got a certificate using this command:
sudo certbot -d site.your.dom.ain --manual --preferred-challenges dns certonly
using Apache, and successful website browsing using HTTPS.

How do I renew it?
I tried to do a cert renewal dry run.
I tried sudo certbot renew --dry-run but it failed:

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (xx.DOMAIN…xx) from /etc/letsencrypt/renewal/xx.DOMAIN…xx.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xx.DOMAIN…xx/fullchain.pem (failure)

Thanks…

Since you used --manual, the default renewal method will also be "manual".
And since your cert challenge was via DNS, you will need to follow the onscreen prompts or provide a --manual-auth-hook that can use a DNS plugin to update your DNS zone.
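
An added example of the --manual-auth-hook route mentioned in the reply above (my own script, not certbot's code and not posted by anyone in this thread): one POSIX shell script that serves as both the auth hook and the cleanup hook for certbot's manual DNS-01 challenge, publishing the _acme-challenge TXT record with nsupdate (RFC 2136 dynamic update). It assumes a TSIG key at /etc/letsencrypt/tsig.key, a zone primary that accepts updates from this host, and that 30 seconds is enough for the record to become visible; the file path /etc/letsencrypt/acme-dns-hook.sh is likewise an assumption. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the environment variables certbot sets before running the hook.

```shell
#!/bin/sh
# Added example, not code from certbot or from any poster in the thread:
# a combined --manual-auth-hook / --manual-cleanup-hook for certbot's manual
# DNS-01 challenge, using nsupdate (RFC 2136). Assumptions: TSIG key at
# /etc/letsencrypt/tsig.key, a zone primary accepting updates from this host,
# and a 30-second propagation wait.
#
# Usage (the script path is an assumption):
#   sudo certbot certonly --manual --preferred-challenges dns \
#        --manual-auth-hook    '/etc/letsencrypt/acme-dns-hook.sh auth' \
#        --manual-cleanup-hook '/etc/letsencrypt/acme-dns-hook.sh cleanup' \
#        -d site.your.dom.ain
# certbot records both hooks in /etc/letsencrypt/renewal/<name>.conf, so
# "certbot renew" (and "certbot renew --dry-run") then work non-interactively.
set -eu

TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"
TTL=60
PROPAGATION_SECONDS=30

# The record name ACME looks up for a DNS-01 challenge on $1.
acme_txt_name() {
    printf '_acme-challenge.%s.' "$1"
}

# CERTBOT_VALIDATION is base64url, so anything outside that alphabet is not a
# value certbot produced; refuse it rather than splice it into an nsupdate batch.
check_validation() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Emit the nsupdate batch that adds or deletes the challenge record.
# Generation is kept separate from sending so the batch can be inspected
# (or tested) without talking to a DNS server.
nsupdate_batch() {
    action="$1"; domain="$2"; value="$3"
    name=$(acme_txt_name "$domain")
    if [ "$action" = add ]; then
        printf 'update add %s %s IN TXT "%s"\nsend\n' "$name" "$TTL" "$value"
    else
        printf 'update delete %s IN TXT "%s"\nsend\n' "$name" "$value"
    fi
}

main() {
    mode="$1"
    # Both variables are exported by certbot's manual plugin before a hook runs.
    domain="${CERTBOT_DOMAIN:?CERTBOT_DOMAIN not set; run this as a certbot hook}"
    value="${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set; run this as a certbot hook}"
    check_validation "$value" || { echo "unexpected validation token" >&2; exit 1; }
    case "$mode" in
        auth)
            nsupdate_batch add "$domain" "$value" | nsupdate -k "$TSIG_KEY"
            # --manual has no propagation-delay option, so the hook must wait itself.
            sleep "$PROPAGATION_SECONDS"
            ;;
        cleanup)
            nsupdate_batch delete "$domain" "$value" | nsupdate -k "$TSIG_KEY"
            ;;
        *)
            echo "usage: $0 auth|cleanup" >&2; exit 2
            ;;
    esac
}

# Only act when certbot is invoking us (it sets CERTBOT_DOMAIN); loading the
# file elsewhere just defines the functions above.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main "${1:-auth}"
fi
```

The batch generator is split from the nsupdate call deliberately: you can run `CERTBOT_DOMAIN=site.your.dom.ain CERTBOT_VALIDATION=test sh -c '. ./acme-dns-hook.sh; nsupdate_batch add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"'` to see exactly what would be sent before trusting the hook with a real renewal.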

To expand on that, when you use --manual, the certbot renew method doesn’t work because it only supports unattended, noninteractive renewal. To interactively renew a certificate that was obtained with certonly --manual, you should rerun the original certonly command.

Thanks schoen…

Could I do a dry run for this command?
sudo certbot -d site.your.dom.ain --manual --preferred-challenges dns certonly

even though the certificates are not yet expiring?

Sort of. Not as easily. You can’t use certbot renew to do it, but you can run something similar.

You could run the command to create a certificate with “--duplicate” and “--staging” added. This would create a fake staging certificate, but save it like a real certificate. (It would be renewed two months from now and everything.)

sudo certbot certonly --duplicate --manual --preferred-challenges dns --staging -d site.your.dom.ain

It would probably be saved with the name site.your.dom.ain-0001, and you could then delete it with:

sudo certbot delete --cert-name site.your.dom.ain-0001

Don’t go deleting random certificates without checking the name, though – it’s shown in the file paths when creating the certificate, or by running:

sudo certbot certificates
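
An added example for the clean-up step in the reply above (my own script, not from the thread or from certbot): before running certbot delete on the duplicate lineage, confirm that the leaf certificate under that name was really issued by the Let's Encrypt staging CA, so a mistyped name cannot remove the production certificate. It assumes certbot's default /etc/letsencrypt/live layout and that openssl is installed; the script name delete-staging-dup.sh is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot: delete the lineage
# created by "certbot certonly --duplicate --staging ..." only after checking
# that its certificate came from the staging CA. Assumes the default
# /etc/letsencrypt/live layout and an installed openssl.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Staging issuers carry "(STAGING)" in their subject (e.g. "(STAGING) Artificial
# Apricot R3"); the older staging intermediate was "Fake LE Intermediate X1".
# Production issuers (R3, E1, ...) match neither pattern.
is_staging_issuer() {
    case "$1" in
        *"(STAGING)"*|*"Fake LE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Issuer DN of the lineage's current leaf certificate, as printed by openssl.
issuer_of() {
    openssl x509 -in "$LIVE_DIR/$1/cert.pem" -noout -issuer
}

# Delete the lineage only if it is a staging certificate; fail otherwise.
delete_if_staging() {
    name="$1"
    issuer=$(issuer_of "$name")
    if is_staging_issuer "$issuer"; then
        echo "deleting staging lineage $name ($issuer)"
        certbot delete --cert-name "$name"
    else
        echo "refusing to delete $name: not issued by the staging CA ($issuer)" >&2
        return 1
    fi
}

# Usage: sudo ./delete-staging-dup.sh site.your.dom.ain-0001
if [ $# -gt 0 ]; then
    delete_if_staging "$1"
fi
```

Run it with the name printed by `sudo certbot certificates` (the -0001 lineage from the --duplicate run); if you pass the production name by mistake the issuer check fails and nothing is deleted.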

I think you can, just by adding --dry-run, somewhat contrary to what @mnordhoff suggested.

