Newbie needs help with expired certificate of subdomain

I am running my own vServer with Ubuntu 20.04 and Nginx/1.18.0.
I created a subdomain wordpress.lager-stelle.de. There are two certificates installed, one for www.lager-stelle.de and one for wordpress.lager-stelle.de. The certificate for the last one expired on 2021-12-26.

I am not sure if it is possible to renew the expired certificate or if I have to somehow remove the old one and install a new one.

I stopped nginx and tried
sudo certbot renew --cert-name wordpress.lager-stelle.de

It produced this output:


Processing /etc/letsencrypt/renewal/wordpress.lager-stelle.de.conf


Failed to renew certificate wordpress.lager-stelle.de with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/wordpress.lager-stelle.de/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

The version of my client is: certbot 1.22.0

I would be pleased if someone helped.

1 Like

Hi @mr_egbert and welcome to the LE community forum :)

Please show the output of:
certbot certificates

Do you recall having to manually add a TXT record into your DNS zone a few months back (when you got the cert you have now)?

2 Likes

Additional (interesting) info:

Name:    wordpress.lager-stelle.de
Address: 188.68.33.253

Name:    www.lager-stelle.de
Address: 188.68.33.253

On Jan 2, 2022 a cert was renewed for the "www" name.
And both names resolve to the same IP.
Maybe you can switch to using HTTP-01 authentication (and exclude the wildcard entry from the cert)?

2 Likes

Found the following certs:
Certificate Name: wordpress.lager-stelle.de
Serial Number: 45dd98cf93e7f6d707a89a55264b4d0fe92
Key Type: RSA
Domains: wordpress.lager-stelle.de *.wordpress.lager-stelle.de
Expiry Date: 2021-12-26 16:14:42+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/wordpress.lager-stelle.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wordpress.lager-stelle.de/privkey.pem
Certificate Name: www.lager-stelle.de
Serial Number: 37e9a31dd0d9b334b1eb930dbcaa4dfa073
Key Type: RSA
Domains: www.lager-stelle.de
Expiry Date: 2022-04-02 08:37:24+00:00 (VALID: 63 days)
Certificate Path: /etc/letsencrypt/live/www.lager-stelle.de/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.lager-stelle.de/privkey.pem

I think I added a TXT record. I just looked it up and there is just one txt entry in the table: _acme-challenge.wordpress. (I expected two, one for lager-stelle.de too).

1 Like

Please show files:
/etc/letsencrypt/renewal/wordpress.lager-stelle.de.conf
/etc/letsencrypt/renewal/www.lager-stelle.de.conf

2 Likes

wordpress.lager-stelle.de.conf

# renew_before_expiry = 30 days
version = 1.19.0
archive_dir = /etc/letsencrypt/archive/wordpress.lager-stelle.de
cert = /etc/letsencrypt/live/wordpress.lager-stelle.de/cert.pem
privkey = /etc/letsencrypt/live/wordpress.lager-stelle.de/privkey.pem
chain = /etc/letsencrypt/live/wordpress.lager-stelle.de/chain.pem
fullchain = /etc/letsencrypt/live/wordpress.lager-stelle.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 91874db438cccf5a1ca3b28ac6985e48
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual

www.lager-stelle.de.conf

# renew_before_expiry = 30 days
version = 1.22.0
archive_dir = /etc/letsencrypt/archive/www.lager-stelle.de
cert = /etc/letsencrypt/live/www.lager-stelle.de/cert.pem
privkey = /etc/letsencrypt/live/www.lager-stelle.de/privkey.pem
chain = /etc/letsencrypt/live/www.lager-stelle.de/chain.pem
fullchain = /etc/letsencrypt/live/www.lager-stelle.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 91874db438cccf5a1ca3b28ac6985e48
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

OMG!
I h8 how discourse will just eat edited posts!
[only to regurgitate them a few minutes later]
So, we wait...

3 Likes

wordpress domain was manual/dns
www was nginx/nginx

If that helps :)

3 Likes
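The difference between the two renewal files is what makes `certbot renew` fail for one name and succeed for the other: a lineage with `authenticator = manual` and no `manual_auth_hook` cannot be renewed non-interactively. The following check is an added example, not part of the original thread or of certbot; the sample files are constructed from the ones posted above, with the account ID replaced by a placeholder, and the function names are hypothetical.

```python
import configparser

# Constructed sample mirroring the two renewal files posted in the thread
# (trimmed; account ID replaced with a placeholder).
SAMPLE_CONFS = {
    "wordpress.lager-stelle.de": """\
version = 1.19.0

[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = manual
""",
    "www.lager-stelle.de": """\
version = 1.22.0

[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
""",
}


def renewal_params(conf_text):
    """Return the [renewalparams] section of a certbot renewal file as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    # Keys above [renewalparams] have no section header; give them one.
    parser.read_string("[lineage]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])


def unattended_renewal_blockers(confs):
    """Map lineage name -> reason it cannot renew non-interactively."""
    blocked = {}
    for name, text in confs.items():
        params = renewal_params(text)
        if params.get("authenticator") == "manual" and not params.get("manual_auth_hook"):
            blocked[name] = "authenticator = manual without manual_auth_hook"
    return blocked


if __name__ == "__main__":
    for name, reason in unattended_renewal_blockers(SAMPLE_CONFS).items():
        print(f"{name}: {reason}")
```

On a real host the same functions can be fed the contents of the files under /etc/letsencrypt/renewal/ to find certificates that will silently expire the way this one did.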

@mr_egbert
Do you need the wildcard cert?
[do you use it with subdomain names left of wordpress.lager-stelle.de?]

1 Like

No, there are no subdomains left of wordpress.lager-stelle.de, I don't need the wildcard.

Ok try this:

certbot certonly \
 --cert-name wordpress.lager-stelle.de \
 -a nginx \
 -d wordpress.lager-stelle.de \
 --preferred-challenges=http \
 --allow-subset-of-names

[copy/paste all six lines as one command]

2 Likes

Great! It worked!
Thank you very, very much!

1 Like

@mr_egbert No, you are not done. That was just proving your wordpress domain could be verified using http challenge.

I am posting mostly to alert Rudy that even though you marked this as the Solution, you have not completed the remaining steps to join the two names in one cert and update your nginx conf.

Probably best if @rg305 finishes the steps with you.

3 Likes

Why is that required?

3 Likes

Just one way to do it. Currently they are serving the www domain cert for the wordpress domain. Seems like more work to do one way or another.

Of course, I could be hallucinating again

3 Likes
