Fail on: certbot-auto renew

My domain is: www.trueniu.com

I ran this command: certbot-auto renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/chinafutea.com.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (chinafutea.com) from /etc/letsencrypt/renewal/chinafutea.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.


Processing /etc/letsencrypt/renewal/trueniu.com.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (trueniu.com) from /etc/letsencrypt/renewal/trueniu.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chinafutea.com/fullchain.pem (failure)
/etc/letsencrypt/live/trueniu.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chinafutea.com/fullchain.pem (failure)
/etc/letsencrypt/live/trueniu.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx version: nginx/1.9.9

The operating system my web server runs on is (include version): CentOS release 6.5 (Final)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.33.1

trueniu.com.conf:

renew_before_expiry = 30 days

version = 0.30.0
archive_dir = /etc/letsencrypt/archive/trueniu.com
cert = /etc/letsencrypt/live/trueniu.com/cert.pem
privkey = /etc/letsencrypt/live/trueniu.com/privkey.pem
chain = /etc/letsencrypt/live/trueniu.com/chain.pem
fullchain = /etc/letsencrypt/live/trueniu.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
manual_public_ip_logging_ok = True
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
account = XXXXXXXXXXXXXXXXXXdd7fa0a1b

Hi @ricky.wang

If you want to use the renew command, you can't use this setup:

manual in combination with dns-01 means: you have to create the DNS entry manually.

So use

certbot -d chinafutea.com -d www.chinafutea.com --preferred-challenges dns

But checking your domain, there is only one old Let's Encrypt certificate ( https://check-your-website.server-daten.de/?q=chinafutea.com ):

CRT-Id	Issuer	not before	not after	Domain names	LE-Duplicate	next LE
1036821997	CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US	2018-11-28 23:00:00	2019-11-29 11:00:00	chinafutea.com, www.chinafutea.com (2 entries)	-	-
983557236	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2018-11-28 09:33:07	2019-02-26 09:33:07	chinafutea.com (1 entry)	-	-

You don't use that certificate; it's expired.

So do you really need dns-01 validation? Doesn't http-01 validation work?

Your port 80 is open and answers correctly.

Domainname	IP	Http-Status	redirect	Sec.	G
http://www.chinafutea.com/	54.84.18.95	200	-	0.943	H
http://www.chinafutea.com/	54.88.167.222	200	-	0.930	H
https://www.chinafutea.com/	54.84.18.95	200	-	3.296	I
https://www.chinafutea.com/	54.88.167.222	200	-	1.704	I
http://www.chinafutea.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	54.84.18.95	404 Not Found	-	0.790	A

But your non-www version doesn't have a DNS entry.

So:

  • Add a dns A entry chinafutea.com
  • Try certbot -d www.chinafutea.com -d chinafutea.com --nginx

That should work, then Certbot should update your config file.
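The reply above boils down to one rule: a renewal config with `authenticator = manual` and no `manual_auth_hook` can only be renewed interactively, which is exactly the PluginError in the log. The following is an added example, not certbot's own code (certbot parses these files with configobj; the small parser here is an assumption written for the example). It reads a renewal conf of the shape quoted in the thread and reports whether `certbot renew` could complete unattended, so a cron or timer job can flag such files before the certificate actually lapses. The sample confs are constructed from the values in the thread; the `nginx` variant and the `/usr/local/bin/dns-hook.sh` path are illustrative assumptions.

```python
"""Flag certbot renewal configs that 'certbot renew' cannot complete non-interactively.

Added example (not certbot code). Assumption: the file layout is top-level keys,
then a [renewalparams] section, as in the trueniu.com.conf quoted in the thread.
"""
import os
from typing import Dict, List, Tuple

# Constructed sample: the [renewalparams] section from the thread (manual + dns-01, no hook).
SAMPLE_MANUAL_DNS = """\
renew_before_expiry = 30 days
version = 0.30.0
archive_dir = /etc/letsencrypt/archive/trueniu.com
cert = /etc/letsencrypt/live/trueniu.com/cert.pem
# Options used in the renewal process
[renewalparams]
manual_public_ip_logging_ok = True
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
account = XXXXXXXXXXXXXXXXXXdd7fa0a1b
"""

# Constructed sample: what the file looks like after re-issuing with --nginx (assumed values).
SAMPLE_NGINX = """\
renew_before_expiry = 30 days
version = 0.33.1
[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = nginx
installer = nginx
account = XXXXXXXXXXXXXXXXXXdd7fa0a1b
"""

# Constructed sample: manual + dns-01 with an auth hook (hypothetical hook path), renewable unattended.
SAMPLE_MANUAL_WITH_HOOK = SAMPLE_MANUAL_DNS + "manual_auth_hook = /usr/local/bin/dns-hook.sh\n"


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: keys before any [section] land in section ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # new section header
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def can_renew_unattended(text: str) -> Tuple[bool, str]:
    """Return (ok, reason) for running 'certbot renew' without a terminal."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    auth = params.get("authenticator")
    if auth is None:
        return False, "no authenticator in [renewalparams]"
    if auth == "manual" and not params.get("manual_auth_hook"):
        # This is the thread's failure: the manual plugin refuses to run non-interactively
        # unless --manual-auth-hook was recorded in the renewal config.
        challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
        how = "dns-01 TXT records" if "dns-01" in challs else "the challenge response"
        return False, f"manual plugin without manual_auth_hook: {how} must be created by hand"
    return True, "ok"


def scan_renewal_dir(directory: str) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every *.conf in the directory that cannot renew unattended."""
    findings: List[Tuple[str, str]] = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            ok, reason = can_renew_unattended(fh.read())
        if not ok:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for label, conf in (("manual+dns-01", SAMPLE_MANUAL_DNS),
                        ("nginx", SAMPLE_NGINX),
                        ("manual+hook", SAMPLE_MANUAL_WITH_HOOK)):
        print(label, can_renew_unattended(conf))
```

Pointing `scan_renewal_dir` at `/etc/letsencrypt/renewal` from the same cron job that runs `certbot renew` turns the silent "Skipping." in the log into an explicit finding per config file.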

How to add a DNS A entry for chinafutea.com?

You use these nameservers:

Domain	Nameserver	NS-IP
www.chinafutea.com	ns-1512.awsdns-61.org / ec9c2a7bd8f0abbddd6a8af43f652951	-
chinafutea.com	ns-1512.awsdns-61.org / ec9c2a7bd8f0abbddd6a8af43f652951	205.251.197.232

Looks like Amazon. There you can create an additional A (IPv4) entry.

Use the same values your www-version uses:

Host	T	IP-Address	is auth.	∑ Queries	∑ Timeout
chinafutea.com	A	-	yes	1	0
chinafutea.com	AAAA	-	yes	-	-
www.chinafutea.com	A	54.84.18.95	yes	1	0
www.chinafutea.com	A	54.88.167.222	yes	1	0
www.chinafutea.com	AAAA	-	yes	-	-
