Let's Encrypt manual renewal

I’ve installed Let’s Encrypt Certificate for my website using this manual tutorial: https://www.kosinix.com/install-lets-encrypt-certificate-on-shared-hosting/ and I was wondering how I will renew the certificate?

For now you’ll have to follow the same steps each time the cert needs renewing. Hopefully cPanel will finish development on Let’s Encrypt integration soon, once this is done and your hosting company upgrades it can be done automatically.

When I installed the cert, I had a congrats message in addition to the message: To non-interactively renew all of your certificates, run “letsencrypt-auto renew”. Doesn’t this mean that I do not need to repeat those instructions in the tutorial?

If you used “manual” mode like in those instructions I don’t think the non-interactive renewal can work.

In the instructions there’s at least one step where you’re actually copying files around, right? That needs to happen again during renewal, so it can’t be automatic, because you’re not automatic. Maybe some day certbot could be improved to send you a text message, “Hey leo10, renewal day can you copy those files across for me again? Let me know when you’re done, KTHK” but that’s not today.

Probably certbot should be improved to not mention this idea if it wouldn’t work anyway (i.e. if you picked “manual”).

That message applies to all other plugins, but not the manual plugin. The manual plugin cannot be run non-interactively, since the whole idea is to allow you to manually upload the verification files.

Well, I typed that command and here’s the output:

./letsencrypt-auto renew
Requesting root privileges to run certbot…
/home/me/.local/share/letsencrypt/bin/letsencrypt renew
[sudo] password for me:

Processing /etc/letsencrypt/renewal/mysite.com.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/mysite.com/fullchain.pem (skipped)
No renewals were attempted.

Is there any hope for me to use this method, or is it now certain that I must reuse the tutorial every 90 days?

@leo10, you can see what it will look like when it attempts a renewal by running ./letsencrypt-auto renew --force-renewal. However, I believe @pfg is right that it will not be able to complete the renewal process unattended.

Yes indeed, ./letsencrypt-auto renew --force-renewal gives:

Requesting root privileges to run certbot…
/home/me/.local/share/letsencrypt/bin/letsencrypt renew --force-renewal
[sudo] password for me:

Processing /etc/letsencrypt/renewal/mysite.com.conf

2016-07-18 13:19:47,584:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/mysite.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mysite.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Now when renewing I should repeat the steps in that tutorial, but should I retype: ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d mysite.com -d www.mysite.com ?

@leo10, I believe that should work. If you specified the key size before, you probably don’t need to specify it again when you renew.

Our site runs -certonly because they are required in non-common locations (e.g. Mumble certification), but the original files are retained in their original locations and are only linked to. It seems unnecessary to require our jumping through the hoops of a full re-challenge and re-issuance of new certs for such situations, instead of simply auto-renewing like other (Apache, nginx, etc.) users.

Is automated renewal of -certonly installations planned at all?

Automatic renewal with certonly is no problem at all. This post is just about the manual plugin.

There might be a misunderstanding between “auto-renewing” and “auto-configuration” here. Every plugin, whether it’s apache, nginx, webroot, standalone or manual, requires that a challenge is solved and the certificate is re-issued. The difference between the apache plugin and certonly with webroot or standalone is that the apache plugin also knows how to configure apache to use that new certificate and how to reload apache, etc. That’s the part that’s up to you with certonly. Renewal can be automated just fine with either.

Perhaps the issue is with my understanding of the process? I thought that “./letsencrypt-auto renew” was intended to be hands-off and automatically done (about every 80-90 days) once expiration was imminent, without the challenge and re-issuance, and thus it may be performed via cron. Do the other plugins (e.g. Apache) perform an automated challenge solution, perhaps?

That's correct.

No, every issuance, no matter whether it's via certonly, the apache plugin or letsencrypt/certbot renew requires solving a challenge and re-issuing the certificate (where re-issuing just means that Let's Encrypt signs a new certificate on your behalf - there's no way you could do that yourself and still get a publicly-trusted certificate at the end).

All plugins except the manual plugin automatically solve the ownership challenge. That's what the "manual" stands for - you'll have to manually solve the challenge. That's also why it cannot be automated via renew.
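
As an added example (not part of the original thread), the sketch below audits the renewal configs that "renew" processes and flags the certificates that will not renew unattended because they were issued with the manual plugin. It assumes each file under /etc/letsencrypt/renewal records the plugin as an "authenticator = ..." line in its [renewalparams] section; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify certbot renewal configs by authenticator plugin.

# Print the authenticator recorded in the [renewalparams] section of one file.
conf_authenticator() {
    awk '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && /^[ \t]*authenticator[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }
    ' "$1"
}

# For every *.conf in the directory, print "<lineage> <authenticator> <status>".
audit_renewals() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        auth=$(conf_authenticator "$conf")
        case "${auth:-unknown}" in
            manual)  status=needs-operator ;;   # a person must solve the challenge
            unknown) status=check-config ;;     # no authenticator line found
            *)       status=unattended ;;       # plugin solves the challenge itself
        esac
        echo "$name ${auth:-unknown} $status"
    done
}

# Succeeds only if every lineage can renew unattended (usable from cron).
renewals_ok() {
    ! audit_renewals "$1" | grep -Eq ' (needs-operator|check-config)$'
}

# Constructed sample configs (not real files from the thread).
make_sample() {
    printf 'cert = /etc/letsencrypt/live/mysite.com/cert.pem\n[renewalparams]\nauthenticator = manual\n' > "$1/mysite.com.conf"
    printf '[renewalparams]\nauthenticator = webroot\n' > "$1/example.org.conf"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_renewals "$sample"
rm -rf "$sample"
```

Running audit_renewals with no argument reads /etc/letsencrypt/renewal, which normally requires root.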
