Hi, I have 2 issues:
1- Some people tell me that they get a certificate error when entering my website:
(I could enter OK)
2- So I want to regenerate the certificate to see if it fixes the problem.
When I execute certbot renew I get:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (maindomain.com) from /etc/letsencrypt/renewal/maindomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/maindomain.com/fullchain.pem (failure)
then you should share the domain name. Perhaps one version works, another not - but you don't see it because of a cached redirect. Or use a tool like https://check-your-website.server-daten.de/ to check the redirects.
If you use --manual, --renew can't work without a replacement of your manual action.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (maindomain.com) from /etc/letsencrypt/renewal/maindomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/maindomain.com/fullchain.pem (failure)
My web server is (include version):
Apache/2.4.29
The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
yes, ssh root
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
nop
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version
certbot 0.28.0
There are some errors that we cannot fix properly in the current version. They will be addressed in the next generation version, which is currently being developed.
No secure protocols supported - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").
no more data allowed for version 1 certificate - the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed. We'll try to find a different parser to avoid this problem.
Failed to obtain certificate and Internal Error - errors of this type will often be reported for servers that use connection rate limits or block connections in response to unusual traffic. Problems of this type are very difficult to diagnose. If you have access to the server being tested, before reporting a problem to us, please check that there is no rate limiting or IDS in place.
NetScaler issues - some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that's most likely the reason.
Unexpected failure - our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can't provide accurate results, which is why we fail.
Hi!
He wrote me a few minutes ago; he is now in another city, and it is working well, without changing anything.
Maybe his city has a DNS or similar problem? And maybe it was cached when the site's certificate expired?
And … how can I renew the certbot automatically? Can I recreate the cert without the manual option? Or does it work well and renew automatically when it expires?
certbot renew doesn't work with certificates obtained with certbot --manual, which you originally used to get your wildcard certificate, because the wildcard certificate requires using DNS records for authentication.
When you renew your certificate, you'll have to set different DNS records each time. So the old ones aren't useful, and Certbot doesn't know how to do this by itself, unless you give it a script or plugin to interact with a DNS provider API. If you want to do it manually, you should re-run the original Certbot command that you used to request the certificate (and then you'll have to set the new DNS records at that time).
certbot renew is only usable for non-interactive renewals, which can only be done if Certbot already has all of the information that it needs to complete the renewal by itself.
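Added example, not part of the thread: a check that reads a Certbot renewal file (the kind under /etc/letsencrypt/renewal/) and reports lineages that will hit the PluginError above because they store the manual authenticator without an auth hook. The sample file contents and the hook path are constructed; the key names `authenticator`, `manual_auth_hook` and `pref_challs` are assumed to be stored as Certbot writes them in `[renewalparams]`.

```python
import configparser
from pathlib import Path

# Constructed sample of a renewal file; paths and values are illustrative.
SAMPLE_MANUAL = """\
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
"""
# Same lineage with a (hypothetical) hook script stored, and a webroot lineage.
SAMPLE_HOOKED = SAMPLE_MANUAL + "manual_auth_hook = /usr/local/bin/dns-auth.sh\n"
SAMPLE_WEBROOT = SAMPLE_MANUAL.replace("= manual", "= webroot").replace("dns-01", "http-01")


def renewal_findings(conf_text):
    """Return reasons why an unattended `certbot renew` will fail for this lineage."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Renewal files begin with keys outside any section; park them in a dummy one.
    parser.read_string("[lineage]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return ["no [renewalparams] section"]
    params = parser["renewalparams"]
    findings = []
    authenticator = params.get("authenticator", "").strip()
    hook = params.get("manual_auth_hook", "").strip()
    # Assumption: an unset hook is either absent or stored as the string "None".
    if authenticator == "manual" and hook in ("", "None"):
        findings.append("authenticator is manual but no manual_auth_hook is stored")
    challenges = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if findings and "dns-01" in challenges:
        findings.append("dns-01: every renewal needs a new _acme-challenge TXT record")
    return findings


def scan(directory):
    """Map each *.conf file name in `directory` to its findings, skipping clean ones."""
    results = {p.name: renewal_findings(p.read_text()) for p in sorted(Path(directory).glob("*.conf"))}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    print(renewal_findings(SAMPLE_MANUAL))
    print(scan("/etc/letsencrypt/renewal"))  # empty dict if the directory is absent
```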
And in the “network” section of my DigitalOcean account I have 2 instances of the TXT record “_acme-challenge.demoswp.com” …
Is it OK, or could I create it another way?
My goal is to have a certificate with the main domain and subdomains, and to renew it automatically if that's possible.
PS: I’m root, so I could install plugins or whatever is needed…
…though I don’t personally use DO so I haven’t tried it myself.
If that works, it should allow you to renew your certificate(s) automatically. You might also want to add a --deploy-hook to reload your web server after it renews.
Also, for many purposes you don’t need a wildcard certificate. Unless you have thousands of subdomains, or add and remove subdomains many times a week, it may be easy to use non-wildcard certificates and HTTP validation.