Error when trying to renew certificate created from manual mode


#1

Hi community,

I recently created my first Let’s Encrypt signed certificate using manual mode. It works fine!

However, when I try to renew the certificate, it fails. How could I fix it?

root@debian8:/opt/letsencrypt# ./letsencrypt-auto renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ariyulxpan.net.conf
-------------------------------------------------------------------------------
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/ariyulxpan.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ariyulxpan.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I have the latest letsencrypt version installed on Linux Debian 8.7:

root@debian8:/opt/letsencrypt# git pull
Already up-to-date.

root@debian8:/opt/letsencrypt# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 8.7 (jessie)
Release:	8.7
Codename:	jessie

Here is my renewal config file:

root@debian8:/opt/letsencrypt# cat /etc/letsencrypt/renewal/ariyulxpan.net.conf 
# renew_before_expiry = 30 days
version = 0.13.0
archive_dir = /etc/letsencrypt/archive/ariyulxpan.net
cert = /etc/letsencrypt/live/ariyulxpan.net/cert.pem
privkey = /etc/letsencrypt/live/ariyulxpan.net/privkey.pem
chain = /etc/letsencrypt/live/ariyulxpan.net/chain.pem
fullchain = /etc/letsencrypt/live/ariyulxpan.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
account = [...]
manual_public_ip_logging_ok = True

Thanks for any help.


#2

The letsencrypt-auto renew command is intended for automated, unattended use, e.g. from a cron job. Obviously this won’t work with manual mode as you need to be there at the terminal to perform the manual steps. Instead you have two options: 1. renew the certificate using letsencrypt-auto certonly --manual instead of letsencrypt-auto renew (you will need to provide the same options as you used originally to obtain the certificate); or 2. get another plugin working besides manual - for example --webroot, and then afterwards letsencrypt-auto renew should work as intended.

(A third option, if you have the necessary programming skills, is to provide scripts to perform the “manual” steps automatically, as suggested by the error message).
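The third option above, providing hook scripts so the manual steps run unattended, is what the error message in the first post is asking for. The script below is an added example, not something posted in this thread: one POSIX sh file that serves as both `--manual-auth-hook` and `--manual-cleanup-hook` for the http-01 challenge. It relies on the `CERTBOT_DOMAIN`, `CERTBOT_VALIDATION` and `CERTBOT_TOKEN` variables that certbot exports to the hook; the `ACME_WEBROOT` variable and the script's own function names are assumptions for this example. Before touching the filesystem it checks that the token only contains the characters an ACME token can contain, so an unexpected value is never used as a path component.

```shell
#!/bin/sh
# Added example hook for certbot's manual plugin (not from the thread). Invoke as:
#   letsencrypt-auto certonly --manual --preferred-challenges http -d example.com \
#       --manual-auth-hook    "/usr/local/bin/acme-hook.sh auth" \
#       --manual-cleanup-hook "/usr/local/bin/acme-hook.sh cleanup"
# certbot exports CERTBOT_DOMAIN, CERTBOT_VALIDATION and (for http-01) CERTBOT_TOKEN.
# ACME_WEBROOT (assumed name) is the document root the web server serves on port 80.

: "${ACME_WEBROOT:=/var/www/html}"
CHALLENGE_SUBDIR=".well-known/acme-challenge"

# Accept only base64url characters, which is all an ACME token may contain.
# Anything else (empty, '/', '..') is rejected before it reaches a path.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Path of the challenge file for $CERTBOT_TOKEN under $ACME_WEBROOT.
challenge_path() {
    printf '%s/%s/%s\n' "$ACME_WEBROOT" "$CHALLENGE_SUBDIR" "$CERTBOT_TOKEN"
}

# --manual-auth-hook: publish the key authorization so the CA's http-01 check succeeds.
auth_hook() {
    valid_token "${CERTBOT_TOKEN:-}" || { echo "auth_hook: bad or missing CERTBOT_TOKEN" >&2; return 1; }
    [ -n "${CERTBOT_VALIDATION:-}" ] || { echo "auth_hook: CERTBOT_VALIDATION not set" >&2; return 1; }
    mkdir -p "$ACME_WEBROOT/$CHALLENGE_SUBDIR"
    # Write the key authorization exactly as given, with no trailing newline.
    printf '%s' "$CERTBOT_VALIDATION" > "$(challenge_path)"
    chmod 0644 "$(challenge_path)"
}

# --manual-cleanup-hook: remove the challenge file once validation has finished.
cleanup_hook() {
    valid_token "${CERTBOT_TOKEN:-}" || return 0   # nothing could have been written
    rm -f "$(challenge_path)"
}

# Dispatch on the first argument so one script serves both hooks; with no
# argument (for instance when sourced) nothing runs.
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Once a certificate has been obtained this way, the hook paths are stored in the renewal config, so a plain `letsencrypt-auto renew` from cron can repeat the manual steps without anyone at the terminal. The validation file must be reachable over plain HTTP at `http://<domain>/.well-known/acme-challenge/<token>`, so check that the web server does not redirect or block that path.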


#3

Hi,

@jmorahan, Thanks a lot for your help !

I solved my problem by specifying the standalone plugin to the renew command.

root@debian8:/opt/letsencrypt# ./letsencrypt-auto renew --force-renewal --standalone --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ariyulxpan.net.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ariyulxpan.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ariyulxpan.net/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ariyulxpan.net/fullchain.pem (success)

This command automatically edited the renewal config file, so that it won’t be necessary to specify the plugin for the next renewal:

root@debian8:/opt/letsencrypt# cat /etc/letsencrypt/renewal/ariyulxpan.net.conf 
# renew_before_expiry = 30 days
version = 0.13.0
archive_dir = /etc/letsencrypt/archive/ariyulxpan.net
cert = /etc/letsencrypt/live/ariyulxpan.net/cert.pem
privkey = /etc/letsencrypt/live/ariyulxpan.net/privkey.pem
chain = /etc/letsencrypt/live/ariyulxpan.net/chain.pem
fullchain = /etc/letsencrypt/live/ariyulxpan.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = [...]
manual_public_ip_logging_ok = True
pref_challs = http-01,

However, I am surprised by one thing; during the renewal, the output indicated:

Performing the following challenges: http-01 challenge for ariyulxpan.net Waiting for verification...

But during the renewal, although I saw my TCP/80 port opened by python (because of standalone plugin), I did not have any established session, so I did not receive any HTTP request.

Is there really a new domain validation made during the renewal?

root@debian8:~# while [ 1 ] ; do netstat -tapen | grep ':80' ; sleep 1 ; done
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          208175      29065/python2.7 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          208175      29065/python2.7 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          208175      29065/python2.7 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          208175      29065/python2.7 

Thanks for any help,


#4

Successful validations are associated with your account ID and remembered for a certain amount of time - I think it’s currently 30 days. So you might not necessarily see an actual incoming http request every time.


#5

Ok, thanks @jmorahan :wink:

