I can't renew cert

Hi, I have 2 issues:
1- Some people tell me that they get a certificate error when entering my website:

(I could enter OK)
2- So I want to regenerate the certificate to see if it fixes the problem.
When I execute certbot renew I get:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (maindomain.com) from /etc/letsencrypt/renewal/maindomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/maindomain.com/fullchain.pem (failure)

I created the previous certificates with this command:

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.maindomain.com'  -d maindomain.com

Thanks very much!

Hi @anibalardid

Then you should share the domain name. Perhaps one version works and another does not, but you don't see it because of a cached redirect. Or use a tool like https://check-your-website.server-daten.de/ to check the redirects.

If you use --manual, --renew can't work without a replacement of your manual action.

--

There is a standard Help template:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Can you also show us the output of “certbot certificates”?

From the “certbot renew --dry-run” output, at least one certificate isn’t expiring soon.

(Edit: This post was totally rewritten.)

Thanks both!!

The domain is demoswp.com (and I use subdomains)

I use manual because someone told me to in another post where I asked about creating wildcards.

I will go with the template:

My domain is:
demoswp.com

I ran this command:
certbot renew

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (maindomain.com) from /etc/letsencrypt/renewal/maindomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/maindomain.com/fullchain.pem (failure)

My web server is (include version):
Apache/2.4.29

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes, ssh root

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
nop

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version
certbot 0.28.0

Reports:

https://crt.sh/?q=demoswp.com

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: demoswp.com
Domains: *.demoswp.com demoswp.com
Expiry Date: 2019-05-27 19:16:18+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/demoswp.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/demoswp.com/privkey.pem


Ah, there is a new check.

Your certificate is good

CN=*.demoswp.com
	26.02.2019
	27.05.2019
expires in 46 days	*.demoswp.com, demoswp.com - 2 entries

Both domain names are included, so the www and the non-www version are secure -> Grade B >> N (certificate error).

The chain

| Chain (complete) | | 1 | CN=*.demoswp.com |
| --- | --- | --- | --- |
| | | 2 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US |

is complete, no mixed content warnings.

People with problems should share a screenshot, I don’t see a problem.

Thanks!
He sent me only this screenshot, and he told me the problem occurs with 4G and wifi and with different browsers and incognito mode. …

screenshot:

And the main domain too:

This site can’t provide a secure connection

demoswp.com sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

Checked your site via

https://www.ssllabs.com/ssltest/analyze.html?d=demoswp.com

there is no problem visible.

You have TLS 1.0, 1.1 and 1.2 and enough cipher suites (that may be a problem; some websites have only 2 or 3 ciphers), so most clients are able to connect.

Do you know which client is used? Or does that user have some antivirus software that blocks?

Oh - what's that? Checked your subdomain via SSL Labs; there is an error (never seen before):

https://www.ssllabs.com/ssltest/analyze.html?d=lang1.demoswp.com

Check one of these things:

-- Copy --

Assessment failed: Unexpected failure

Known Problems

There are some errors that we cannot fix properly in the current version. They will be addressed in the next generation version, which is currently being developed.

  • No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").
  • no more data allowed for version 1 certificate - the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed. We'll try to find a different parser to avoid this problem.
  • Failed to obtain certificate and Internal Error - errors of this type will often be reported for servers that use connection rate limits or block connections in response to unusual traffic. Problems of this type are very difficult to diagnose. If you have access to the server being tested, before reporting a problem to us, please check that there is no rate limiting or IDS in place.
  • NetScaler issues - some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that's most likely the reason.
  • Unexpected failure - our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can't provide accurate results, which is why we fail.

Hi! I saw this link and I didn't see an error; I see Overall Rating "A".

About the computer, he uses Macbook without antivirus/firewall.
And he tried from his iphone too …

It’s very strange for me :frowning:

(he is my business partner)

Can you get him to save the specific link that he’s using? Maybe he’s trying to access the wrong port number or something?

Hi!
He wrote me a few minutes ago; he is now in another city, and it is working well, without changing anything.

Maybe his city has a DNS or some similar problem? And maybe it was cached from when the site's certificate expired?

And … how can I renew the certificate automatically with certbot? Can I recreate the cert without the manual option? Or does it work well and renew automatically when it expires?

Curious: Ssllabs works now:

https://www.ssllabs.com/ssltest/analyze.html?d=lang1.demoswp.com

Grade A.

Perhaps temporary cached old results?

certbot renew doesn't work with certificates obtained with certbot --manual, which you originally used to get your wildcard certificate, because the wildcard certificate requires using DNS records for authentication.

When you renew your certificate, you'll have to set different DNS records each time. So the old ones aren't useful, and Certbot doesn't know how to do this by itself, unless you give it a script or plugin to interact with a DNS provider API. If you want to do it manually, you should re-run the original Certbot command that you used to request the certificate (and then you'll have to set the new DNS records at that time).

certbot renew is only usable for non-interactive renewals, which can only be done if Certbot already has all of the information that it needs to complete the renewal by itself.
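A hand-rolled hook pair for the DigitalOcean DNS API, as an added example (not code from this thread or from the certbot-dns-digitalocean plugin), showing what replaces the manual action: one script serves as --manual-auth-hook and --manual-cleanup-hook, driven by the CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_AUTH_OUTPUT variables Certbot exports. Assumed: an API token in DO_API_TOKEN, curl and jq installed, and a zone equal to the last two labels of the domain.

```shell
#!/bin/sh
# Example DNS-01 hook for Certbot + DigitalOcean DNS (added illustration, not the
# certbot-dns-digitalocean plugin). Certbot runs the auth hook once per name with
# CERTBOT_DOMAIN and CERTBOT_VALIDATION exported, then the cleanup hook with the
# auth hook's stdout in CERTBOT_AUTH_OUTPUT. Assumed: DO_API_TOKEN, curl and jq.
set -eu

API="https://api.digitalocean.com/v2/domains"

# Zone = last two labels (assumption; names under co.uk-style suffixes need a table).
zone_for() {
    printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Record name relative to the zone: "_acme-challenge" at the apex, otherwise
# "_acme-challenge.<sub>". CERTBOT_DOMAIN never carries "*.", so *.demoswp.com and
# demoswp.com both land on one name, where two TXT values coexist (as seen above).
txt_record_name() {
    if [ "$1" = "$2" ]; then
        printf '_acme-challenge\n'
    else
        printf '_acme-challenge.%s\n' "${1%.$2}"
    fi
}

publish() {
    zone=$(zone_for "$CERTBOT_DOMAIN")
    name=$(txt_record_name "$CERTBOT_DOMAIN" "$zone")
    body=$(jq -nc --arg n "$name" --arg v "$CERTBOT_VALIDATION" \
        '{type:"TXT", name:$n, data:$v, ttl:30}')
    # Print only the record id: it reaches the cleanup hook via CERTBOT_AUTH_OUTPUT.
    curl -fsS -X POST "$API/$zone/records" \
        -H "Authorization: Bearer $DO_API_TOKEN" -H "Content-Type: application/json" \
        -d "$body" | jq -r '.domain_record.id'
    sleep 30    # let the authoritative servers pick up the record before validation
}

cleanup() {
    zone=$(zone_for "$CERTBOT_DOMAIN")
    for id in $CERTBOT_AUTH_OUTPUT; do
        curl -fsS -X DELETE "$API/$zone/records/$id" \
            -H "Authorization: Bearer $DO_API_TOKEN"
    done
}

# Certbot passes the mode as the argument; with no argument (e.g. when sourced
# for testing) the script only defines the functions.
case "${1:-}" in
    auth)    publish ;;
    cleanup) cleanup ;;
esac
```

Register it on the existing certificate by re-running the original certonly command with --manual-auth-hook '/path/do-hook.sh auth' --manual-cleanup-hook '/path/do-hook.sh cleanup' (and a --deploy-hook to reload Apache); Certbot stores the hooks in the renewal conf, after which certbot renew --dry-run can complete without a human.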

Hi !
Sorry but I don’t understand.

I created the cert for the domain and wildcards with this command:

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.maindomain.com'  -d maindomain.com

And in my "network" section of DigitalOcean I have 2 instances of the TXT record "_acme-challenge.demoswp.com" …

Is it OK, or could I create it another way?

My goal is to have a certificate for the main domain and subdomains, and to renew it automatically if possible.
PS: I'm root, so I could install plugins or whatever is needed…

There’s a Certbot plugin available for Digital Ocean’s DNS service. I believe you should be able to install the plugin with:

sudo apt-get install python3-certbot-dns-digitalocean

and use it by following the instructions here:

https://certbot-dns-digitalocean.readthedocs.io/en/stable/

…though I don’t personally use DO so I haven’t tried it myself.

If that works, it should allow you to renew your certificate(s) automatically. You might also want to add a --deploy-hook to reload your web server after it renews.


Also, for many purposes you don’t need a wildcard certificate. Unless you have thousands of subdomains, or add and remove subdomains many times a week, it may be easy to use non-wildcard certificates and HTTP validation.

Thanks! I will try it!

At this moment I have 4200 subdomains :slight_smile:

that's why I need a wildcard hahaha :smiley:
