Issues renewing cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: git.rsc.mywire.org

I ran this command: letsencrypt renew --manual --manual-public-ip-logging-ok

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/git.rsc.mywire.org.conf


Renewal configuration file /etc/letsencrypt/renewal/git.rsc.mywire.org.conf (cert: git.rsc.mywire.org) produced an unexpected error: 'Namespace' object has no attribute 'manual_test_mode'. Skipping.


No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/git.rsc.mywire.org.conf (parsefail)


0 renew failure(s), 1 parse failure(s)

My web server is (include version): GITLAB Community Edition 10.5.2 docker image

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @rcrook9190

looks like you have a very old config file.

And you use letsencrypt, the old version.

So first step: check if there is an update to Certbot - https://certbot.eff.org/

Then make a backup of git.rsc.mywire.org.conf, then delete the file and start new.

certbot -d git.rsc.mywire.org --manual

Which authentication method did you use with --manual?

Perhaps share the content of git.rsc.mywire.org.conf. Or remove only that single line with manual_test_mode.

Hi,

When I originally set up this cert I was following a guide for using letsencrypt with the GitLab docker image and the guide used:

# letsencrypt certonly --manual 

for setting up the cert, afterward copying the certs to the right location for the container to access them.

This seemed to work fine and I successfully renewed the certs a couple of times since setting it up.

This is the conf file as it stands, which produces the error in the OP.

cert = /etc/letsencrypt/live/git.rsc.mywire.org/cert.pem
privkey = /etc/letsencrypt/live/git.rsc.mywire.org/privkey.pem
chain = /etc/letsencrypt/live/git.rsc.mywire.org/chain.pem
fullchain = /etc/letsencrypt/live/git.rsc.mywire.org/fullchain.pem

#Options and defaults used in the renewal process
[renewalparams]
no_self_upgrade = False
no_verify_ssl = False
ifaces = None
register_unsafely_without_email = False
uir = None
installer = none
config_dir = /etc/letsencrypt
text_mode = False
staging = False
dry_run = False
work_dir = /var/lib/letsencrypt
tos = False
duplicate = False
http01_port = 80
init = False
noninteractive_mode = False
key_path = None
fullchain_path = None
email = None
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = False
hsts = False
authenticator = manual
manual_test_mode = False
nginx = False
rsa_key_size = 2048
verb = renew
checkpoints = 1
apache = False
cert_path = None
webroot_path = ,
reinstall = False
expand = False
strict_permissions = False
account = <the usual hash stuff>
prepare = False
manual_public_ip_logging_ok = True
chain_path = None
break_my_certs = False
domains = git.rsc.mywire.org,
standalone = False
manual = True
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = "tls-sni-01,http-01"
webroot = False
os_packages_only = False
func = <function renew at 0x7f1430a1a5f0>
user_agent = None
debug = False
tls_sni_01_port = 443
logs_dir = /var/log/letsencrypt
configurator = None
[[webroot_map]]

I did try removing the manual_test_mode = False from the file and try again but got a different error:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/git.rsc.mywire.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (git.rsc.mywire.org) from /etc/letsencrypt/renewal/git.rsc.mywire.org.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/git.rsc.mywire.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/git.rsc.mywire.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

I have updated certbot to the latest from the ppa. It made no difference. I also used the cert command instead of the letsencrypt command; once again it made no difference to the outcome. Same errors.

Sort of lost now.

Randall.

Hi @rcrook9190,

--manual is completely incompatible with renew, because renew can only perform non-interactive renewals. Instead, you have to renew certificates with certonly or similar if you’re using --manual.
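The two failures in this thread can be checked for before running renew. The following is an added example, not part of the original posts and not Certbot's own code: it reads a renewal config and reports the stale manual_test_mode key and a manual authenticator with no auth hook. The function names and sample config are constructed, and the key name manual_auth_hook is an assumption taken from the --manual-auth-hook flag in the error message.

```python
import sys

# Constructed sample, trimmed to the keys that matter from a config like the one posted.
SAMPLE_CONF = """\
cert = /etc/letsencrypt/live/example.test/cert.pem
# Options and defaults used in the renewal process
[renewalparams]
authenticator = manual
manual_test_mode = False
manual_public_ip_logging_ok = True
domains = example.test,
[[webroot_map]]
"""

def parse_renewalparams(text):
    """Return key/value pairs found directly under [renewalparams]."""
    params, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # [[webroot_map]] and any other header end the section.
            in_section = (line == "[renewalparams]")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def audit(text):
    """List the reasons `renew` cannot process this config unattended."""
    params = parse_renewalparams(text)
    findings = []
    if "manual_test_mode" in params:
        findings.append("stale key manual_test_mode: remove the line or re-create the config")
    # Assumed key name: the --manual-auth-hook flag stored as manual_auth_hook.
    hook = params.get("manual_auth_hook", "None")
    if params.get("authenticator") == "manual" and hook in ("", "None"):
        findings.append("authenticator = manual with no manual_auth_hook: "
                        "renew is non-interactive, re-issue with certonly --manual")
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path) as fh:
            for finding in audit(fh.read()):
                print(f"{path}: {finding}")
```

Run it with the paths of the files under /etc/letsencrypt/renewal/ as arguments; it only reads them and changes nothing.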
