Error renewing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: shop.ticketservice.shop

I ran this command:
certbot renew

It produced this output:


Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (ticketservice.shop-0002) from /etc/letsencrypt/renewal/ticketservice.shop-0002.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (ticketservice.shop) from /etc/letsencrypt/renewal/ticketservice.shop.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ticketservice.shop-0002/fullchain.pem (failure)
  /etc/letsencrypt/live/ticketservice.shop/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ticketservice.shop-0001/fullchain.pem expires on 2022-12-05 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ticketservice.shop-0002/fullchain.pem (failure)
  /etc/letsencrypt/live/ticketservice.shop/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

My web server is (include version):

NGINX

The operating system my web server runs on is (include version):

UBUNTU 20

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

That's a red flag for me - something has gone wrong (more than once).

Please show the output of:
certbot certificates

3 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ticketservice.shop-0001
    Domains: ticketservice.shop
    Expiry Date: 2022-12-05 09:46:41+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/ticketservice.shop-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ticketservice.shop-0001/privkey.pem
  Certificate Name: ticketservice.shop-0002
    Domains: *.ticketservice.shop
    Expiry Date: 2022-10-02 05:59:33+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/ticketservice.shop-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ticketservice.shop-0002/privkey.pem
  Certificate Name: ticketservice.shop
    Domains: *.ticketservice.shop
    Expiry Date: 2022-10-02 05:59:33+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/ticketservice.shop/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ticketservice.shop/privkey.pem

1 Like

Besides the duplicate certificates, please read the documentation about the manual plugin here: User Guide — Certbot 1.30.0 documentation. Especially the part about renewing.

4 Likes

I can see that the 0001 certificate is valid, but I think it's loading the 0002. How can I change that?

Check within your nginx config.
grep -Ri ticketservice /etc/nginx

2 Likes
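
Added example, not part of any post in this thread: the grep check above, narrowed to nginx ssl_certificate directives that point at a lineage which certbot certificates reports as INVALID. The function names and the nginx site file are constructed for illustration; the certbot output is abridged from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find nginx ssl_certificate directives
# that still point at a lineage `certbot certificates` reports as INVALID.

# Read `certbot certificates` output on stdin; print the Certificate Path of
# every lineage whose Expiry Date line is marked INVALID.
expired_cert_paths() {
    awk '/Expiry Date:/      { bad = ($0 ~ /INVALID/) }
         /Certificate Path:/ { if (bad) print $3; bad = 0 }'
}

# stale_nginx_refs CERTBOT_OUTPUT_FILE NGINX_DIR
# Print file:line:directive for each active (uncommented) ssl_certificate
# directive under NGINX_DIR that names an expired fullchain.pem.
stale_nginx_refs() {
    paths=$(expired_cert_paths < "$1")
    [ -n "$paths" ] || return 0
    grep -rnE '^[[:space:]]*ssl_certificate[[:space:]]' "$2" |
        grep -F -e "$paths" || return 0
}

# Constructed demo: certbot output abridged from the thread, plus a
# hypothetical nginx site file that references the expired lineage.
demo() {
    d=$(mktemp -d) && mkdir "$d/nginx" || return 1
    cat > "$d/certs.txt" <<'EOF'
  Certificate Name: ticketservice.shop-0001
    Domains: ticketservice.shop
    Expiry Date: 2022-12-05 09:46:41+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/ticketservice.shop-0001/fullchain.pem
  Certificate Name: ticketservice.shop-0002
    Domains: *.ticketservice.shop
    Expiry Date: 2022-10-02 05:59:33+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/ticketservice.shop-0002/fullchain.pem
EOF
    cat > "$d/nginx/shop.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/ticketservice.shop-0002/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ticketservice.shop-0002/privkey.pem;
}
EOF
    (cd "$d/nginx" && stale_nginx_refs ../certs.txt .)
    rm -rf "$d"
}

demo
```

On a live host the equivalent call would be: certbot certificates > /tmp/certs.txt, then stale_nginx_refs /tmp/certs.txt /etc/nginx.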

If you want to use the manual plugin, you have to run the same commands you did when you got the certificate the first time, as certbot renew is meaningless when using the manual plugin.

I would advise using another plugin: apache, nginx, webroot, standalone, and several for many DNS providers.

2 Likes
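
Added example, not part of any post in this thread: the PluginError in the renew output appears when a lineage's renewal config uses the manual authenticator and has no auth hook, so this sketch lists the lineages under a renewal directory that certbot renew would skip for that reason. The function names and sample config files are constructed; treating a value of None as unset is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): flag certbot renewal configs that use
# the manual authenticator without a manual_auth_hook, i.e. the lineages that
# `certbot renew` cannot renew unattended.

# manual_without_hook RENEWAL_DIR
# Print the lineage name of each *.conf whose authenticator is "manual" and
# which sets no manual_auth_hook (empty or "None" is treated as unset;
# that treatment is an assumption of this example).
manual_without_hook() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        awk -F'[ \t]*=[ \t]*' '
            { sub(/[ \t\r]+$/, "") }          # drop trailing blanks / CR
            $1 == "authenticator"    { auth = $2 }
            $1 == "manual_auth_hook" && $2 != "" && $2 != "None" { hook = 1 }
            END { exit !(auth == "manual" && !hook) }
        ' "$conf" && basename "$conf" .conf
    done
    return 0
}

# Constructed demo: three hypothetical renewal configs in a temp directory.
demo_renewal_audit() {
    d=$(mktemp -d) || return 1
    printf '[renewalparams]\nauthenticator = manual\npref_challs = dns-01,\n' \
        > "$d/wildcard.example.conf"
    printf '[renewalparams]\nauthenticator = manual\nmanual_auth_hook = /usr/local/bin/dns-auth.sh\n' \
        > "$d/hooked.example.conf"
    printf '[renewalparams]\nauthenticator = nginx\ninstaller = nginx\n' \
        > "$d/www.example.conf"
    manual_without_hook "$d"
    rm -rf "$d"
}

demo_renewal_audit
```

On a live host the directory to pass is /etc/letsencrypt/renewal, the one shown in the renew output above.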

I figured it out with the command of @rg305.
Changed the location of the certificate to the one with 0001 behind it (because it was still valid).
Updated the certificate with the wildcard domain *.ticketservice.shop using the following command:

sudo certbot certonly --manual --preferred-challenges=dns --email jeroen@jtb-media.nl --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d ticketservice.shop -d *.ticketservice.shop -

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.