Followed the info but got an error

I followed this: How to automatically renew certificates?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
platinum.edu.pl

I ran this command:
certbot -q renew

It produced this output:
Attempting to renew cert (platinum.edu.pl) from /etc/letsencrypt/renewal/platinum.edu.pl.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/platinum.edu.pl/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Slackware current.

My hosting provider, if applicable, is:
Me.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.9.0

Hi @platyna

Please read your error message.

If you have created your first certificate with --manual, you can't simply use renew to create a new certificate. renew is non-interactive, so there is no manual action possible.

Use the complete command again, maybe add --cert-name to overwrite the existing certificate.

My certificate expired. So I need to renew it, and it fails. I don't care if it is interactive or not, I just want it to renew and it doesn't work.

Welcome back! 🙂

Use this to renew:

certbot certonly --cert-name platinum.edu.pl --manual --preferred-challenges dns -d "platinum.edu.pl,*.platinum.edu.pl"

Thanks, but this tells me to re-authorize in my DNS and I want the renew to be automatic, I just want to put it in my crontab and forget about it.

You cannot do that with manual authentication. Since you are using a wildcard certificate, you need to use a dns-01 challenge (like you have been). One of the easiest ways to automate this is to use acme-dns.

You can't if you use --manual and if your dns provider doesn't support an API.

I am my DNS provider and I use named.

Do you have API access to your DNS zone then to add the TXT records using a script?

API access? I just use a text editor to edit my zones.

You can probably use a script with --manual-auth-hook to create the TXT records and a script with --manual-cleanup-hook to delete the TXT records. Be sure to reload your webserver with a script using --deploy-hook after getting a new certificate.

This is all assuming that the server on which you are running certbot has access to the DNS zone file.

Or you can use acme-dns as I indicated before.

A decision to have a program running on root's cron and messing with my SSL files was a painful sacrifice, having a script querying external sites and messing up with my DNS server is way too much for me. Is there any way to delete my Let's Encrypt account and user data?

You don't need to give access to your DNS server if you use acme-dns. You just create a CNAME record for _acme-challenge.platinum.edu.pl to delegate the challenge to acme-dns server that offers a simple API to update TXT records on its server. Simple, easy, and secure.

So, I have to run two DNS servers on the same machine?

Not necessarily. The instructions for acme-dns do state that it's better to run your own copy though.

Is the DNS on the same server on which you're running certbot?

Keep in mind that you write (and thus fully-control) the hook scripts I mentioned earlier. It's not like you're giving hidden code access to your DNS.

Yes. Certbot runs on our main server, which is DNS/HTTPd one. The project is run in the 1990s style of administration - we don't have any panels, and we uphold KISS values.

I greatly respect that. 😃

I'd given it a like, but I'm out of likes right now. ❤️

You have the ideal setup to use the hook scripts I mentioned. They will fully automate your renewals.

Thanks, but giving me link to the list of command line options for certbot (which is not even a version I am using) is not really helpful.

I thought this part would be:

manual:
Authenticate through manual configuration or custom shell scripts. When using shell scripts, an authenticator script must be provided. The environment variables available to this script depend on the type of challenge. $CERTBOT_DOMAIN will always contain the domain being authenticated. For HTTP-01 and DNS-01, $CERTBOT_VALIDATION is the validation string, and $CERTBOT_TOKEN is the filename of the resource requested when performing an HTTP-01 challenge. An additional cleanup script can also be provided and can use the additional variable $CERTBOT_AUTH_OUTPUT which contains the stdout output from the auth script. For both authenticator and cleanup script, on HTTP-01 and DNS-01 challenges, $CERTBOT_REMAINING_CHALLENGES will be equal to the number of challenges that remain after the current one, and $CERTBOT_ALL_DOMAINS contains a comma-separated list of all domains that are challenged for the current certificate.

--manual-auth-hook MANUAL_AUTH_HOOK Path or command to execute for the authentication script (default: None)

--manual-cleanup-hook MANUAL_CLEANUP_HOOK Path or command to execute for the cleanup script (default: None)
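The hook scripts suggested earlier in the thread (--manual-auth-hook, --manual-cleanup-hook, plus --deploy-hook for the web server) and the $CERTBOT_DOMAIN, $CERTBOT_VALIDATION and $CERTBOT_REMAINING_CHALLENGES variables from the help text quoted above, put together as one added example script. It is not Certbot's own code and not a script anyone in this thread posted. It assumes a BIND (named) zone file at an assumed path, an SOA serial on its own line ending in "; serial", and rndc for reloads; ZONE_FILE, RELOAD_CMD and PROPAGATION_WAIT are knobs of this hypothetical script, not Certbot options, and the certbot invocation in the header comment is the assumed way of wiring it in.

```shell
#!/bin/sh
# Added example for this thread (not Certbot's code, not the poster's script):
# one script that acts as both --manual-auth-hook and --manual-cleanup-hook
# for a BIND (named) zone file edited in place.
#
# Assumed (not stated in the thread): the zone file path, that the SOA serial
# sits on its own line ending in "; serial", and that named is reloaded with
# "rndc reload". ZONE_FILE / RELOAD_CMD / PROPAGATION_WAIT can be overridden.
#
# Hypothetical invocation once installed as /usr/local/sbin/le-dns-hook.sh:
#   certbot certonly --cert-name platinum.edu.pl --manual \
#     --preferred-challenges dns -d "platinum.edu.pl,*.platinum.edu.pl" \
#     --manual-auth-hook    "/usr/local/sbin/le-dns-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/sbin/le-dns-hook.sh cleanup" \
#     --deploy-hook "apachectl graceful"
# After that first run, "certbot -q renew" reuses the hooks stored in the
# renewal configuration, so a cron entry is enough.

ZONE_FILE="${ZONE_FILE:-/var/named/platinum.edu.pl.zone}"   # assumed path
RELOAD_CMD="${RELOAD_CMD:-rndc reload platinum.edu.pl}"     # assumed command
PROPAGATION_WAIT="${PROPAGATION_WAIT:-30}"                  # seconds

# The record Certbot asks for. For the wildcard name Certbot passes the base
# domain in CERTBOT_DOMAIN, so both challenges of the certificate above use
# the same owner name with different values; two TXT records are legitimate.
# CERTBOT_VALIDATION is base64url (A-Za-z0-9_-), so no escaping is needed.
txt_record() {
    printf '_acme-challenge.%s. 60 IN TXT "%s"' "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
}

# Increment the SOA serial so secondaries and resolvers notice the change.
# Touches only a line of the form "<digits> ; serial" (leading whitespace ok).
bump_serial() {
    awk '/^[ \t]*[0-9]+[ \t]*;[ \t]*serial/ { sub(/[0-9]+/, sprintf("%d", $1 + 1)) } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

manual_auth_hook() {
    [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ] || return 1
    # Append rather than replace: the wildcard cert needs two values live at once.
    printf '%s\n' "$(txt_record)" >> "$ZONE_FILE"
    bump_serial "$ZONE_FILE"
    $RELOAD_CMD
    # Certbot runs the hook once per challenge; only wait after the last one.
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
        sleep "$PROPAGATION_WAIT"
    fi
}

manual_cleanup_hook() {
    [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ] || return 1
    # Remove exactly the record this run added, leaving any other TXT alone.
    awk -v line="$(txt_record)" '$0 != line' "$ZONE_FILE" > "$ZONE_FILE.tmp" \
        && mv "$ZONE_FILE.tmp" "$ZONE_FILE"
    bump_serial "$ZONE_FILE"
    $RELOAD_CMD
}

case "${1:-}" in
    auth)    manual_auth_hook ;;
    cleanup) manual_cleanup_hook ;;
    *)       : ;;   # no argument: only define the functions
esac
```

Because the certificate covers both platinum.edu.pl and *.platinum.edu.pl, Certbot calls the auth hook twice with the same owner name and two different values; the script therefore appends a second TXT record instead of overwriting the first, and cleanup removes only its own value. The script must run as a user that can write the zone file and run rndc, which on the setup described in the thread is root's cron anyway.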