Issue with certificate renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.myko-minions.com

I ran this command: I just ran the docker-compose up, it should renew it but says it can't be renewed.

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/myko-minions.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate myko-minions.com with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/myko-minions.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Nginx 1.15.2-alpine

The operating system my web server runs on is (include version): AWS EC2 Linux

My hosting provider, if applicable, is: /

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

docker-compose:

version: "3.3"

services:
  certbot:
    image: certbot/certbot:latest
    container_name: certbot
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt/
      - ./data/certbot/www:/var/www/certbot/
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  dashboard:
    build:
      context: ./apps/dashboard/
      dockerfile: Dockerfile
      args:
        SYSTEM_API_URL: ${SYSTEM_API_URL}
        WS_URL: ${WS_URL}
    ports:
      - "${DASHBOARD_PORT}:80"
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot

  site:
    build:
      context: ./apps/site/
      dockerfile: Dockerfile
      args:
        GRAPHQL_API_ROOT_URL: ${SYSTEM_API_URL}/graphql
        SYSTEM_API_URL: ${SYSTEM_API_URL}
    ports:
      - "${SITE_PORT}:80"
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot

  system:
    build:
      context: ./apps/system/
      dockerfile: Dockerfile
      args:

This is just a part of docker-compose; I pasted the part which contains the certbot parts. Nginx is being run from a Dockerfile (Don't know why, I'm just trying to clean up someone else's mess)

sudo ls -l /etc/letsencrypt/live/myko-minions.com output:

total 4
-rw-r--r-- 1 root root 692 May 16  2022 README
lrwxrwxrwx 1 root root  40 Jan 25 12:20 cert.pem -> ../../archive/myko-minions.com/cert1.pem
lrwxrwxrwx 1 root root  41 Jan 25 12:20 chain.pem -> ../../archive/myko-minions.com/chain1.pem
lrwxrwxrwx 1 root root  45 Jan 25 12:20 fullchain.pem -> ../../archive/myko-minions.com/fullchain1.pem
lrwxrwxrwx 1 root root  43 Jan 25 12:20 privkey.pem -> ../../archive/myko-minions.com/privkey1.pem

sudo certbot certificates output:

Found the following certs:
  Certificate Name: myko-minions.com
    Serial Number: (Removed this, not sure if I should share it)
    Key Type: RSA
    Domains: *.myko-minions.com myko-minions.com
    Expiry Date: 2022-08-14 22:21:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/myko-minions.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/myko-minions.com/privkey.pem

The 'manual' plugin does not support auto-renewal, unless combined with a hook to fulfill the challenge.

https://eff-certbot.readthedocs.io/en/stable/using.html#manual

You will have to run certbot again with the command used to issue the certificate to manually renew it, at which point you can also choose to use a different authentication method to automate future renewals.

3 Likes

Sadly, I'm not much experienced with Certbot, do I need to remove some files before re-running the command? Also, I have multiple subdomains there, could you provide me with a quick example command to do so? Googled a bit, can't find someone having an exact issue like mine. What automation method should I choose for the way I'm using?

Not necessarily, if you're going to use the same domains per certificate again. Otherwise you might want to clear out /etc/letsencrypt/renewal/ to make sure it doesn't try to renew old certificates. Those files are created when you first get a certificate and are used by the renew command (which is meant to be called from a cron job) for auto-renewals.

So was I, three weeks ago. Then I read the docs. You should do so, too.

I see you're trying to get a wildcard certificate, which is way more complicated because you have to use DNS for verification. If your DNS provider has API access, your best bet would be to use a plugin specific for that provider. There's also a plugin called 'dns-standalone', which I use to answer DNS challenges on the server itself, but it requires delegation of the _acme-challenge DNS label. If you don't need wildcards, you could resort to the Webroot authenticator, which uses the HTTP challenge. You can still include multiple subdomains by naming them on the command line like -d myko-minions.com,www.myko-minions.com.

Please note that most specialized authenticators are third-party and need to be installed separately before use, and I can't tell you how to do this in a Docker container. I installed Certbot via PIP because everything else seemed like overkill for a script that's not even constantly running.

3 Likes
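As an added example (not from the thread or from Certbot itself), a small POSIX sh script covering both answers above: a pre-flight check that spots the "manual authenticator without manual_auth_hook" state in a renewal conf that produces the error in the first post, and a builder for the webroot re-issue command with one -d per name, using the /var/www/certbot path the compose file mounts into every container. The renewal-conf keys are the ones certbot writes under /etc/letsencrypt/renewal/; the sample conf below is constructed for the demo.

```shell
#!/bin/sh
# Added example: detect a renewal conf that "certbot renew" cannot process
# unattended, and build the webroot re-issue command for a list of names.

# Returns 0 if the conf can renew unattended, 1 if it uses the manual
# authenticator without a manual_auth_hook (the PluginError in the thread).
renewal_conf_is_automatable() {
    conf="$1"
    auth=$(sed -n 's/^authenticator *= *//p' "$conf" | head -n1)
    hook=$(sed -n 's/^manual_auth_hook *= *//p' "$conf" | head -n1)
    if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
        return 1
    fi
    return 0
}

# Prints a certonly command using the webroot authenticator (HTTP-01).
# Wildcard names are refused because HTTP-01 cannot validate them; those
# need a DNS authenticator as the replies above explain.
webroot_reissue_cmd() {
    webroot="$1"; shift
    cmd="certbot certonly --webroot -w $webroot --non-interactive --agree-tos"
    for d in "$@"; do
        case "$d" in
            \**) echo "wildcard $d needs a DNS authenticator" >&2; return 1 ;;
        esac
        cmd="$cmd -d $d"
    done
    echo "$cmd"
}

# Constructed sample resembling a conf left behind by a manual DNS-01
# issuance with no hook recorded (not the poster's real file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[renewalparams]
authenticator = manual
pref_challs = dns-01,
EOF
if renewal_conf_is_automatable "$sample"; then
    echo "renew can run unattended"
else
    echo "manual authenticator without manual_auth_hook: certbot renew will fail"
fi
rm -f "$sample"
webroot_reissue_cmd /var/www/certbot myko-minions.com www.myko-minions.com
```

Run the check inside the certbot container against each file in /etc/letsencrypt/renewal/ before relying on the 12-hour renew loop in the compose entrypoint.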

You've got some good advice so far, I just want to add that since your domain has its DNS hosted with GoDaddy, you can probably use the third-party certbot-dns-godaddy plugin to issue certificates and achieve automatic renewal, which has a Docker image available. This would probably be useful for you.

6 Likes