How to check that correct renewal will occur

Hi,

On 21 Nov 2020 I created separate certificates for several subdomains with a command like:

certbot -i apache -a manual --preferred-challenges dns --no-redirect -d $i

for each subdomain, where $i is the subdomain name, like demo1.ligamen.org

Now launching

certbot -i apache -a manual --preferred-challenges dns --no-redirect renew

throws the same error for each subdomain:

Attempting to renew cert (demo1.ligamen.org) from /etc/letsencrypt/renewal/demo1.ligamen.org.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin

The renewal confs look like this:

# cat /etc/letsencrypt/renewal/demo1.ligamen.org.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/demo1.ligamen.org
cert = /etc/letsencrypt/live/demo1.ligamen.org/cert.pem
privkey = /etc/letsencrypt/live/demo1.ligamen.org/privkey.pem
chain = /etc/letsencrypt/live/demo1.ligamen.org/chain.pem
fullchain = /etc/letsencrypt/live/demo1.ligamen.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 536d88674a900c72784efd2472a197e1
pref_challs = dns-01,
authenticator = manual
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
1 Like

Hi @kmc

If you use manual, you have to do that manually. So a simple "renew" can't work.

So your error is expected.

3 Likes

Tried with certonly:
certbot -i apache -a manual --preferred-challenges dns --no-redirect --dry-run -d demo1.ligamen.org certonly

But now it asks "Are you OK with your IP being logged?"

How can I use that in an automatic script, or what is the proper way to renew these certificates?

Hi @kmc,

Why do you want to use -a manual, which requires human interaction, instead of something like -a apache, which doesn't? Is there a particular reason that you need the DNS-01 challenge in your environment?

2 Likes

I don't remember why I used the manual option. I just need separate certificates renewed automatically.

Now I needed a solution, so I removed all certificates and recreated them with "certbot certonly --standalone -d ".
The renewal parameters look like this:

cat /etc/letsencrypt/renewal/demo1.ligamen.org.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/demo1.ligamen.org
cert = /etc/letsencrypt/live/demo1.ligamen.org/cert.pem
privkey = /etc/letsencrypt/live/demo1.ligamen.org/privkey.pem
chain = /etc/letsencrypt/live/demo1.ligamen.org/chain.pem
fullchain = /etc/letsencrypt/live/demo1.ligamen.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 536d88674a900c72784efd2472a197e1
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

Does "certbot renew" return a status code to verify that renewal executed correctly, with something like $result = certbot renew?

It is not possible to automate a manually required DNS change:

Then you may need to change the challenge type to HTTP.
I see you are now using:

which will spin up a temporary web server to answer the HTTP challenge requests.
Did that work?
[it requires use of TCP port 80]

Not too sure about the errors returned by certbot 0.31.0, but adding -vv [or -vvv for even more] will increase the amount of output shown in the log file.

Yes, except (as I recall) "no renewals attempted" and "all renewals succeeded" both indicate success.

If you're using Apache the best method is normally

sudo certbot --apache -d

which will both obtain and install the certificates for you (here --apache is equivalent to -a apache -i apache). As @rg305 pointed out, --standalone is a little peculiar because it needs to be able to use port 80, which typically Apache would already be using.

2 Likes

Yes, except (as I recall) "no renewals attempted" and "all renewals succeeded"
So certbot returns a string, not a boolean?
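Two things in this thread can be checked mechanically before relying on a cron job: whether any renewal conf still carries `authenticator = manual` (which, as said above, can never renew unattended), and whether `certbot renew` itself succeeded, which is reported through its exit status rather than a string. The script below is an added example, not code from any poster or from the Certbot project. It assumes the renewal confs live under `/etc/letsencrypt/renewal` and the binary is `certbot` (both overridable via `RENEWAL_DIR` and `CERTBOT` for testing), and it assumes Apache as the web server for the deploy hook.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of Certbot renewal confs,
# then "certbot renew" with its exit status used as the success signal.
# Assumptions: confs under RENEWAL_DIR, binary named by CERTBOT, Apache reloaded
# by "apachectl -k graceful" after a successful renewal.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"
CERTBOT="${CERTBOT:-certbot}"

# check_renewal_confs [DIR]: return 0 if every renewal conf can be renewed
# unattended, 1 if any uses the "manual" authenticator (a human must publish
# the DNS/HTTP challenge) or has no authenticator line at all.
check_renewal_confs() {
    dir="${1:-$RENEWAL_DIR}"
    status=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue      # no confs at all: nothing to renew
        name=$(basename "$conf" .conf)
        # pull the value of the "authenticator = ..." line from [renewalparams]
        auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        case "$auth" in
            manual)
                echo "WARN $name: authenticator=manual cannot be renewed unattended" >&2
                status=1 ;;
            "")
                echo "WARN $name: no authenticator in [renewalparams]" >&2
                status=1 ;;
            *)
                echo "ok   $name: authenticator=$auth" ;;
        esac
    done
    return $status
}

# renew_certs [LOGFILE]: run certbot renew non-interactively. certbot exits 0
# both when nothing was due and when every due cert renewed, so the caller gets
# a boolean; the details ("no renewals attempted" etc.) go to the log file.
renew_certs() {
    log="${1:-/var/log/letsencrypt/renew-cron.log}"
    if "$CERTBOT" renew --non-interactive \
        --deploy-hook "apachectl -k graceful" >>"$log" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo "renew: success (details in $log)"
    else
        echo "renew: FAILED with exit code $rc (details in $log)" >&2
    fi
    return "$rc"
}

# Cron entry point: refuse to run the renewal if a conf would need a human.
if [ "${1:-}" = "--run" ]; then
    check_renewal_confs && renew_certs
fi
```

Run it as `sh renew-check.sh --run` from cron; a non-zero exit from either function is the signal to alert on. Adding `--dry-run` to the `certbot renew` call exercises the whole path against the staging environment without touching the live certificates.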

Yes, but that method did not work, because I removed all certificates and Apache could not be restarted anymore: references to the certificates were still pointing to the removed ones, throwing a syntax error in the config test.

In that case you'll have to fix that by removing those references, or else putting dummy certs (like a "snake oil" cert) temporarily in the paths where they were before.

1 Like
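The config-test failure above is the predictable result of deleting certificate files that Apache's `SSLCertificateFile` / `SSLCertificateKeyFile` / `SSLCertificateChainFile` directives still name. The following added example (not from any poster) finds those dangling references before `apachectl configtest` does, so they can be removed or pointed at a temporary placeholder cert. It assumes the Apache tree is `/etc/apache2` (overridable via `APACHE_CONF_DIR` or the first argument) and that directive paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread): list SSLCertificate*File directives whose
# target file no longer exists. Assumption: config under APACHE_CONF_DIR and
# paths without embedded spaces (quotes around the path are tolerated).

APACHE_CONF_DIR="${APACHE_CONF_DIR:-/etc/apache2}"

# check_ssl_paths [DIR]: print a MISSING line for each dangling reference and
# return 1; return 0 when every referenced certificate/key/chain file exists.
check_ssl_paths() {
    dir="${1:-$APACHE_CONF_DIR}"
    # grep -rn output is "file:line:directive path"; the path is the last field.
    bad=$(grep -rEn '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]+' "$dir" 2>/dev/null |
        while IFS= read -r hit; do
            src=${hit%%:*}                                  # referencing config file
            path=$(printf '%s\n' "$hit" | awk '{print $NF}') # last whitespace-separated field
            path=${path%\"}; path=${path#\"}                 # strip optional double quotes
            [ -e "$path" ] || printf 'MISSING %s (referenced from %s)\n' "$path" "$src"
        done)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    echo "all SSLCertificate*File paths under $dir exist"
    return 0
}

# Stand-alone use: exit status mirrors the check so it can gate a restart.
if [ "${1:-}" = "--run" ]; then
    check_ssl_paths "${2:-}"
fi
```

Until the real certificates are back, the missing paths can be satisfied with any self-signed placeholder so that `apachectl configtest` passes and Apache can start; once `certbot --apache` has installed the new certificates, run the check again to confirm nothing still points at the placeholder.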