Failed Certbot SSL auto-renewal using systemd certbot.service on AWS bitnami Wordpress instance

BrickStreet · August 26, 2019, 10:09pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: homeperfectexteriors.com

I ran this command: trying to run certbot.service (which reads as follows):
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true

It produced this output:
Aug 26 15:10:56 ip-172-26-8-142 systemd[1]: Starting Certbot…
Aug 26 15:18:04 ip-172-26-8-142 certbot[18505]: Attempting to renew cert (homeperfectexteriors.com) from /etc/letsencrypt/renewal/homeperfectexteriors.com.conf produced an unexpected error: The manual plugin is not work
Aug 26 15:18:04 ip-172-26-8-142 certbot[18505]: The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
Aug 26 15:18:04 ip-172-26-8-142 certbot[18505]: All renewal attempts failed. The following certs could not be renewed:
Aug 26 15:18:04 ip-172-26-8-142 certbot[18505]: /etc/letsencrypt/live/homeperfectexteriors.com/fullchain.pem (failure)
Aug 26 15:18:04 ip-172-26-8-142 certbot[18505]: 1 renew failure(s), 0 parse failure(s)
Aug 26 15:18:04 ip-172-26-8-142 systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Aug 26 15:18:04 ip-172-26-8-142 systemd[1]: Failed to start Certbot.
Aug 26 15:18:04 ip-172-26-8-142 systemd[1]: certbot.service: Unit entered failed state.
Aug 26 15:18:04 ip-172-26-8-142 systemd[1]: certbot.service: Failed with result ‘exit-code’.

Hoping someone can point me in the right direction to get this process running correctly so I don’t have to keep manually renewing the SSL cert on this site!

My web server is (include version): Amazon Lightsail VPS

The operating system my web server runs on is (include version): Linux, I believe? not sure…

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

schoen · August 27, 2019, 2:32am

Hi @BrickStreet,

If you used --manual to obtain the certificate, you do have to keep manually renewing it. Do you remember why you chose to use this method instead of --apache or --nginx? Do you have a wildcard certificate?

BrickStreet · August 27, 2019, 4:57pm

I have a wildcard certificate because I followed the AWS instructions here:
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress

so i did use --manual:
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly"

I don't actually really need a wildcard certificate though... as there are no subdomains for this domain.

AWS makes me craazy..... I can't seem to find any of the details about the server environment anywhere to know if it is running apache or nginx...

schoen · August 27, 2019, 9:39pm

Interesting! The DNS challenge (normally performed via --manual in Certbot) is required for wildcards by Let’s Encrypt policy, but certificates issued with --manual can’t be renewed automatically unless you tell Certbot how to use a DNS provider API to make the necessary changes to your DNS zone.

If you change over to --nginx or --apache, it’s likely that the automatic renewals will work because these methods only require making small temporary configuration changes to your own web server, not to another machine.

One option for seeing what web server application you use might be to run a command like

curl -v localhost -o /dev/null

at your server’s command prompt.

BrickStreet · August 28, 2019, 6:30pm

Ok I was able to use your command to see that the server is Apache.

I tried the following, and got errors that the required apache plugin is not installed:
bitnami@ip-172-26-8-142:~ DOMAIN=homeperfectexteriors.com bitnami@ip-172-26-8-142:~ sudo certbot -d DOMAIN --apache --preferred-challenges dns certonly Saving debug log to /var/log/letsencrypt/letsencrypt.log Could not choose appropriate plugin: The requested apache plugin does not appear to be installed The requested apache plugin does not appear to be installed bitnami@ip-172-26-8-142:~ sudo certbot -d $DOMAIN --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed

Not sure where to go from here…

system · September 27, 2019, 6:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.