Help - Cannot renew certificate on live site

Hi

I’m pretty desperate here, initial install went ok, certificates are live however when it came time to renew it doesn’t work. I’m going to struggle to try solutions as it’s a live server and this makes it harder to try fixes.

My domain is: www.oxfordonlinepharmacy.co.uk

I ran this command:
Cron Job : cd /etc/letsencrypt/ && ./certbot-auto renew && /opt/bitnami/ctlscript.sh restart
When this didn’t work I tried this from the command line: ./certbot-auto renew

It produced this output:
Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (oxfordonlinepharmacy.co.uk) from /etc/letsencrypt/renewal/oxfordonlinepharmacy.co.uk.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/oxfordonlinepharmacy.co.uk/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/oxfordonlinepharmacy.co.uk/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Apache 2.4.34

The operating system my web server runs on is (include version):
Ubuntu 16.04.5

My hosting provider, if applicable, is:
AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.33.1

Hi @paul_oop

the command you have used to create the last certificate had the --manual option.

That can't work with an automated --renew command.

But your certificate is ok ( https://check-your-website.server-daten.de/?q=oxfordonlinepharmacy.co.uk ):

CN=oxfordonlinepharmacy.co.uk | 08.02.2019 | 09.05.2019 | expires in 27 days | *.oxfordonlinepharmacy.co.uk, oxfordonlinepharmacy.co.uk - 2 entries

So your website works and you have more than 20 days.

You have a wildcard certificate. So you must use dns-01 validation. Does your DNS provider support an API?

If yes, you may use that API. If no, you can't use `--renew`.

Hi @JuergenAuer
Thanks for the quick response. This is all fairly new to me, so looking in the conf file I can see the following:

authenticator = manual
account = removed this for this thread, not sure if it’s a good idea to include
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

What do I need to change to allow the automated --renew?

Right now I don’t mind if the renewal is automatic or manual, as long I can renew it. My aim was to have the Cron Job run every week, but if I need to login every couple of months I can live with that.
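A check for the situation in this thread, as an added example that is not part of the original posts or of certbot: it scans renewal confs for `authenticator = manual` with no `manual_auth_hook` entry, the combination that produces the error above under `certbot-auto renew`. The sample confs and example.com names are constructed; pass `/etc/letsencrypt/renewal` as the first argument on a real host.

```shell
#!/bin/sh
# Added example (not certbot code): list lineages `certbot-auto renew` cannot
# renew unattended, i.e. authenticator = manual with no manual_auth_hook.
conf_value() {  # usage: conf_value KEY FILE -> prints the value, or nothing
    awk -v key="$1" '
        /^[ \t]*(#|\[)/ { next }    # skip comments and [section] headers
        { k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k) }
        k == key && index($0, "=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            print v; exit
        }' "$2"
}

renewable_unattended() {  # usage: renewable_unattended FILE -> 0 yes, 1 no
    ru_auth=$(conf_value authenticator "$1")
    ru_hook=$(conf_value manual_auth_hook "$1")
    [ "$ru_auth" != "manual" ] && return 0
    [ -n "$ru_hook" ] && [ "$ru_hook" != "None" ] && return 0  # empty/None = unset
    return 1
}

audit_renewal_dir() {  # prints one line per problem lineage; returns 1 if any
    ar_rc=0
    for ar_f in "$1"/*.conf; do
        [ -e "$ar_f" ] || continue
        if ! renewable_unattended "$ar_f"; then
            echo "NOT AUTO-RENEWABLE: $ar_f"
            ar_rc=1
        fi
    done
    return "$ar_rc"
}

make_sample_dir() {  # constructed confs; example.com names are placeholders
    ms_dir=$(mktemp -d)
    cat > "$ms_dir/wildcard.example.com.conf" <<'EOF'
[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$ms_dir/hooked.example.com.conf" <<'EOF'
[renewalparams]
authenticator = manual
manual_auth_hook = /etc/letsencrypt/hooks/dns-auth.sh
EOF
    echo "$ms_dir"
}
audit_renewal_dir "${1:-$(make_sample_dir)}" || echo "fix these before relying on cron"
```

Run from cron ahead of the renewal job, a non-zero exit gives an early warning instead of a failed renewal close to expiry.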

If you use manual, you can't automate that. As written:

@JuergenAuer

I think what I’m asking, probably not too well, is this.

What options do I currently have to renew the certificate? I’ll have to assume that the API option isn’t available. So is there a command line instruction I can use to manually renew the certificate? Or is the solution here to generate a completely new certificate?

As you mentioned I’ve got a few weeks to sort this out, but so I can sleep soundly over the next couple of weeks I’d like to do it as soon as I can.

I’m stuck right now as the initial process seemed to go OK, and I went live with a valid certificate, but now I need to ensure that I can renew/extend the certificate, preferably without any downtime.

I’ve noticed this error has been raised before, but I’ve not been able to work out how the problem was actually resolved.

If you use --renew, you create a new certificate too.

So use the same command you have used the first time, that works always. But I don't know what command you have used.

Perhaps

certbot -d *.oxfordonlinepharmacy.co.uk -d oxfordonlinepharmacy.co.uk --manual

That works always, you have to create the two DNS TXT entries manually.

But that's interactive, not automated.


@JuergenAuer

Many thanks, repeating the original command worked and I’ve now got a new certificate.

What had confused me (and still does) is that at the end of the certbot process, the message is:

To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew all of your certificates, run “certbot-auto renew”.

When I tried this I received the error message I mentioned earlier.


That message isn't completely correct.

A new certificate created with --manual can't be renewed. There are additional steps (an included script) required.
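The script requirement mentioned above, as an added example that is not from the thread or from certbot: a pair of hooks for `--manual-auth-hook` and `--manual-cleanup-hook` showing why a wildcard plus base name needs two TXT values at the same record. `ZONE_FILE`, `zone_add` and `zone_del` are hypothetical stand-ins for a DNS provider's API, and example.com in the test values is a placeholder.

```shell
#!/bin/sh
# Added example (not certbot code): auth and cleanup hooks for the manual plugin.
# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before running each hook.
# ZONE_FILE is a hypothetical stand-in for a DNS provider API, holding one
# "name TXT value" line per record. Swap zone_add/zone_del for real API calls
# and have the auth hook wait until the record is visible before it exits.
ZONE_FILE="${ZONE_FILE:-./fake-zone.txt}"

# For a wildcard, CERTBOT_DOMAIN is the base name, so *.example.com and
# example.com are both validated at _acme-challenge.example.com.
challenge_name() { printf '_acme-challenge.%s\n' "$1"; }

zone_add() {  # add a TXT value without replacing values already published
    touch "$ZONE_FILE"
    grep -qxF "$1 TXT $2" "$ZONE_FILE" || printf '%s TXT %s\n' "$1" "$2" >> "$ZONE_FILE"
}

zone_del() {  # remove only this challenge's value; the sibling value stays
    [ -f "$ZONE_FILE" ] || return 0
    grep -vxF "$1 TXT $2" "$ZONE_FILE" > "$ZONE_FILE.tmp" || true
    mv "$ZONE_FILE.tmp" "$ZONE_FILE"
}

auth_hook() {     # what --manual-auth-hook would run
    : "${CERTBOT_DOMAIN:?not set}" "${CERTBOT_VALIDATION:?not set}"
    zone_add "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

cleanup_hook() {  # what --manual-cleanup-hook would run
    : "${CERTBOT_DOMAIN:?not set}" "${CERTBOT_VALIDATION:?not set}"
    zone_del "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

# List the TXT values currently published for a record name.
txt_values() { awk -v n="$1" '$1 == n && $2 == "TXT" { print $3 }' "$ZONE_FILE"; }

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Saved as an executable script, it would be passed to certbot as `--manual-auth-hook "/path/to/hook.sh auth"` and `--manual-cleanup-hook "/path/to/hook.sh cleanup"`, where the path is an assumption.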
