How to renew Letsencrypt certificates and implement in google cloud HTTP(S) load balancer

I am running a ubuntu instance in google cloud with google cloud’s HTTP(S) load balancer.
I used the

sudo certbot certonly --manual

command to generate the certificates by following the instructions. After the congratulations message i uploaded the cert.pem, chain.pem, private.pem files in the load balancer and https was implemented. Now that the certificate is about to expire, how do i do the renewal ?
The congratulations message had this " To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew" " .
Is the certbot renew command alone is enough for the renewal ? will i be getting new set of certificates (cert.pem, chain.pem, private.pem) after renewal which i have to again upload in the google cloud load balancer ? Can someone help with step by step instructions ?

Yes, you will have to do this after each renewal. The certificate files will be automatically updated in /etc/letsencrypt/live.

I don't have a step-by-step for you, but if you are using Certbot, you can use a deploy hook to automatically deploy the new certificate to the load balancer:

certbot renew --deploy-hook /path/to/deploy-hook-script

Within the deploy hook script you can use the gcloud command to deploy the certificate to the load balancer:

as well as any further actions required to make the load balancer start using the new certificate.

I tried running - sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/my.subdomain.com.conf

Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (my.subdomain.com) from /etc/letsencrypt/renewal/my.subdomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my.subdomain.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my.subdomain.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

What is the --deploy-hook for and the hook script ?

certbot renew --deploy-hook /path/to/deploy-hook-script

I would like to renew it by the same way i did while implementing https the first time manually by uploading the certs to the HTTP(S) load balancer.

Hi @novicesysadmin,

The use of --manual is incompatible with certbot renew because certbot renew runs only in a non-interactive mode. The error message that you saw when running certbot renew tries to explain this, but perhaps it could be clearer.

The intended way to renew with --manual is simply to repeat the original sudo certbot certonly --manual command. (In order to avoid accidental duplication where the certificates are saved and managed separately, we would also suggest explicitly providing the full list of domains on the command line with -d, but this is not a requirement, just a precaution to avoid accidentally requesting subsequent certificates for slightly different sets of domain names, which can cause some confusion when it occurs.)

Edit: There is also an option to write a shell script that performs whatever tasks need to be done in order to accomplish the “manual” authentication step. In this case, the script can be specified with the --manual-auth-hook option, and, once that’s been provided, it will be possible to use certbot renew for that certificate because the renewal will proceed noninteractively.

(The manual auth hook script is used to perform the steps necessary to obtain the certificate by proving your control over the domain name, while the deploy hook script is used to deploy the certificate after it’s been renewed by copying it to wherever it will be used.)

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.