How to setup automatic renewal for wildcard certificate using certbot


#1

My domain is: *.shyamjos.com

I ran this command ./certbot-auto certonly --manual -d *.example.com -d example.com --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory to setup lets encrypt wildcard cert.

Now, How can I automate the renewal process?

My web server is nginx and i am using route53 for dns management

when I am running ./certbot-auto --dry-run renew I am getting below error.

./certbot-auto --dry-run renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/shyamjos.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (shyamjos.com) from /etc/letsencrypt/renewal/shyamjos.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/shyamjos.com/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/shyamjos.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)


#2

You used the manual method, this cannot be automated.


#3

…unless you do what the screen tells you–provide an authentication script using the --manual-auth-hook flag, which will be able to deploy the DNS challenges (and clean them up).


#4

Note that Certbot now has Route53 support

https://certbot-dns-route53.readthedocs.io/en/latest/

but depending on how you install Certbot, it might be difficult to install the Route53 plugin. (In particular, certbot-auto still doesn’t install it automatically and you may have to use pip commands or something to get the plugin.)

This is an alternative to the original --manual-auth-hook approach.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.