Problem renewing already expired certificate

Hello

I have problems renewing an expired certificate.
I tried certbot renew and certbot --force-renewal but I keep getting this error:

lora@sx-lora-test:/$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/lora.mydomain.ch.conf

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (lora.mydomain.ch) from /etc/letsencrypt/renewal/lora.mydomain.ch.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lora.mydomain.ch/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
lora@sx-lora-test:/$ sudo certbot --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

I'm new to this SSL certificate stuff.
Thanks

Could you show the contents of /etc/letsencrypt/renewal/lora.mydomain.ch.conf ?

Here is the content:

# renew_before_expiry = 30 days

version = 0.17.0
archive_dir = /etc/letsencrypt/archive/lora.mydomain.ch
cert = /etc/letsencrypt/live/lora.mydomain.ch/cert.pem
privkey = /etc/letsencrypt/live/lora.mydomain.ch/privkey.pem
chain = /etc/letsencrypt/live/lora.mydomain.ch/chain.pem
fullchain = /etc/letsencrypt/live/lora.mydomain.ch/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
installer = None
account = ca12ecf96f3fc0fe14bd51f7231a6d90
pref_challs = dns-01,
manual_public_ip_logging_ok = True
~

I think the issue may be that with Certbot you cannot really call renew on a certificate using the manual authenticator (since it cannot non-interactively renew).

So perhaps the invocation that would allow you to succeed might be to run certbot certonly with the parameters you used initially:

sudo certbot certonly -d lora.mydomain.ch --manual --preferred-challenges dns-01 --force-renewal --manual-public-ip-logging-ok

That explanation is exactly right. Certificates obtained with --manual without an authentication hook script may only be renewed manually (interactively), while certbot renew only attempts unattended renewals.

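A way to spot this condition before a certificate expires, as an added example that is not part of the original thread or of Certbot itself: the script below reads renewal files like the one quoted above and flags any that use the manual authenticator with no stored hook, which `certbot renew` will skip. It assumes `--manual-auth-hook` is stored under the key `manual_auth_hook` in `[renewalparams]`; the status strings and function names are made up for this example.

```python
import configparser
from pathlib import Path

# Constructed sample modelled on the renewal file quoted in the thread.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/lora.mydomain.ch
# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
pref_challs = dns-01,
manual_public_ip_logging_ok = True
"""


def renewal_status(conf_text):
    """Classify one renewal config for unattended `certbot renew`."""
    parser = configparser.ConfigParser(interpolation=None)
    # Renewal files start with section-less keys; put them in a dummy section.
    parser.read_string("[top]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return "no-renewalparams"
    params = parser["renewalparams"]
    if params.get("authenticator", "").strip() != "manual":
        return "unattended-ok"
    # Assumption: the hook path is stored as manual_auth_hook; "None" means unset.
    hook = params.get("manual_auth_hook", "").strip()
    if hook and hook != "None":
        return "unattended-ok"
    return "manual-without-hook"


def scan(renewal_dir="/etc/letsencrypt/renewal"):
    """Map each *.conf file in the renewal directory to its status."""
    return {
        path.name: renewal_status(path.read_text())
        for path in sorted(Path(renewal_dir).glob("*.conf"))
    }


if __name__ == "__main__":
    print("sample:", renewal_status(SAMPLE_CONF))
    for name, status in scan().items():
        print(f"{name}: {status}")
```

Any file reported as `manual-without-hook` needs the interactive `certbot certonly` run shown above, or a hook script, before its certificate expires.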

Worked perfectly, thanks!
