Fail on: certbot-auto renew

My domain is: www.trueniu.com

I ran this command: certbot-auto renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/chinafutea.com.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (chinafutea.com) from /etc/letsencrypt/renewal/chinafutea.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.


Processing /etc/letsencrypt/renewal/trueniu.com.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (trueniu.com) from /etc/letsencrypt/renewal/trueniu.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chinafutea.com/fullchain.pem (failure)
/etc/letsencrypt/live/trueniu.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chinafutea.com/fullchain.pem (failure)
/etc/letsencrypt/live/trueniu.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx version: nginx/1.9.9

The operating system my web server runs on is (include version): CentOS release 6.5 (Final)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.33.1

trueniu.com.conf:

renew_before_expiry = 30 days

version = 0.30.0
archive_dir = /etc/letsencrypt/archive/trueniu.com
cert = /etc/letsencrypt/live/trueniu.com/cert.pem
privkey = /etc/letsencrypt/live/trueniu.com/privkey.pem
chain = /etc/letsencrypt/live/trueniu.com/chain.pem
fullchain = /etc/letsencrypt/live/trueniu.com/fullchain.pem

Options used in the renewal process

[renewalparams]
manual_public_ip_logging_ok = True
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
account = XXXXXXXXXXXXXXXXXXdd7fa0a1b

Hi @ricky.wang

if you want to use the renew command, you can’t use this setup:

manual in combination with dns-01 means: You have to create the dns entry manual.

So use

certbot -d chinafutea.com -d www.chinafutea.com --preferred-challenges dns

But checking your domain there is only one old Letsencrypt certificate ( https://check-your-website.server-daten.de/?q=chinafutea.com ):

CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1036821997 CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US 2018-11-28 23:00:00 2019-11-29 11:00:00 chinafutea.com, www.chinafutea.com
2 entries
983557236 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-11-28 09:33:07 2019-02-26 09:33:07 chinafutea.com
1 entries

You don’t use that certificate, it’s expired.

So do you really need dns-01 validation? Doesn’t http-01 validation works?

Your port 80 is open and answers correct.

Domainname Http-Status redirect Sec. G
http://www.chinafutea.com/
54.84.18.95 200 0.943 H
http://www.chinafutea.com/
54.88.167.222 200 0.930 H
https://www.chinafutea.com/
54.84.18.95 200 3.296 I
https://www.chinafutea.com/
54.88.167.222 200 1.704 I
http://www.chinafutea.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
54.84.18.95 404 0.790 A
Not Found

But your non-www version doesn’t have a dns entry.

So:

  • Add a dns A entry chinafutea.com
  • Try certbot -d www.chinafutea.com -d chinafutea.com --nginx

That should work, then Certbot should update your config file.

how to Add a dns A entry chinafutea.com?

You use these nameservers:

Domain	Nameserver	NS-IP
www.chinafutea.com
	•  ns-1512.awsdns-61.org / ec9c2a7bd8f0abbddd6a8af43f652951 -
		•
chinafutea.com
	•  ns-1512.awsdns-61.org / ec9c2a7bd8f0abbddd6a8af43f652951 -
	205.251.197.232	•

Looks like Amazon. There you can create an additional A (ipv4) entry.

Use the same values your www-version uses:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
chinafutea.com A yes 1 0
AAAA yes
www.chinafutea.com A 54.84.18.95 yes 1 0
A 54.88.167.222 yes 1 0
AAAA yes
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.