Not able to renew SSL certificate for Apache Server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: geotargetus.net

I ran this command: certbot renew

It produced this output:
Cert is due for renewal, auto-renewing…
Non-interactive renewal: random delay of 169.928341364 seconds
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (geotargetus.net) from /etc/letsencrypt/renewal/geotargetus.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/geotargetus.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache

The operating system my web server runs on is (include version): Centos

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Welcome :slightly_smiling_face:

It looks like you’re trying to use --manual in non-interactive mode, which means that you need to provide scripts via the --manual-auth-hook and --manual-cleanup-hook options to set up the challenges for you (e.g. dns txt records for dns-01 challenges or challenge files for http-01 challenges). You can also get rid of the --non-interactive (-n) option to have the client pause before validating the challenges so that you can manually create the necessary challenge files/records.

How i can fix the same. Please advice me.

Try this:

certbot renew --apache

Looking at https://crt.sh/?q=geotargetus.net, it looks like you’ve been successfully autorenewing for a while. It appears you’ve recently gotten certificates for beta.geotargetus.net and contract.geotargetus.net.

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (geotargetus.net) from /etc/letsencrypt/renewal/geotargetus.net.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

Can you please post the contents of your configuration file (/etc/letsencrypt/renewal/geotargetus.net.conf)?

renew_before_expiry = 30 days

version = 1.4.0
archive_dir = /etc/letsencrypt/archive/geotargetus.net
cert = /etc/letsencrypt/live/geotargetus.net/cert.pem
privkey = /etc/letsencrypt/live/geotargetus.net/privkey.pem
chain = /etc/letsencrypt/live/geotargetus.net/chain.pem
fullchain = /etc/letsencrypt/live/geotargetus.net/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = manual
account =
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

Try changing manual to apache and erase dns-01, so that line is only “pref_challs =” then just running certbot renew

1 Like

Getting same error.

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (geotargetus.net) from /etc/letsencrypt/renewal/geotargetus.net.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

Hmm…

Let’s try “pref_challs = http-01,” then certbot renew

Try:
certbot renew --apache --preferred-challenges http

[just force it on the command like - if it works it will update the renewal.conf accordingly]

1 Like

@rg305

That’s what I just had him change it to. :+1:

@manveer

When you run various options like what @rg305 suggested, certbot will automatically update the configuration for you. That’s probably more efficient than changing the configuration manually then running without options. :slightly_smiling_face:

I think his editing isn’t taking…

1 Like

@rg305

Can you tag me out on this one Rudy? I really need to run unfortunately. I think we’re close though.

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (geotargetus.net) from /etc/letsencrypt/renewal/geotargetus.net.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS… Skipping.

1 Like

@rg305

Try with :
certbot renew --apache --preferred-challenges http but not working

1 Like

is any body there, who can help me regarding renewal issue.

@rg305 @freessltools.com Looks like you’re trying to force the http-01 challenge to renew a wildcard certificate. That’s obviously not going to work.

@manveer:

As mentioned before, you were using the manual plugin (until @freessltools.com suggested you to erroneously modify your renewal configuration file into a non-working situation), which requires scripts to place and remove the TXT records in the DNS system to get a wildcard certificate. See the certbot documentation about Pre and Post Validation Hooks for more information about those scripts.

You could also choose not to use a wildcard certificate if it isn’t really necessary. But I don’t know how many hostnames are used for that certificate, so only you know that. If you don’t actually need a wildcard certificate (because only a few non-dynamic subdomains are used), you could get a new certificate for just those hostnames with the http-01 challenge.

Another option is to keep using the dns-01 plugin with the wildcard certificate, but not use the manual plugin, but choose one of the DNS plugins, if they are available and installable and your DNS is hosted at a suitable DNS provider (not sure if they are available on CentOS…)

The last but not so good option is to not use certbot renew but use the exact same command you used to get the certificate in the first place every 60 to 90 days. This would still use the manual plugin and still use the wildcard certificate and would require you to add and remove the TXT records manually every time…

This is a Community of volunteers… Please don’t be rude. There was exactly 25 minutes between your posts… I for one will leave this thread now.

2 Likes

I totally missed that :frowning:

1 Like