How do I certbot renew SSL on MacOS localhost?

I'm trying to renew a LetsEncrypt SSL certificate that we use for local development only. I had originally set it up using instructions given to me by other developers but they are no longer available to assist with renewal procedures. I've run sudo certbot renew but got the output detailed below. I'm not sure what else to try at this point. Any help is appreciated.

My domain is:
local.zill.as

I ran this command:
sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/local.zill.as.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate local.zill.as with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/local.zill.as/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
MAMP Pro 5.7 (18029)

The operating system my web server runs on is (include version):
MacOS Big Sur Version 11.6 (Apple M1 chip)

My hosting provider, if applicable, is:
localhost (this domain is for local development only)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes (zsh sudo)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
MAMP Pro

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.19.0

The certbot renew subcommand assumes certbot is running non-interactively, i.e., if it requires user interaction, it will refuse to work.

As you've used the --manual plugin to get your certificate the first time and you didn't use --manual-auth-hook to supply a non-interactive script to actually do the challenge, this is incompatible with the certbot renew subcommand.

To "renew" in your case, you should run the same command you've used the first time. Or automate the DNS challenge, although that could be difficult to do if your DNS provider doesn't have an easy-to-automate API.

3 Likes
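What "automate the DNS challenge" can look like, as an added example that is not part of the original thread or of certbot itself: a single script used as both the `--manual-auth-hook` and the `--manual-cleanup-hook`. It assumes the zone's DNS server accepts TSIG-signed RFC 2136 updates via `nsupdate`; `DNS_SERVER`, `TSIG_KEY` and the script path are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: one script for certbot's --manual-auth-hook and
# --manual-cleanup-hook, completing DNS-01 through an RFC 2136 dynamic update.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
# Assumptions (not from the thread): the zone's DNS server accepts TSIG-signed
# updates; DNS_SERVER and TSIG_KEY below are hypothetical placeholders.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"
TTL=60

# build_update ACTION DOMAIN TOKEN: print an nsupdate batch, or return 1 if an
# input could break out of the batch syntax.
build_update() {
    case "$2" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;   # hostname characters only
    esac
    case "$3" in
        *[!A-Za-z0-9_-]*) return 1 ;;                 # base64url alphabet only
    esac
    # A dns-01 TXT value is an unpadded base64url SHA-256 digest: 43 chars.
    [ "${#3}" -eq 43 ] || return 1
    name="_acme-challenge.$2."
    case "$1" in
        add)     rr="update add $name $TTL TXT \"$3\"" ;;
        cleanup) rr="update delete $name TXT \"$3\"" ;;
        *)       return 1 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$DNS_SERVER" "$rr"
}

# Runs only when certbot invokes the script (CERTBOT_DOMAIN is set).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    batch=$(build_update "${1:-add}" "$CERTBOT_DOMAIN" "${CERTBOT_VALIDATION:-}") || {
        echo "refusing unexpected domain, token or action" >&2
        exit 1
    }
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEY" || exit 1
    # Give the record time to reach the authoritative servers before certbot
    # asks the CA to validate.
    if [ "${1:-add}" = add ]; then sleep 30; fi
fi
```

Pass it on the issuing command as `--manual-auth-hook '/path/to/hook.sh add' --manual-cleanup-hook '/path/to/hook.sh cleanup'` together with `--manual --preferred-challenges dns`. Certbot records the hooks in the renewal configuration, so a later `certbot renew` no longer needs interaction.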

Great, thanks! I simply repeated the steps that I used to create the cert, this time with a different TXT record value, and it worked.

2 Likes

Yes, all the challenge tokens, such as the TXT record value, are one-time use only.

2 Likes

Are you unable to use HTTP authentication?
[which is much simpler to automate]

1 Like

It's for local development and doesn't have an A or AAAA record associated with the hostname. So my guess was no, so I didn't ask 😛

2 Likes

Ok that splainzit.

1 Like
