Issue with renewing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alkarkhi.com

I ran this command: certbot renew

It produced this output:

Failed to renew certificate alkarkhi.com with error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

My web server is (include version): nginx v1.14.2

The operating system my web server runs on is (include version): Debian v10.10

My hosting provider, if applicable, is: evolution-host.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.17.0

I also switched from Apache to Nginx and I created the certificates when I used Apache. Maybe that's the problem?

2 Likes

Probably not. Have you been able to renew the cert before using certbot renew? Because the error message suggests you initially issued the cert using --manual. If you did that, you can't renew automatically, and if you think about it for a minute, the reason is obvious--when you use --manual, cert issuance requires manual intervention. If you're running non-interactively (as renew does), there's no way to provide that manual intervention.

2 Likes

@danb35 Yes, I think I used --manual. How would I change it to automatic?

2 Likes

I see:

Addresses: 2001:41d0:800:2e90:6d72:2ffb:8267:1
           51.195.152.242

With different replies:

curl -Iki6 alkarkhi.com
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 3444

curl -Iki4 alkarkhi.com
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 10 Jul 2021 16:58:15 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.alkarkhi.com/

3 Likes

Thanks for the heads up. My ISP doesn't give out IPv6 addresses for some reason, so it's hard to check if it's working right. Can you check again?

3 Likes

Hello :slightly_smiling_face:

Being sure to heed what @rg305 has wisely pointed out, you might be able to use the following:

sudo certbot --cert-name alkarkhi.com --nginx -d "alkarkhi.com,www.alkarkhi.com"

1 Like

@griffin Hello. What's the difference to:

sudo certbot --cert-name alkarkhi.com --nginx -d "alkarkhi.com,*.alkarkhi.com"

2 Likes

It uses the nginx authenticator, which automatically satisfies http-01 challenges, instead of the manual authenticator, which does not.

2 Likes
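As an added example (not code from this thread or from Certbot itself), here is a small Python audit that reads Certbot's renewal configs and flags the exact situation described above: a cert issued with the manual authenticator and no --manual-auth-hook, which `certbot renew` cannot complete unattended, versus the nginx (or other automated) authenticator, which can. The renewal file layout (top-level keys followed by a [renewalparams] section under /etc/letsencrypt/renewal) and the constructed sample config are assumptions.

```python
"""Audit Certbot renewal configs for certs that cannot renew non-interactively."""
import configparser
import glob
import os

RENEWAL_DIR = "/etc/letsencrypt/renewal"  # default Certbot location on Debian (assumed)


def parse_renewal_conf(text):
    """Parse one renewal config into a dict of its [renewalparams] keys.

    Assumed layout: a few top-level keys (version, cert paths) precede the
    [renewalparams] section. configparser rejects keys before any section,
    so a dummy [top] header is prepended before parsing."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[top]\n" + text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])


def audit_renewal(params):
    """Return (ok, reason): can `certbot renew` complete without a human?"""
    auth = params.get("authenticator", "").strip()
    if auth == "manual":
        if params.get("manual_auth_hook", "").strip():
            return True, "manual plugin with --manual-auth-hook set"
        return False, ("manual plugin without --manual-auth-hook: renewal "
                       "needs interactive input, so `certbot renew` fails")
    if auth in ("nginx", "apache", "webroot", "standalone"):
        return True, f"{auth} authenticator satisfies http-01 automatically"
    if auth.startswith("dns-"):
        return True, f"{auth} plugin automates dns-01 (the only option for wildcards)"
    return False, f"unknown or missing authenticator {auth!r}"


def audit_directory(path=RENEWAL_DIR):
    """Audit every *.conf under the renewal directory; name -> (ok, reason)."""
    results = {}
    for conf in sorted(glob.glob(os.path.join(path, "*.conf"))):
        with open(conf) as handle:
            results[os.path.basename(conf)] = audit_renewal(parse_renewal_conf(handle.read()))
    return results


# Constructed sample resembling the thread's situation (manual, no hook).
SAMPLE_MANUAL = """\
# renew_before_expiry = 30 days
version = 1.17.0
cert = /etc/letsencrypt/live/alkarkhi.com/cert.pem
[renewalparams]
account = 0123456789abcdef
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
"""

if __name__ == "__main__":
    for name, (ok, why) in audit_directory().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {why}")
```

Run it as root on the host; any FAIL line is a cert that will break the next unattended renewal and should be re-issued with an automated authenticator such as --nginx.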

No change.

2 Likes

I see a huge change, @rg305.

2 Likes

"*" and "www" are handled very differently.
Certs that contain wildcards must be handled by DNS authentication (ONLY).

2 Likes

@rg305

I think @certb0t's nginx configuration has special handling for .well-known. If you look in the first Let's Debug blue box, you'll see what I mean.

1 Like

@rg305

If you curl http://alkarkhi.com/.well-known/acme-challenge/test, do you get differing responses?

2 Likes

@rg305 So I'll have to manually add new subdomains then if I want automatic?

2 Likes

I see the forwarding, but if the rest of the site is not serving the same content, then I can only assume they are either not on the same system or won't provide the same content once secure.

Recall that step one is having a fully functional web site.
This seems to fail that as is.

2 Likes

DNS authentication can be automated - if the DSP is known to work with the ACME client being used.

2 Likes

I'm only seeing a SERVFAIL for the A record right now, which is odd since both the A and AAAA records are returned. :thinking:

2 Likes

DNS authentication can be automated - if the DSP is known to work with the ACME client being used.

Does that depend on the CA?

2 Likes

Clean now.

2 Likes

No, but that doesn't negate the lack of synchronization of the rest of the site.
So that even if we "WIN", we will soon see another TOPIC with "Sometimes my site works and sometimes it doesn't after installing LE cert."
[When it did that even before the cert was obtained]

2 Likes